nfs issue...

bruce bedouglas at earthlink.net
Fri Jul 2 03:50:43 UTC 2004


pete...

thanks for the input... i have the following /etc/sysconfig/iptables file


# Firewall configuration written by lokkit
# Manual customization of this file is not recommended.
# Note: ifup-post will punch the current nameservers through the
#       firewall; such entries will *not* be listed here.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 21 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 25 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:1023 -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 6000:6009 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 7100 --syn -j REJECT
COMMIT

but i'm leery of making changes to it directly, as some other app might
override the changes... is there some way of me determining if there is
some app that i should be modifying/looking for, which would create this
file...

thanks...

bruce


-----Original Message-----
From: Pete Nesbitt [mailto:pete at linux1.ca]
Sent: Thursday, July 01, 2004 8:05 PM
To: bedouglas at earthlink.net; General Red Hat Linux discussion list
Subject: Re: nfs issue...


On July 1, 2004 06:43 pm, bruce wrote:
> got it...
>
> it was the iptables....
>
> now... how/what do i have to do to the iptables app to get it to
> run/coexist with nfs...
>
> a former "linux" admin had set things up..and he's nowhere to be found!!!
>
> thanks..
>
> -bruce
>


IPtables is controlled by the script /etc/init.d/iptables
The default setup is that the script uses the info in
/etc/sysconfig/iptables
to configure the rules. In many cases, /etc/init.d/iptables is replaced with
an all-in-one script or calls something that is more readable/editable.
The tool redhat-config-securitylevel writes to /etc/sysconfig/iptables.

If you just want to get nfs thru the server's firewall, make a backup copy of
/etc/sysconfig/iptables file (if it exists), then either use this as the
file, or append the 2 lines with "--dport 2049":

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

--
all I did was use the redhat-config-securitylevel tool to make a www (port 80)
hole, then edited the file to port 2049 plus duplicated for UDP (not sure if
it needs it).

This is not a very good way to build a firewall but it should poke nfs thru
the server's firewall, and if there are existing rules in place, you will need
to combine the old and new rules. On the other hand, if you want to write
your own rules, there is lots of information online (www.netfilter.org etc)
and lots of knowledgeable people on this list to help.

--
Pete Nesbitt, rhce
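Because iptables takes the first rule that matches, where the two "--dport 2049" ACCEPT lines land relative to the REJECT lines already in the lokkit-generated file decides what happens to NFS traffic. The block below is an added example, not code from the thread: a small first-match evaluator for iptables-save style files (the format of /etc/sysconfig/iptables), run over a constructed excerpt of the lokkit file with the two ACCEPT lines either appended at the end or inserted ahead of the REJECTs; re-pointing those lines at the lokkit chain name is an assumption of the example.

```python
def parse(text):
    """Split iptables-save text into {chain: policy} and {chain: [rule tokens]}."""
    policies, chains = {}, {}
    for line in text.splitlines():
        toks = line.split()
        if line.startswith(':'):              # ':NAME POLICY [pkts:bytes]'; '-' marks a user chain
            name = toks[0][1:]
            policies[name], chains[name] = toks[1], []
        elif line.startswith('-A '):          # '-A CHAIN <matches> -j TARGET'
            chains[toks[1]].append(toks[2:])
    return policies, chains

def opt(toks, flag):                          # value following `flag` in a rule, or None
    return toks[toks.index(flag) + 1] if flag in toks else None

def matches(toks, proto, dport):
    """Models -p, --dport (port or lo:hi range) and --state for a brand-new connection."""
    if opt(toks, '-p') not in (None, proto):
        return False
    lo, _, hi = (opt(toks, '--dport') or '0:65535').partition(':')
    states = opt(toks, '--state')
    return int(lo) <= dport <= int(hi or lo) and (states is None or 'NEW' in states.split(','))

def verdict(policies, chains, chain, proto, dport):
    """First-match walk: ACCEPT/REJECT/DROP, or None when a user chain falls through."""
    for toks in chains[chain]:
        if matches(toks, proto, dport):
            target = opt(toks, '-j')
            if target in chains:              # jump into a user-defined chain
                result = verdict(policies, chains, target, proto, dport)
                if result is not None:
                    return result
            elif target in ('ACCEPT', 'REJECT', 'DROP'):
                return target
    return None if policies[chain] == '-' else policies[chain]   # built-in chain: its policy

# Constructed excerpt of the lokkit-generated file (only the rules that matter here) and
# the two "--dport 2049" ACCEPT lines from the reply, re-pointed at the lokkit chain name.
CHAIN = 'RH-Lokkit-0-50-INPUT'
HEAD = [':INPUT ACCEPT [0:0]', f':{CHAIN} - [0:0]', f'-A INPUT -j {CHAIN}']
REJECTS = [f'-A {CHAIN} -p tcp -m tcp --dport 0:1023 --syn -j REJECT',
           f'-A {CHAIN} -p tcp -m tcp --dport 2049 --syn -j REJECT',
           f'-A {CHAIN} -p udp -m udp --dport 2049 -j REJECT']
NFS = [f'-A {CHAIN} -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT',
       f'-A {CHAIN} -m state --state NEW -m udp -p udp --dport 2049 -j ACCEPT']
APPENDED = '\n'.join(HEAD + REJECTS + NFS)    # "append the 2 lines" at the end of the file
INSERTED = '\n'.join(HEAD + NFS + REJECTS)    # the ACCEPTs placed ahead of the REJECTs

def nfs_verdict(text, proto):                 # what INPUT does to a new NFS (2049) packet
    return verdict(*parse(text), 'INPUT', proto, 2049)
```

Only -p, --dport and --state are modelled, so rules keyed on interface, ICMP type or other matches are treated as matching everything; NFSv2/v3 also rely on the portmapper (port 111) and the mountd/lockd ports, which neither file in the thread opens, and the same checker can be pointed at those ports.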