nfs through your firewall
augie
schwer at sonic.net
Sat Jun 22 23:26:34 PDT 2002
this is my experience trying to get nfs through my firewall, i hope this
helps anyone trying to do the same.
the short: Mandrake 8.2
#allow gohan to mount an nfs on goku
${IPTABLES} -A INPUT -s gohan -d goku -i eth0 -p udp --dport 2049 -j ACCEPT #nfs
${IPTABLES} -A INPUT -s gohan -d goku -i eth0 -p tcp --dport 111 -j ACCEPT #sunrpc
${IPTABLES} -A INPUT -s gohan -d goku -i eth0 -p udp --dport 111 -j ACCEPT #sunrpc
${IPTABLES} -A INPUT -s gohan -d goku -i eth0 -p udp --dport 745 -j ACCEPT #mountd
add the line 'MOUNTD_PORT=745' to your /etc/sysconfig/network
the long:
for awhile now i've been using nfs to move files in between by laptop and
my main pc, but i would have to shutdown the bastille-firewall everytime i
wanted to do it. so today i sat down and figured out how to poke a teeny
little hole in the firewall to allow such traffic through.
i'd never tried to write any rules myself so i headed over to
www.nblug.org/firewall to have a look at some of the great examples frank
has up there. there is even one for allowing nfs.
http://nblug.org/firewall/firewall.2_4.masq-server
# NFS
$IPT -A INPUT -s $LOCALNET -i eth0 -p tcp --dport 2049 -j ACCEPT
$IPT -A INPUT -s $LOCALNET -i eth0 -p tcp --dport sunrpc -j ACCEPT
$IPT -A INPUT -s $LOCALNET -i eth0 -p tcp --dport 745 -j ACCEPT
$IPT -A INPUT -s $LOCALNET -i eth0 -p udp -j ACCEPT
but i was confused by the port 745 reference, and a little nervous about
allowing all udp packets. port 745 seems to be unassigned
(http://www.iana.org/assignments/port-numbers). so i wasn't really sure
what part that played.
the rpcinfo tool really helped me here. use it with the -p option to see
a list of registered RPC programs. from this i figured what frank meant by
port 745 was mountd. but my mountd was using ports in the 30k range which
made me wonder if after i rebooted these numbers would change, and my new
firewall rules would be useless.
my answer came from where most answers in the linux world come from, the
man page:
rpc.mountd(8)
-p or --port
Force rpc.mountd to bind to the specified port,
instead of using the random port number assigned by the
portmapper.
now i had to find out where the rpc.mountd command got called so i could
pass it my static port of 745. luckily for me it was in the first place i
looked, the init file for nfs. /etc/rc.d/init.d/nfs from this script i
figured out that it looks for some options in /etc/sysconfig/network one
of them being MOUNTD_PORT which was exactly what i needed. so i added the
line MOUNTD_PORT=745 to my network file, and presto! mountd starts on 745
each time.
a few caveats.
if you use bastille like i do, then you will have to
replace the word INPUT in the top script with whatever interface chain you
mean. bastille seperates it's interfaces into three sections: trusted,
public, and internal. i considered my interface to be public so the chain
i had to append my rule to was PUB_IN. if you consider your interface on
your lan to be internal, then you would use INT_IN.
also i'm not clear on why i had to accept both udp and tcp packets for
sunrpc, but i do know that it didn't work without them both.
hope this helps.
-augie
--
"A good programmer is someone who looks both ways before crossing a
one-way street." - Doug Linder
registered linux user #229905
More information about the talk
mailing list