Firewall & NFS - Security



Thread: Firewall & NFS

  1. Firewall & NFS

    Hi,
    I'm trying to set up a host firewall (iptables) on two servers on an internal
    subnet. One of those servers mounts an NFS share of the other. If I apply the
    rules when the servers have already booted (and mounted the NFS share)
    everything is OK. The problem is that if I reboot the "client" server (the
    server that mounts the share) it is unable to mount it again.

    Here are the NFS related rules I'm using.

    NFS Client:
    ------------

    # Localhost rules
    /sbin/iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -i lo -j ACCEPT
    /sbin/iptables -A OUTPUT -d 127.0.0.1 -s 127.0.0.1 -o lo -j ACCEPT

    # Portmapper
    /sbin/iptables -A INPUT -s 172.16.0.0/16 -p tcp --dport 111 -m state --state NEW,ESTABLISHED -j ACCEPT
    /sbin/iptables -A OUTPUT -p tcp --sport 111 -m state --state ESTABLISHED -j ACCEPT

    /sbin/iptables -A INPUT -s 172.16.0.0/16 -p udp --dport 111 -m state --state NEW,ESTABLISHED -j ACCEPT
    /sbin/iptables -A OUTPUT -p udp --sport 111 -m state --state ESTABLISHED -j ACCEPT

    # Statd
    /sbin/iptables -A INPUT -s 172.16.0.0/16 -p tcp --dport 32768 -m state --state NEW,ESTABLISHED -j ACCEPT
    /sbin/iptables -A OUTPUT -p tcp --sport 32768 -m state --state ESTABLISHED -j ACCEPT
    /sbin/iptables -A INPUT -s 172.16.0.0/16 -p udp --dport 32768 -m state --state NEW,ESTABLISHED -j ACCEPT
    /sbin/iptables -A OUTPUT -p udp --sport 32768 -m state --state ESTABLISHED -j ACCEPT
    /sbin/iptables -A INPUT -s 172.16.0.0/16 -p tcp --dport 32769 -m state --state NEW,ESTABLISHED -j ACCEPT
    /sbin/iptables -A OUTPUT -p tcp --sport 32769 -m state --state ESTABLISHED -j ACCEPT
    /sbin/iptables -A INPUT -s 172.16.0.0/16 -p udp --dport 32769 -m state --state NEW,ESTABLISHED -j ACCEPT
    /sbin/iptables -A OUTPUT -p udp --sport 32769 -m state --state ESTABLISHED -j ACCEPT

    # NFS
    /sbin/iptables -A OUTPUT -p tcp --dport 2049 -m state --state NEW,ESTABLISHED -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --sport 2049 -m state --state ESTABLISHED -j ACCEPT
    /sbin/iptables -A OUTPUT -p udp --dport 2049 -m state --state NEW,ESTABLISHED -j ACCEPT
    /sbin/iptables -A INPUT -p udp --sport 2049 -m state --state ESTABLISHED -j ACCEPT

    NFS Server:
    -------------
    # Localhost rules
    /sbin/iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -i lo -j ACCEPT
    /sbin/iptables -A OUTPUT -d 127.0.0.1 -s 127.0.0.1 -o lo -j ACCEPT

    # Statd
    /sbin/iptables -A INPUT -s 172.16.0.0/16 -p tcp --dport 32768 -m state --state NEW,ESTABLISHED -j ACCEPT
    /sbin/iptables -A OUTPUT -p tcp --sport 32768 -m state --state ESTABLISHED -j ACCEPT
    /sbin/iptables -A INPUT -s 172.16.0.0/16 -p udp --dport 32768 -m state --state NEW,ESTABLISHED -j ACCEPT
    /sbin/iptables -A OUTPUT -p udp --sport 32768 -m state --state ESTABLISHED -j ACCEPT

    # Portmapper
    /sbin/iptables -A INPUT -s 172.16.0.0/16 -p tcp --dport 111 -m state --state NEW,ESTABLISHED -j ACCEPT
    /sbin/iptables -A OUTPUT -p tcp --sport 111 -m state --state ESTABLISHED -j ACCEPT
    /sbin/iptables -A INPUT -s 172.16.0.0/16 -p udp --dport 111 -m state --state NEW,ESTABLISHED -j ACCEPT
    /sbin/iptables -A OUTPUT -p udp --sport 111 -m state --state ESTABLISHED -j ACCEPT

    # NFS
    /sbin/iptables -A INPUT -s 172.16.0.0/16 -p tcp --dport 2049 -m state --state NEW,ESTABLISHED -j ACCEPT
    /sbin/iptables -A OUTPUT -p tcp --sport 2049 -m state --state ESTABLISHED -j ACCEPT
    /sbin/iptables -A INPUT -s 172.16.0.0/16 -p udp --dport 2049 -m state --state NEW,ESTABLISHED -j ACCEPT
    /sbin/iptables -A OUTPUT -p udp --sport 2049 -m state --state ESTABLISHED -j ACCEPT

    # rquotad
    /sbin/iptables -A INPUT -s 172.16.0.0/16 -p udp --dport 1016 -m state --state NEW,ESTABLISHED -j ACCEPT
    /sbin/iptables -A OUTPUT -p udp --sport 1016 -m state --state ESTABLISHED -j ACCEPT

    # rpc.mountd
    /sbin/iptables -A INPUT -s 172.16.0.0/16 -p tcp --dport 1015 -m state --state NEW,ESTABLISHED -j ACCEPT
    /sbin/iptables -A OUTPUT -p tcp --sport 1015 -m state --state ESTABLISHED -j ACCEPT
    /sbin/iptables -A INPUT -s 172.16.0.0/16 -p udp --dport 1015 -m state --state NEW,ESTABLISHED -j ACCEPT
    /sbin/iptables -A OUTPUT -p udp --sport 1015 -m state --state ESTABLISHED -j ACCEPT

    Any suggestions will be appreciated.
    Sincerely,

    --
    chabral



  2. Re: Firewall & NFS

    chabral wrote:
    > Hi,
    > I'm trying to set up a host firewall (iptables) on two servers on an internal
    > subnet. One of those servers mounts an NFS share of the other. If I apply the
    > rules when the servers have already booted (and mounted the NFS share)
    > everything is OK. The problem is that if I reboot the "client" server (the
    > server that mounts the share) it is unable to mount it again.
    >
    > Here are the NFS related rules I'm using....
    >


    Some NFS-associated ports are dynamic, so the ports you specified
    probably aren't valid. Typically outbound traffic on a connection
    allows the inbound traffic to return through netfilter. Netfilter makes
    up a state at startup, allowing your "established" connections to
    continue. (At least I suspect that's what's happening.)

    portmap port is always 111

    nfsd port is always 2049

    lockd port can be defined in /etc/modprobe.conf

    mountd and statd ports can be defined as startup options (how you define
    them varies with distro; RH and FC use /etc/sysconfig/nfs)

    rquotad port can't be defined (last I checked, but you don't need it
    unless you're using quotas)

    See man pages and assorted, existing howtos for more info.

  3. Re: Firewall & NFS

    chabral wrote:
    > Hi,
    > I'm trying to set up a host firewall (iptables) on two servers on an internal
    > subnet. One of those servers mounts an NFS share of the other. If I apply the
    > rules when the servers have already booted (and mounted the NFS share)
    > everything is OK. The problem is that if I reboot the "client" server (the
    > server that mounts the share) it is unable to mount it again.
    >
    > Here are the NFS related rules I'm using.
    >
    > NFS Client:
    > ------------
    >
    > # Localhost rules
    > /sbin/iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -i lo -j ACCEPT
    > /sbin/iptables -A OUTPUT -d 127.0.0.1 -s 127.0.0.1 -o lo -j ACCEPT
    >
    > # Portmapper
    > /sbin/iptables -A INPUT -s 172.16.0.0/16 -p tcp --dport 111 -m state --state NEW,ESTABLISHED -j ACCEPT
    > /sbin/iptables -A OUTPUT -p tcp --sport 111 -m state --state ESTABLISHED -j ACCEPT
    >
    > /sbin/iptables -A INPUT -s 172.16.0.0/16 -p udp --dport 111 -m state --state NEW,ESTABLISHED -j ACCEPT
    > /sbin/iptables -A OUTPUT -p udp --sport 111 -m state --state ESTABLISHED -j ACCEPT
    >
    > # Statd
    > /sbin/iptables -A INPUT -s 172.16.0.0/16 -p tcp --dport 32768 -m state --state NEW,ESTABLISHED -j ACCEPT
    > /sbin/iptables -A OUTPUT -p tcp --sport 32768 -m state --state ESTABLISHED -j ACCEPT
    > /sbin/iptables -A INPUT -s 172.16.0.0/16 -p udp --dport 32768 -m state --state NEW,ESTABLISHED -j ACCEPT
    > /sbin/iptables -A OUTPUT -p udp --sport 32768 -m state --state ESTABLISHED -j ACCEPT
    > /sbin/iptables -A INPUT -s 172.16.0.0/16 -p tcp --dport 32769 -m state --state NEW,ESTABLISHED -j ACCEPT
    > /sbin/iptables -A OUTPUT -p tcp --sport 32769 -m state --state ESTABLISHED -j ACCEPT
    > /sbin/iptables -A INPUT -s 172.16.0.0/16 -p udp --dport 32769 -m state --state NEW,ESTABLISHED -j ACCEPT
    > /sbin/iptables -A OUTPUT -p udp --sport 32769 -m state --state ESTABLISHED -j ACCEPT
    >
    > # NFS
    > /sbin/iptables -A OUTPUT -p tcp --dport 2049 -m state --state NEW,ESTABLISHED -j ACCEPT
    > /sbin/iptables -A INPUT -p tcp --sport 2049 -m state --state ESTABLISHED -j ACCEPT
    > /sbin/iptables -A OUTPUT -p udp --dport 2049 -m state --state NEW,ESTABLISHED -j ACCEPT
    > /sbin/iptables -A INPUT -p udp --sport 2049 -m state --state ESTABLISHED -j ACCEPT
    >
    > NFS Server:
    > -------------
    > # Localhost rules
    > /sbin/iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -i lo -j ACCEPT
    > /sbin/iptables -A OUTPUT -d 127.0.0.1 -s 127.0.0.1 -o lo -j ACCEPT
    >
    > # Statd
    > /sbin/iptables -A INPUT -s 172.16.0.0/16 -p tcp --dport 32768 -m state --state NEW,ESTABLISHED -j ACCEPT
    > /sbin/iptables -A OUTPUT -p tcp --sport 32768 -m state --state ESTABLISHED -j ACCEPT
    > /sbin/iptables -A INPUT -s 172.16.0.0/16 -p udp --dport 32768 -m state --state NEW,ESTABLISHED -j ACCEPT
    > /sbin/iptables -A OUTPUT -p udp --sport 32768 -m state --state ESTABLISHED -j ACCEPT
    >
    > # Portmapper
    > /sbin/iptables -A INPUT -s 172.16.0.0/16 -p tcp --dport 111 -m state --state NEW,ESTABLISHED -j ACCEPT
    > /sbin/iptables -A OUTPUT -p tcp --sport 111 -m state --state ESTABLISHED -j ACCEPT
    > /sbin/iptables -A INPUT -s 172.16.0.0/16 -p udp --dport 111 -m state --state NEW,ESTABLISHED -j ACCEPT
    > /sbin/iptables -A OUTPUT -p udp --sport 111 -m state --state ESTABLISHED -j ACCEPT
    >
    > # NFS
    > /sbin/iptables -A INPUT -s 172.16.0.0/16 -p tcp --dport 2049 -m state --state NEW,ESTABLISHED -j ACCEPT
    > /sbin/iptables -A OUTPUT -p tcp --sport 2049 -m state --state ESTABLISHED -j ACCEPT
    > /sbin/iptables -A INPUT -s 172.16.0.0/16 -p udp --dport 2049 -m state --state NEW,ESTABLISHED -j ACCEPT
    > /sbin/iptables -A OUTPUT -p udp --sport 2049 -m state --state ESTABLISHED -j ACCEPT
    >
    > # rquotad
    > /sbin/iptables -A INPUT -s 172.16.0.0/16 -p udp --dport 1016 -m state --state NEW,ESTABLISHED -j ACCEPT
    > /sbin/iptables -A OUTPUT -p udp --sport 1016 -m state --state ESTABLISHED -j ACCEPT
    >
    > # rpc.mountd
    > /sbin/iptables -A INPUT -s 172.16.0.0/16 -p tcp --dport 1015 -m state --state NEW,ESTABLISHED -j ACCEPT
    > /sbin/iptables -A OUTPUT -p tcp --sport 1015 -m state --state ESTABLISHED -j ACCEPT
    > /sbin/iptables -A INPUT -s 172.16.0.0/16 -p udp --dport 1015 -m state --state NEW,ESTABLISHED -j ACCEPT
    > /sbin/iptables -A OUTPUT -p udp --sport 1015 -m state --state ESTABLISHED -j ACCEPT
    >
    > Any suggestions will be appreciated.
    > Sincerely,
    >
    > --
    > chabral
    >
    >


    1) You can choose which protocol is used with NFS, so you don't need to
    open both protocols for that traffic.

    2) Allen is absolutely right, the ports are dynamic, like passive FTP.

    3) You should use interface settings instead of IP addresses.

    4) Open the server port and allow established (related) traffic from one
    to the other.

    server 1
    iptables -A INPUT -i -s -d -p --dport 111 -m state --state NEW,ESTABLISHED
    iptables -A OUTPUT -o -d -s -p -m state --state RELATED,ESTABLISHED

    server 2
    iptables -A INPUT -i -s -d -p --dport 111 -m state --state NEW,ESTABLISHED
    iptables -A OUTPUT -o -d -s -p -m state --state RELATED,ESTABLISHED

    greetz,
    Eric

  4. Re: Firewall & NFS

    Allen Kistler wrote:
    > chabral wrote:
    >
    >>Hi,
    >> I'm trying to set up a host firewall (iptables) on two servers on an internal
    >>subnet. One of those servers mounts an NFS share of the other. If I apply the
    >>rules when the servers have already booted (and mounted the NFS share)
    >>everything is OK. The problem is that if I reboot the "client" server (the
    >>server that mounts the share) it is unable to mount it again.
    >>
    >>Here are the NFS related rules I'm using....
    >>
    >
    >
    > Some NFS-associated ports are dynamic, so the ports you specified
    > probably aren't valid. Typically outbound traffic on a connection
    > allows the inbound traffic to return through netfilter. Netfilter makes
    > up a state at startup, allowing your "established" connections to
    > continue. (At least I suspect that's what's happening.)
    >
    > portmap port is always 111
    >
    > nfsd port is always 2049
    >
    > lockd port can be defined in /etc/modprobe.conf
    >
    > mountd and statd ports can be defined as startup options (how you define
    > them varies with distro; RH and FC use /etc/sysconfig/nfs)
    >
    > rquotad port can't be defined (last I checked, but you don't need it
    > unless you're using quotas)
    >
    > See man pages and assorted, existing howtos for more info.


    1) You can choose which protocol is used with NFS, so you don't need to
    open both protocols for that particular traffic.

    2) Allen is absolutely right, the ports can be dynamic, like passive FTP.

    3) You should use interface settings instead of IP addresses, or use both.

    4) Open the server port and allow established (related) traffic from one
    to the other.

    As far as I know, these rules should do it.

    server 1
    iptables -A INPUT -i -s -d -p --dport 111 -m state --state NEW,ESTABLISHED
    iptables -A OUTPUT -o -d -s -p -m state --state RELATED,ESTABLISHED

    server 2
    iptables -A INPUT -i -s -d -p --dport 111 -m state --state NEW,ESTABLISHED
    iptables -A OUTPUT -o -d -s -p -m state --state RELATED,ESTABLISHED

    greetz,
    Eric
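An added example, not code from the thread or its posters, that puts Allen's and Eric's answers to work: it takes constructed `rpcinfo -p` output and lists the RPC endpoints the original server-side rules would never accept (the dynamic-port problem), then emits the server-side rule set for pinned mountd/statd/lockd ports using Eric's interface-based layout. The interface name, subnet and pinned port numbers are assumptions, and the Red Hat /etc/sysconfig/nfs variable names in the comment are one way to pin the ports, not something the thread shows.

```shell
#!/bin/sh
# Added example (not from the thread): check registered RPC ports against the
# firewall allow list, then generate rules for a server whose ports are pinned.

# Constructed `rpcinfo -p` output for the NFS server (not captured from a real host):
# statd registered on ephemeral ports and lockd on 32803, none of which the
# original server rules (111, 2049, 32768, 1015, 1016) accept.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  32770  status
    100024    1   tcp  32771  status
    100003    2   tcp   2049  nfs
    100003    2   udp   2049  nfs
    100021    1   udp  32803  nlockmgr
    100021    1   tcp  32803  nlockmgr
    100005    1   tcp   1015  mountd
    100005    1   udp   1015  mountd'

# Destination ports the server-side rules in the original post accept.
ALLOWED_PORTS="111 2049 32768 1015 1016"

# Print "proto port service" for every RPC endpoint bound to a port not in the allow list.
# $1 = text of `rpcinfo -p`, $2 = space-separated allowed ports.
unreachable_rpc_endpoints() {
    printf '%s\n' "$1" | awk -v allowed="$2" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR > 1 && NF == 5 && !($4 in ok) { print $3, $4, $5 }'
}

# Emit server-side rules once mountd, statd and lockd are pinned (on Red Hat, assumed
# here: MOUNTD_PORT, STATD_PORT, LOCKD_TCPPORT/LOCKD_UDPPORT in /etc/sysconfig/nfs, or
# lockd options in /etc/modprobe.conf). Per Eric: match the interface, accept NEW only
# on INPUT, and let OUTPUT carry RELATED,ESTABLISHED. If mounts are forced to a single
# protocol, the other protocol's rules can be dropped.
# $1 = interface, $2 = client subnet, $3 = mountd port, $4 = statd port, $5 = lockd port.
nfs_server_rules() {
    for port in 111 2049 "$3" "$4" "$5"; do
        for proto in tcp udp; do
            echo "iptables -A INPUT -i $1 -s $2 -p $proto --dport $port -m state --state NEW,ESTABLISHED -j ACCEPT"
        done
    done
    echo "iptables -A OUTPUT -o $1 -d $2 -m state --state RELATED,ESTABLISHED -j ACCEPT"
}

# Example run with constructed values: report the gaps, then print rules for eth0.
unreachable_rpc_endpoints "$SAMPLE_RPCINFO" "$ALLOWED_PORTS"
nfs_server_rules eth0 172.16.0.0/16 1015 32768 32803
```

On a real host, feed `rpcinfo -p` output to the check after every reboot; an empty result means every registered endpoint is covered by the rules.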
