[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[rhelv5-list] NFS root & iptables



I'm using an NFS root filesystem on a diskless system with Red Hat EL5,
and see problems if iptables is enabled. I'm using NFS v3 over TCP when
the problems happen, but switching to UDP causes everything to work.
However, for various reasons, we'd like to continue using NFS over TCP.
The iptables configuration is normal, except for adding ports 161
udp/tcp and 162 udp for SNMP monitoring.

The symptoms and analysis so far: Boot proceeds nicely until iptables
starts, and then it hangs for 10-15 minutes trying to load the
ip_conntrack_netbios_ns kernel module. If I force it to not load that
module, by commenting it out of /etc/sysconfig/iptables-config, then the
startup hangs on 'touch /var/lock/subsys/iptables', which is a file on
the NFS server, since we're booting diskless.

Using ethereal on the NFS server (a RHELAS4u4 box) shows a lot of NFS
traffic from client to server and back, until the moment that iptables
starts, when an NFS GETATTR reply packet from server to client gets
blocked by iptables with an ICMP 'host administratively prohibited'
packet. This causes a very long sequence of NFS and TCP retransmissions,
which finally stop when the iptables service is up, I assume. In any
case, after a long hang, the boot completes.

So, my question is: does the iptables startup block all traffic for a
while until the configuration is read and processed, modules loaded,
etc.? If so, how does this square with a diskless client where the files
are all on an NFS server, and how do I get around this problem without
disabling iptables?

Thanks,

Chris
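Added example, not part of the list thread and not the poster's configuration: a pre-flight check that a diskless client's /etc/sysconfig/iptables will not cut off its own NFS root while iptables is coming up. The 'host administratively prohibited' ICMP in the capture is what a `-j REJECT --reject-with icmp-host-prohibited` rule sends, and the stock RHEL5 ruleset ends its RH-Firewall-1-INPUT chain with exactly that rule, relying on `-m state --state ESTABLISHED,RELATED` to let replies through. The script below works from the assumption that, right after ip_conntrack is loaded, the already-open NFS connection has no conntrack entry yet, so it evaluates the INPUT path for a synthetic NFS reply whose state is NEW. The ruleset, the server address 192.0.2.10 and the client port are constructed; the explicit `-s <server> -p tcp --sport 2049 -j ACCEPT` rule placed ahead of the state rule is one workaround that does not depend on conntrack, shown here as an assumption rather than as a documented fix. Any option the evaluator does not understand raises an error rather than being silently skipped, so an unfamiliar rule cannot produce a false "ACCEPT".

```python
"""Pre-flight check for a diskless NFS-root client's iptables rules.

Walks the INPUT chain of an iptables-save file with a synthetic packet
from the NFS server and reports the verdict, treating conntrack state as
NEW (no entry yet, as right after ip_conntrack has been loaded).
"""
import ipaddress
import shlex

NFS_SERVER = "192.0.2.10"   # assumed server address (documentation range, constructed)

# Options with packet-matching semantics we evaluate; module loaders and
# target options are consumed without effect; anything else is an error.
MATCH_OPTS = {"-s", "-d", "-p", "-i", "-o", "--dport", "--sport", "--state", "--icmp-type"}
IGNORED_OPTS = {"-m", "--reject-with"}
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

# Constructed, trimmed RHEL5-style ruleset (hypothetical, not the poster's file).
STATE_RULE = "-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n"
DEFAULT_RULES = (
    "*filter\n"
    ":INPUT ACCEPT [0:0]\n"
    ":FORWARD ACCEPT [0:0]\n"
    ":OUTPUT ACCEPT [0:0]\n"
    ":RH-Firewall-1-INPUT - [0:0]\n"
    "-A INPUT -j RH-Firewall-1-INPUT\n"
    "-A FORWARD -j RH-Firewall-1-INPUT\n"
    "-A RH-Firewall-1-INPUT -i lo -j ACCEPT\n"
    "-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT\n"
    + STATE_RULE +
    "-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT\n"
    "-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 161 -j ACCEPT\n"
    "-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 161 -j ACCEPT\n"
    "-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 162 -j ACCEPT\n"
    "-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited\n"
    "COMMIT\n"
)
# Assumed workaround: accept the NFS server explicitly, ahead of the state rule.
NFS_ACCEPT = "-A RH-Firewall-1-INPUT -s %s -p tcp -m tcp --sport 2049 -j ACCEPT\n" % NFS_SERVER
FIXED_RULES = DEFAULT_RULES.replace(STATE_RULE, NFS_ACCEPT + STATE_RULE)


def parse_rules(text):
    """Return (policies, chains): built-in chain policies and chain -> parsed rules."""
    policies, chains = {}, {}
    for line in text.splitlines():
        if line.startswith(":"):                      # chain declaration with policy
            name, policy = line[1:].split()[:2]
            chains[name] = []
            if policy != "-":
                policies[name] = policy
        elif line.startswith("-A "):
            toks = shlex.split(line)
            rule, chain, i = {}, toks[1], 2
            while i < len(toks):
                opt = toks[i]
                if opt == "-j":
                    rule["target"] = toks[i + 1]
                elif opt in MATCH_OPTS:
                    rule[opt] = toks[i + 1]
                elif opt not in IGNORED_OPTS:         # fail closed on anything unknown
                    raise ValueError("unsupported option %r in: %s" % (opt, line))
                i += 2
            chains[chain].append(rule)
    return policies, chains


def matches(rule, pkt):
    """True when every match option of the rule applies to the synthetic packet."""
    checks = {
        "-s": lambda v: ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(v, strict=False),
        "-d": lambda v: ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(v, strict=False),
        "-p": lambda v: v == pkt["proto"],
        "-i": lambda v: v == pkt["iface"],
        "-o": lambda v: False,                       # INPUT path has no output interface
        "--dport": lambda v: int(v) == pkt["dport"],
        "--sport": lambda v: int(v) == pkt["sport"],
        "--state": lambda v: pkt["state"] in v.split(","),
        "--icmp-type": lambda v: pkt["proto"] == "icmp",
    }
    return all(checks[opt](val) for opt, val in rule.items() if opt != "target")


def verdict(policies, chains, pkt, chain="INPUT"):
    """Walk a chain (recursing into user chains) and return the terminal verdict."""
    for rule in chains[chain]:
        if not matches(rule, pkt):
            continue
        target = rule["target"]
        if target in TERMINAL:
            return target
        if target == "RETURN":
            break
        if target in chains:                          # user chain: fall through if it returns
            result = verdict(policies, chains, pkt, target)
            if result is not None:
                return result
    return policies.get(chain)                        # built-in policy, None for user chains


def nfs_reply_packet(server=NFS_SERVER, client="192.0.2.20", state="NEW"):
    """Synthetic NFS-over-TCP reply; NEW models 'no conntrack entry yet'."""
    return {"src": server, "dst": client, "proto": "tcp", "sport": 2049,
            "dport": 1012, "iface": "eth0", "state": state}


def check_ruleset(text, pkt=None):
    """Verdict the INPUT path gives the NFS reply, e.g. 'ACCEPT' or 'REJECT'."""
    policies, chains = parse_rules(text)
    return verdict(policies, chains, pkt or nfs_reply_packet())


if __name__ == "__main__":
    for name, rules in (("default", DEFAULT_RULES), ("with NFS accept", FIXED_RULES)):
        print("%-16s NFS reply while conntrack has no entry: %s" % (name, check_ruleset(rules)))
```

Run it against the real file with `check_ruleset(open("/etc/sysconfig/iptables").read())` before rebooting a diskless client; a REJECT or DROP verdict means the first NFS reply after conntrack loads would be refused, which is the hang the poster describes. The check deliberately evaluates state as NEW so that a ruleset is only passed when the NFS server is accepted by address and port, not by connection state.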

