rogge (Tux's lil' helper)
Joined: 13 Oct 2006 Posts: 137 Location: Erfurt
Posted: Tue Sep 07, 2021 11:04 pm Post subject: [Solved] iptables blocking nfs
Hi,
while writing this post my problem is already solved, however not by any tutorial nor any Q&A site.
That's why I want to tell it here. The new server (with NFS) hasn't got iptables yet, but the client has.
After setting up and starting NFSv4 I failed on my own firewall. It was impossible to mount my remote
dirs. hosts.allow was correct, exportfs showed the expected results etc. But mount -v ... was giving me:
Code:
```text
mount.nfs4: mount(2): Connection refused
```
After shutting down iptables everything works fine, so the root cause was clear quickly. At this time
my iptables looked like this:
Code:
```text
Chain INPUT (policy DROP)
num target prot opt source destination
1 ACCEPT tcp -- anywhere anywhere tcp spt:http dpts:1024:65535 flags:!FIN,SYN,RST,ACK/SYN state RELATED,ESTABLISHED
2 ACCEPT tcp -- anywhere anywhere ctstate RELATED,ESTABLISHED tcp dpts:1024:65535 flags:!FIN,SYN,RST,ACK/SYN
3 DROP tcp -- anywhere anywhere ctstate INVALID
4 ACCEPT all -- anywhere anywhere
5 ACCEPT tcp -- router anywhere tcp spt:domain
6 ACCEPT udp -- router anywhere udp spt:domain
7 REJECT icmp -- anywhere anywhere icmp echo-reply reject-with icmp-port-unreachable
8 ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
9 ACCEPT icmp -- anywhere anywhere icmp source-quench
10 ACCEPT icmp -- anywhere anywhere icmp time-exceeded
11 ACCEPT icmp -- anywhere anywhere icmp parameter-problem
12 DROP udp -- anywhere anywhere udp dpt:netbios-ns
13 DROP udp -- anywhere anywhere udp dpt:netbios-dgm
14 DROP tcp -- anywhere anywhere tcp dpt:netbios-ssn
15 LOG all -- anywhere anywhere LOG level warning
16 REJECT tcp -- anywhere anywhere tcp dpt:auth flags:FIN,SYN,RST,ACK/SYN reject-with tcp-reset
17 DROP all -- anywhere anywhere
18 LOG tcp -- anywhere anywhere tcp dpt:http limit: avg 3/min burst 5 LOG level info prefix "Apache Access"
19 LOG tcp -- anywhere anywhere tcp dpt:http limit: avg 3/min burst 5 LOG level info prefix "Apache Access"
20 ACCEPT tcp -- 192.168.0.0/24 192.168.0.0/24 tcp dpt:nfs
Chain FORWARD (policy DROP)
num target prot opt source destination
1 ACCEPT tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 1/sec burst 5
2 ACCEPT tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5
3 ACCEPT icmp -- anywhere anywhere icmp echo-request limit: avg 1/sec burst 5
Chain OUTPUT (policy DROP)
num target prot opt source destination
1 ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:http state NEW,RELATED,ESTABLISHED
2 ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535
3 ACCEPT all -- anywhere anywhere
4 ACCEPT udp -- anywhere anywhere udp spts:1024:65535 dpt:domain
5 ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:domain
6 ACCEPT icmp -- anywhere anywhere icmp echo-request
7 ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
8 LOG all -- anywhere anywhere LOG level warning
9 REJECT tcp -- anywhere anywhere reject-with tcp-reset
10 REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
11 DROP all -- anywhere anywhere
12 ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:ftp
13 ACCEPT tcp -- 192.168.0.0/24 192.168.0.0/24 tcp dpt:nfs
```
Searching for trouble between NFS and iptables you'll find a lot of sites with more or less the same
problems. NFSv4 needs TCP port 2049 only; however, rpcbind will be installed too and offers ports for NFSv2/3.
iptables processes rules sequentially, starting at the top. When I started with iptables years ago, my scripts had three
lines at the end (they reject everything that was not allowed earlier):
Code:
```shell
iptables -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
iptables -A OUTPUT -j DROP
```
But over the years my script changed a bit, mainly for security improvements, and I didn't notice that these
three lines belong at the end because of the sequential processing of iptables. So I added the new lines
after the three lines mentioned above. In the end my new lines had no effect at all, even though
iptables -L shows them. But once everything is rejected, you can't bring new rules into effect by merely appending
them.
Having spotted and fixed that, my iptables now looks like this (don't be afraid of some minor diffs in style):
Code:
```text
Chain INPUT (policy DROP)
num target prot opt source destination
1 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:80 dpts:1024:65535 flags:!0x17/0x02 state RELATED,ESTABLISHED
2 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED tcp dpts:1024:65535 flags:!0x17/0x02
3 DROP tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
4 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
5 ACCEPT tcp -- 192.168.0.1 0.0.0.0/0 tcp spt:53
6 ACCEPT udp -- 192.168.0.1 0.0.0.0/0 udp spt:53
11 REJECT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 0 reject-with icmp-port-unreachable
12 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 3
13 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 4
14 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 11
15 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 12
16 DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:137
17 DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:138
18 DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:139
19 LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4
20 REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:113 flags:0x17/0x02 reject-with tcp-reset
21 LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 limit: avg 3/min burst 5 LOG flags 0 level 6 prefix "Apache Access"
22 LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 limit: avg 3/min burst 5 LOG flags 0 level 6 prefix "Apache Access"
23 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:2049 state ESTABLISHED
Chain FORWARD (policy DROP)
num target prot opt source destination
1 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02 limit: avg 1/sec burst 5
2 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04 limit: avg 1/sec burst 5
3 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8 limit: avg 1/sec burst 5
Chain OUTPUT (policy DROP)
num target prot opt source destination
1 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:80 state NEW,RELATED,ESTABLISHED
2 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535
3 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
4 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spts:1024:65535 dpt:53
5 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:53
6 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8
7 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 3
8 LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4
9 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:21
10 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2049 state NEW,RELATED,ESTABLISHED
11 REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
12 REJECT udp -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
```
So it's not a special NFS problem at all, but a 'pure' iptables problem. Hopefully this will help somebody.
Greetings, rogge
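The ordering trap rogge describes can be caught mechanically. What follows is an added example, not part of the post above: a small Python lint that walks `iptables -S` output chain by chain, in the order iptables evaluates it, and flags every rule that sits behind an earlier catch-all REJECT/DROP/ACCEPT (a jump with no match criteria beyond an optional `-p`), because such a rule is listed but can never match. The two rule dumps inside it are constructed for the example and only modelled on the post's OUTPUT chain before and after the fix; they are not the author's real dump. The `-S` form is used rather than `-L` because plain `-L` (without `-v`) hides `-i`/`-o` interface matches, so a line like the post's `ACCEPT all -- anywhere anywhere` cannot be told apart from a true catch-all in that listing.

```python
"""Lint `iptables -S` output for rules that can never match because an earlier
rule in the same chain is a catch-all terminal rule: a jump to ACCEPT, DROP or
REJECT with no match criteria beyond an optional -p. Rules appended after such
a line still show up in `iptables -L` but are never reached."""
import sys
import shlex
from dataclasses import dataclass

TERMINAL_TARGETS = {"ACCEPT", "DROP", "REJECT"}

# Constructed sample (not the post's real dump) in `iptables -S` form, modelled
# on the post's original OUTPUT chain: the three catch-all lines from the old
# script come first and the FTP and NFS rules were appended after them.
BROKEN_RULES = """\
-P OUTPUT DROP
-A OUTPUT -p udp -m udp --sport 1024:65535 --dport 53 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j LOG --log-level 4
-A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -j DROP
-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 21 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 2049 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
"""

# The same chain with the FTP and NFS rules moved in front of the catch-alls,
# as in the post's fixed listing, and the unreachable trailing DROP removed.
FIXED_RULES = """\
-P OUTPUT DROP
-A OUTPUT -p udp -m udp --sport 1024:65535 --dport 53 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j LOG --log-level 4
-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 21 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 2049 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
"""


@dataclass
class Rule:
    chain: str
    proto: str          # "all" when the rule carries no -p
    target: str
    has_matches: bool   # any match besides -p: -i/-o, -s/-d, ports, state, ...
    line: str
    position: int = 0   # 1-based position in its chain, as -L --line-numbers shows


def parse_rule(line: str):
    """Parse one `-A CHAIN <matches> -j TARGET <target options>` line.
    Policy (-P) and chain (-N) lines and rules without a target give None."""
    toks = shlex.split(line)
    if len(toks) < 4 or toks[0] != "-A" or "-j" not in toks:
        return None
    j = toks.index("-j")
    proto, rest, k = "all", [], 2
    while k < j:                      # only tokens before -j are match criteria
        if toks[k] in ("-p", "--protocol") and k + 1 < j:
            proto = toks[k + 1].lower()
            k += 2
        else:
            rest.append(toks[k])      # anything else narrows the rule
            k += 1
    return Rule(chain=toks[1], proto=proto, target=toks[j + 1],
                has_matches=bool(rest), line=line)


def find_shadowed(rules_text: str):
    """Walk each chain top to bottom, the order iptables evaluates it, and
    return (shadowed_rule, blocking_rule) pairs. A catch-all terminal rule
    blocks every later rule for its protocol; a catch-all without -p blocks
    everything that follows it."""
    positions, blockers, shadowed = {}, {}, []
    for raw in rules_text.splitlines():
        rule = parse_rule(raw.strip())
        if rule is None:
            continue
        positions[rule.chain] = positions.get(rule.chain, 0) + 1
        rule.position = positions[rule.chain]
        chain_blockers = blockers.setdefault(rule.chain, [])
        blocker = next((b for b in chain_blockers
                        if b.proto in ("all", rule.proto)), None)
        if blocker is not None:
            shadowed.append((rule, blocker))   # unreachable, so it blocks nothing itself
        elif rule.target in TERMINAL_TARGETS and not rule.has_matches:
            chain_blockers.append(rule)
    return shadowed


def report(rules_text: str):
    """One finding per shadowed rule, naming the rule that makes it unreachable."""
    return [f"{r.chain} rule {r.position} never matches ({r.line}): "
            f"shadowed by rule {b.position} ({b.line})"
            for r, b in find_shadowed(rules_text)]


if __name__ == "__main__":
    # With a file argument (e.g. saved from `iptables -S`) lint that file;
    # otherwise show the constructed before/after samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            samples = [(sys.argv[1], fh.read())]
    else:
        samples = [("before", BROKEN_RULES), ("after", FIXED_RULES)]
    for label, text in samples:
        findings = report(text)
        print(f"{label}: {len(findings)} shadowed rule(s)")
        for finding in findings:
            print("  " + finding)
```

On the constructed "before" chain the lint reports three unreachable rules: the trailing DROP (already covered by the unconditional REJECT in front of it), the FTP ACCEPT and the NFS ACCEPT, both behind the `-p tcp -j REJECT` line; on the "after" chain it reports none. The check is deliberately conservative: any match besides `-p` (including a bare `-m tcp`) stops a rule from counting as a catch-all, so it finds the appended-after-reject mistake without second-guessing rules that are narrowed in ways the parser does not model.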