iptables and nfs - Redhat

  1. iptables and nfs

    Hello,

    I tried to configure /etc/sysconfig/iptables to support nfs on a
    RH9 machine.

    When the iptables is down, I do succeed to mount nfs like that:

    mount -t nfs -o rw,hard,nolock,intr 192.168.0.18:/export /mnt/nfs

    But when I start iptables (service iptables start), when
    I try to run this mount command I get the following error:


    mount -t nfs -o rw,hard,nolock,intr 192.168.0.18:/export /mnt/nfs

    mount: RPC: Unable to receive; errno = Connection refused
    mount: nfsmount failed: Bad file descriptor
    mount: Mounting 192.168.0.18:/exported on /mnt/nfs failed: Invalid argument

    Now, I had tried to change, in /etc/sysconfig/iptables, 2 lines:

    -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 --syn -j ACCEPT
    -A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j ACCEPT

    as I see in /etc/services that the nfs port is 2049.

    I do get the same error.


    What to do?
    Any idea?

    any help will be appreciated.


    Q. John

  2. Re: iptables and nfs


    "john" wrote in message
    news:19778961.0405100509.fdbe55c@posting.google.com...
    > Hello,
    >
    > I tried to configure /etc/sysconfig/iptables to support nfs on a
    > RH9 machine.
    >
    > When the iptables is down , I do succeed to mount nfs like that:
    >
    > mount -t nfs -o rw,hard,nolock,intr 192.168.0.18:/export /mnt/nfs
    >
    > But when I start iptables (service iptables start), when
    > I try to run this mount command I get the following error:
    >
    >
    > mount -t nfs -o rw,hard,nolock,intr 192.168.0.18:/export /mnt/nfs
    >
    > mount: RPC: Unable to receive; errno = Connection refused
    > mount: nfsmount failed: Bad file descriptor
    > mount: Mounting 192.168.0.18:/exported on /mnt/nfs failed: Invalid argument
    >
    > Now, I had tried to change, in /etc/sysconfig/iptables, 2 lines:
    >
    > -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 --syn -j ACCEPT
    > -A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j ACCEPT
    >
    > as I see in /etc/services that the nfs port is 2049.


    From the looks of it, your mount command may not be right.

    The format for it should be :
    mount :/ /mnt/

    From your mount command it should be something like

    mount 192.168.0.18:/export /mnt/nfs

    Some of the options you have, specifically "hard", mean that if there is a
    problem with NFS, then the system will hang; you should change this to
    "soft" so that if there is a problem, the system won't hang.
    Also check the host directory "export" against the entry in your mount
    command; in the above error message, it says "exported" is the directory.

    To mount your file system in /etc/fstab use

    192.168.0.18:/export /mnt/nfs nfs exec,dev,suid,rw,soft 1 1

    (note the last 2 entries, these are 1 & 1, not 11 (eleven))

    Try mounting NFS on boot up using /etc/fstab and the above entry and see how
    you go.

    HTH

    --
    Sandgroper
    ----------------------------------
    Remove KNICKERS to Email
    steveray@KNICKERSiinet.net.au






  3. Re: iptables and nfs

    On Mon, 10 May 2004 06:09:16 -0700, john thoughtfully wrote:

    > Hello,
    >
    > I tried to configure /etc/sysconfig/iptables to support nfs on a
    > RH9 machine.
    >
    > When the iptables is down , I do succeed to mount nfs like that:
    >
    > mount -t nfs -o rw,hard,nolock,intr 192.168.0.18:/export /mnt/nfs
    >
    > But when I start iptables (service iptables start), when
    > I try to run this mount command I get the following error:
    >
    >
    > mount -t nfs -o rw,hard,nolock,intr 192.168.0.18:/export /mnt/nfs
    >
    > mount: RPC: Unable to receive; errno = Connection refused
    > mount: nfsmount failed: Bad file descriptor
    > mount: Mounting 192.168.0.18:/exported on /mnt/nfs failed: Invalid argument
    >
    > Now, I had tried to change, in /etc/sysconfig/iptables, 2 lines:
    >
    > -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 --syn -j ACCEPT
    > -A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j ACCEPT
    >
    > as I see in /etc/services that the nfs port is 2049.
    >
    > I do get the same error.
    >
    >
    > what to do ?
    > Any idea?
    >
    > any help will be appreciated.


    I use something like:

    -A RH-Firewall-1-INPUT -s 192.168.0.0/255.255.255.0 -d
    192.168.0.0/255.255.255.0 -p tcp -m state --state NEW
    (or --state RELATED,ESTABLISHED) -m tcp --dport 2049 -j ACCEPT

    > Q. John






  4. Re: iptables and nfs

    The error says it all. RPC.

    Have to allow sunrpc (111) as well.

    qwejohn@hotmail.com (john) wrote in message news:<19778961.0405100509.fdbe55c@posting.google.com>...
    > Hello,
    >
    > I tried to configure /etc/sysconfig/iptables to support nfs on a
    > RH9 machine.
    >
    > When the iptables is down , I do succeed to mount nfs like that:
    >
    > mount -t nfs -o rw,hard,nolock,intr 192.168.0.18:/export /mnt/nfs
    >
    > But when I start iptables (service iptables start), when
    > I try to run this mount command I get the following error:
    >
    >
    > mount -t nfs -o rw,hard,nolock,intr 192.168.0.18:/export /mnt/nfs
    >
    > mount: RPC: Unable to receive; errno = Connection refused
    > mount: nfsmount failed: Bad file descriptor
    > mount: Mounting 192.168.0.18:/exported on /mnt/nfs failed: Invalid argument
    >
    > Now, I had tried to change, in /etc/sysconfig/iptables, 2 lines:
    >
    > -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 --syn -j ACCEPT
    > -A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j ACCEPT
    >
    > as I see in /etc/services that the nfs port is 2049.
    >
    > I do get the same error.
    >
    >
    > what to do ?
    > Any idea?
    >
    > any help will be appreciated.
    >
    >
    > Q. John


  5. Re: iptables and nfs

    On Mon, 10 May 2004 06:09:16 -0700, john wrote the following words:



    I've been bothering with NFS and iptables for the entire weekend. In the
    end I found:
    http://www.lowth.com/LinWiz/1.09/Ser...fw.pl/iptables

    And on that page, there is also this link:
    http://www.lowth.com/LinWiz/1.09/notes/nfs_help.php

    I hope it can help you as it helped me.

    Dirk
    --
    carpe noctem


  6. Re: iptables and nfs

    Hello,
    First, thanks to you and everybody else who answered.

    Second, I had added in iptables the next 2 lines:

    #allow sunrpc
    -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 111 --syn -j ACCEPT
    -A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 111 -j ACCEPT

    and restarted iptables; I tried the same mount command
    and it worked.

    Regarding the other answers:
    well, it does not seem to me that the switches of the mount command
    (for example, from "hard" to "soft") are relevant.
    The fact is that when stopping iptables, that mount command
    did work; when starting iptables, that mount command did not
    work. This shows probably that the problem was with blocking of a port.

    Thanks again,
    John









    alt_phil@yahoo.com (Phil) wrote in message news:<843bbf44.0405101313.438afc27@posting.google.com>...
    > The error says it all. RPC.
    >
    > Have to allow sunrpc (111) as well.
    >
    > qwejohn@hotmail.com (john) wrote in message news:<19778961.0405100509.fdbe55c@posting.google.com>...
    > > Hello,
    > >
    > > I tried to configure /etc/sysconfig/iptables to support nfs on a
    > > RH9 machine.
    > >
    > > When the iptables is down , I do succeed to mount nfs like that:
    > >
    > > mount -t nfs -o rw,hard,nolock,intr 192.168.0.18:/export /mnt/nfs
    > >
    > > But when I start iptables (service iptables start), when
    > > I try to run this mount command I get the following error:
    > >
    > >
    > > mount -t nfs -o rw,hard,nolock,intr 192.168.0.18:/export /mnt/nfs
    > >
    > > mount: RPC: Unable to receive; errno = Connection refused
    > > mount: nfsmount failed: Bad file descriptor
    > > mount: Mounting 192.168.0.18:/exported on /mnt/nfs failed: Invalid argument
    > >
    > > Now, I had tried to change, in /etc/sysconfig/iptables, 2 lines:
    > >
    > > -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 --syn -j ACCEPT
    > > -A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j ACCEPT
    > >
    > > as I see in /etc/services that the nfs port is 2049.
    > >
    > > I do get the same error.
    > >
    > >
    > > what to do ?
    > > Any idea?
    > >
    > > any help will be appreciated.
    > >
    > >
    > > Q. John


  7. Re: iptables and nfs

    On 10 May 2004 22:33:41 -0700,
    qwejohn@hotmail.com (john) posted:

    > Second, I had added in iptables the next 2 lines:
    >
    > #allow sunrpc
    > -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 111 --syn -j ACCEPT
    > -A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 111 -j ACCEPT
    >
    > and restarted iptables; I tried the same mount command
    > and it worked.


    You probably should fine tune that to only allow that in the
    network/addresses that you want to use it with, not with every network
    connection on your computer (including the WWW).

    > Regarding the other answers:
    > well , it does not seem to me that the switches of the mount command
    > (for example,from "hard" to "soft") are relevant.


    Not to that issue, but the advice still stands about it causing a system to
    hang if it can't connect to the resource (e.g. one computer goes down,
    reboots, etc., and it takes the other one out of action, too).

    --
    If you insist on e-mailing me, use the reply-to address (it's real but
    temporary). But please reply to the group, like you're supposed to.

    This message was sent without a virus, please delete some files yourself.
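
Added example, not part of any post in this thread: a small shell check that reads rules in the `/etc/sysconfig/iptables` format and reports, for the sunrpc (111) and nfs (2049) ports discussed above, whether each one is blocked, accepted from any source, or limited to a source network. The three sample rule sets are constructed; `LAN_ONLY` is an assumed variant that uses the 192.168.0.0/255.255.255.0 network mentioned in post 3.

```shell
#!/bin/sh
# Added example: audit iptables-save style rules for the two ports this
# thread opens for NFS (111 sunrpc/portmapper, 2049 nfs).
# Prints one line per protocol/port:
#   MISSING proto/port      no ACCEPT rule, so the RPC lookup or NFS call is blocked
#   OPEN proto/port         accepted from any source address
#   OK proto/port source    accepted only from the given source
audit_nfs_rules() {
    awk '
    /^-A / && /-j ACCEPT/ {
        proto = ""; port = ""; src = ""
        for (i = 1; i < NF; i++) {
            if ($i == "-p")      proto = $(i + 1)
            if ($i == "--dport") port  = $(i + 1)
            if ($i == "-s")      src   = $(i + 1)
        }
        if (port != "111" && port != "2049") next
        key = proto "/" port
        seen[key] = 1
        # One unrestricted ACCEPT is enough to expose the port.
        if (src == "" || src == "0.0.0.0/0") anysrc[key] = 1
        else if (!(key in srcs)) srcs[key] = src
    }
    END {
        n = split("tcp/111 udp/111 tcp/2049 udp/2049", want, " ")
        for (j = 1; j <= n; j++) {
            k = want[j]
            if (!(k in seen))        print "MISSING " k
            else if (k in anysrc)    print "OPEN " k
            else                     print "OK " k " " srcs[k]
        }
    }'
}

# Constructed samples. NFS_ONLY: the two 2049 rules from the first post.
NFS_ONLY='-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j ACCEPT'
# WITH_RPC: the same plus the sunrpc rules that made the mount work.
WITH_RPC="$NFS_ONLY
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 111 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 111 -j ACCEPT"
# LAN_ONLY: assumed variant limited to the 192.168.0.0/24 network.
LAN_ONLY=$(printf '%s\n' "$WITH_RPC" |
    sed 's|INPUT |INPUT -s 192.168.0.0/255.255.255.0 |')

printf '%s\n' "$LAN_ONLY" | audit_nfs_rules
```

To check a live rule file, pipe it in the same way: `audit_nfs_rules < /etc/sysconfig/iptables`.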

  8. Re: iptables and nfs

    On Mon, 10 May 2004 23:24:17 +0200, Dirk
    wrote:

    >On Mon, 10 May 2004 06:09:16 -0700, john wrote the following words:
    >
    >
    >
    >I've been bothering with NFS and iptables for the entire weekend. In the
    >end I found:
    >http://www.lowth.com/LinWiz/1.09/Ser...fw.pl/iptables
    >
    >And on that page, there is also this link:
    >http://www.lowth.com/LinWiz/1.09/notes/nfs_help.php
    >
    >I hope it can help you as it helped me.
    >
    >Dirk



    This whole thing begs the question of why are you punching a hole in
    your firewall for a notoriously insecure protocol? You can use scp or
    sftp to copy files in a secure manner that requires real
    authentication. Or for that matter, you can tunnel NFS over a secure
    channel using ssh.

    -Chris

  9. Re: iptables and nfs

    On Thu, 13 May 2004 14:41:49 +0000, chri wrote:

    [skipperdeskip>

    > Or for that matter, you can tunnel NFS over a secure
    > channel using ssh.


    Also at boot time?

    Flip


    > -Chris



  10. Re: iptables and nfs

    On Fri, 14 May 2004 14:42:56 +0200, "flap flop" wrote:

    >On Thu, 13 May 2004 14:41:49 +0000, chri wrote:
    >
    >[skipperdeskip>
    >
    >> Or for that matter, you can tunnel NFS over a secure
    >> channel using ssh.

    >
    >Also at boot time?
    >
    >Flip
    >
    >
    >> -Chris



    I'm not sure of the best way to set this up. I have seen it working, just
    never set up a full-time ssh tunnel between nix boxes. Try asking this
    question over on comp.security.ssh.

    There is also a tunneling daemon for linux. The name of the service
    eludes me at the moment, but I recall it being on the list of other
    network services during install.

    -Chris


  11. Re: iptables and nfs

    On Sat, 15 May 2004 03:34:25 GMT, chris@nospam.com wrote:

    >There is also a tunneling daemon for linux. The name of the service
    >eludes me at the moment, but I recall it being on the list of other
    >network services during install.
    >


    It's called stunnel. I've never used it for nfs mounts, but I'm sure
    somebody has tried/done it.


    Brad
    --
    "Laughter is good medicine and it has no bad side effects."
    Unknown
    Bradley W. Olin
    http://www.bwo1.com

  12. Re: iptables and nfs

    On Sat, 15 May 2004 13:56:58 GMT, Brad Olin wrote:

    >On Sat, 15 May 2004 03:34:25 GMT, chris@nospam.com wrote:
    >
    >>There is also a tunneling daemon for linux. The name of the service
    >>eludes me at the moment, but I recall it being on the list of other
    >>network services during install.
    >>

    >
    >It's called stunnel. I've never used it for nfs mounts, but I'm sure
    >somebody has tried/done it.
    >
    >
    >Brad



    I went back and looked and the peer-to-peer tunnel was CIPE.

  13. Re: iptables and nfs

    On Sun, 16 May 2004 01:13:08 GMT, chris@nospam.com wrote:

    >On Sat, 15 May 2004 13:56:58 GMT, Brad Olin wrote:
    >
    >>On Sat, 15 May 2004 03:34:25 GMT, chris@nospam.com wrote:
    >>
    >>>There is also a tunneling daemon for linux. The name of the service
    >>>eludes me at the moment, but I recall it being on the list of other
    >>>network services during install.
    >>>

    >>
    >>It's called stunnel. I've never used it for nfs mounts, but I'm sure
    >>somebody has tried/done it.
    >>
    >>

    >
    >I went back and looked and the peer-to-peer tunnel was CIPE.


    You could be right. I've never used CIPE, but I have stunnel. Yet
    another item just hit my reading list...


    Brad
    --
    "Laughter is good medicine and it has no bad side effects."
    Unknown
    Bradley W. Olin
    http://www.bwo1.com
