NIS/NFS & iptables - Security



Thread: NIS/NFS & iptables

  1. NIS/NFS & iptables

    I have been working on securing my servers using iptables. At this
    point, I have made it past most of my roadblocks. I'm now experiencing
    issues with NIS/NFS as I am unable to determine the exact ports to open
    up. I'm hoping someone has some experience with this and can help me
    out.

    Here is a description of the network I'm dealing with:

    I have 1 server acting as the NIS/NFS server. There are 2 servers
    connecting to it. All of these connections are taking place on the
    eth1 interface which is used for the internal network. eth0 is
    connected directly to the internet. What ports need to be opened on
    the NIS/NFS server and what ports need to be opened on the client
    servers?


    Thanks,
    Jason


  2. Re: NIS/NFS & iptables

    On Fri, 02 Dec 2005 22:22:27 -0800, Jason Williard wrote:

    > I have been working on securing my servers using iptables. At this
    > point, I have made it past most of my roadblocks. I'm now experiencing
    > issues with NIS/NFS as I am unable to determine the exact ports to open
    > up.


    You'd need to configure NIS to bind to ports statically:
    http://www.redhat.com/docs/manuals/l...erver-nis.html

    The port for NFS is 2049 (also start "mountd" and "statd" with '-p #')

    > I'm hoping someone has some experience with this and can help me
    > out.


    Other than the above, you need to allow the RPC portmapper (port 111).
    For NFS, read the manpages of: portmap, nfsd, mountd, statd and maybe rquotad.

    Much much easier to just use libwrap (tcpwrappers) though.

    --
    -Menno.


  3. Re: NIS/NFS & iptables

    Jason Williard wrote:
    > I have been working on securing my servers using iptables. At this
    > point, I have made it past most of my roadblocks. I'm now experiencing
    > issues with NIS/NFS as I am unable to determine the exact ports to open
    > up. I'm hoping someone has some experience with this and can help me
    > out.
    >
    > Here is a description of the network I'm dealing with:
    >
    > I have 1 server acting as the NIS/NFS server. There are 2 servers
    > connecting to it. All of these connections are taking place on the
    > eth1 interface which is used for the internal network. eth0 is
    > connected directly to the internet. What ports need to be opened on
    > the NIS/NFS server and what ports need to be opened on the client
    > servers?
    >
    >


    I wanted to do something similar (I wanted to block traffic rather than
    allow it). Part of my script is below; the host in question was
    10.0.0.2. The bits below do an RPC query on the host, discover the
    ports in use, and block them; you could just change the block to an accept.

    Bear in mind that you might need to rerun these should your systems
    reboot. If you have a firewall script, you can cron this by making a
    custom chain and deleting/recreating the chain every hour. I just know to
    rerun the firewall script when we have downtime on the server.

    Found this little nugget on google:


    # Ask the portmapper on 10.0.0.2 which TCP ports its RPC services use
    # (third field of "rpcinfo -p" is the protocol, fourth is the port),
    # one port per line, duplicates removed.
    RPC_TCP=$(rpcinfo -p 10.0.0.2 | perl -n -e '/.*tcp\s+(\d+)\s+/ && print $1,"\n"' | sort -u)
    for port in $RPC_TCP; do
        iptables -A FORWARD -d 10.0.0.2 -p tcp --dport "$port" -j DROP
    done

    # Same again for the UDP registrations.
    RPC_UDP=$(rpcinfo -p 10.0.0.2 | perl -n -e '/.*udp\s+(\d+)\s+/ && print $1,"\n"' | sort -u)
    for port in $RPC_UDP; do
        iptables -A FORWARD -d 10.0.0.2 -p udp --dport "$port" -j DROP
    done
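
    The following is an added example, not code from either reply. It combines the advice of the two answers: the second reply's point that the portmapper (111), NFS (2049) and the statically pinned mountd/statd/NIS ports are what must be allowed, and the third reply's approach of discovering those ports with "rpcinfo -p" and refilling a custom chain on every run so it can be cronned. Instead of dropping on FORWARD, it emits ACCEPT rules restricted to the internal interface eth1 and the server address 10.0.0.2 from the thread. The chain name NFS_NIS_IN, the DRY_RUN switch, the awk parser (used in place of the perl one-liner) and the sample rpcinfo output with its pinned port numbers are all constructed for this example and are not from the thread.

```shell
#!/bin/sh
# Added example: rebuild an iptables chain of ACCEPT rules for the RPC
# ports a NIS/NFS server currently registers with its portmapper.
# 10.0.0.2 and eth1 come from the thread; everything else is assumed.

NFS_SERVER=10.0.0.2
INT_IF=eth1
CHAIN=NFS_NIS_IN
DRY_RUN=${DRY_RUN:-1}   # 1 = print the iptables commands instead of running them

# Constructed sample of "rpcinfo -p" output for a server whose mountd, statd
# and ypserv have been pinned to fixed ports (port values chosen arbitrarily).
SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    2   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100005    1   udp   4002  mountd
    100005    1   tcp   4002  mountd
    100024    1   udp   4001  status
    100024    1   tcp   4001  status
    100004    2   udp    833  ypserv
    100004    2   tcp    836  ypserv'

# rpcinfo_output: the real portmapper query, or the sample when dry-running.
rpcinfo_output() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$SAMPLE_RPCINFO"
    else
        rpcinfo -p "$NFS_SERVER"
    fi
}

# rpc_ports PROTO  (reads rpcinfo output on stdin)
# Prints the unique ports registered for PROTO (tcp or udp), one per line.
# Matching on the protocol column rather than anywhere in the line avoids
# false hits from service names, and the numeric check skips the header.
rpc_ports() {
    awk -v proto="$1" '$3 == proto && $4 ~ /^[0-9]+$/ { print $4 }' | sort -un
}

# run: execute the command, or just echo it in dry-run mode.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# build_rules: create the chain if missing, flush it so stale ports from the
# previous run disappear, then add one ACCEPT per registered port/protocol,
# limited to the internal interface and the server address.
build_rules() {
    run iptables -N "$CHAIN" 2>/dev/null || true
    run iptables -F "$CHAIN"
    for proto in tcp udp; do
        for port in $(rpcinfo_output | rpc_ports "$proto"); do
            run iptables -A "$CHAIN" -i "$INT_IF" -d "$NFS_SERVER" \
                -p "$proto" --dport "$port" -j ACCEPT
        done
    done
    run iptables -A "$CHAIN" -j RETURN
}

build_rules
```

    Hook the chain in once from the firewall script (for example "iptables -A INPUT -i eth1 -j NFS_NIS_IN" on the server itself, or the same jump on FORWARD on a gateway) and let cron re-run this script with DRY_RUN=0; because the chain is flushed and refilled each time, a reboot that reshuffles the unpinned RPC ports only needs the next run to catch up. The rules still depend on the portmapper's own port 111 being reachable, which is why it appears in the output as well.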
