nfs issue...

bruce bedouglas at earthlink.net
Fri Jul 2 19:18:01 UTC 2004


pete....

ok.. it looks like i have it working for now...

but it appears that i'm going to have to make some changes to the
/etc/rc.d/init.d/nfs script. it appears that the associated processes for
nfs have ports that need to be accounted for in the iptables.

in particular the processes statd, mountd, quotad....

the iptables that i created for the nfs server is below...

i'm going to need to know how to modify the nfs script to lock the ports for
the processes down, as these processes apparently use random ports... but
i'm not sure how to make the changes to the nfs script...


currently used iptable for nfs server...
# Firewall configuration written by lokkit
# Manual customization of this file is not recommended.
# Note: ifup-post will punch the current nameservers through the
#       firewall; such entries will *not* be listed here.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 23 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -i eth0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -i eth1 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
###
### nfs related stuff...
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 32768:32770 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 32768:32770 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 111 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 111 -j ACCEPT

-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:1023 -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 6000:6009 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 7100 --syn -j REJECT
COMMIT



i've seen the following docs:
<<<<<<<<<<<<<<<<<<===========================>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
The other daemons, statd, mountd, lockd, and rquotad, will normally move
around to the first available port they are informed of by the portmapper.

To force statd to bind to a particular port, use the -p portnum option. To
force statd to respond on a particular port, additionally use the -o portnum
option when starting it.

(ok... but how do i find the process that starts the statd process. is this
the /etc/rc.d/init.d/nfs script?????? )

To force mountd to bind to a particular port use the -p portnum option.

For example, to have statd broadcast of port 32765 and listen on port 32766,
and mountd listen on port 32767, you would type:

# statd -p 32765 -o 32766
# mountd -p 32767


lockd is started by the kernel when it is needed. Therefore you need to pass
module options (if you have it built as a module) or kernel options to force
lockd to listen and respond only on certain ports.

If you are using loadable modules and you would like to specify these
options in your /etc/modules.conf file add a line like this to the file:

options lockd nlm_udpport=32768 nlm_tcpport=32768


The above line would specify the udp and tcp port for lockd to be 32768.

If you are not using loadable modules or if you have compiled lockd into the
kernel instead of building it as a module then you will need to pass it an
option on the kernel boot line.

It should look something like this:

 vmlinuz 3 root=/dev/hda1 lockd.udpport=32768 lockd.tcpport=32768


The port numbers do not have to match but it would simply add unnecessary
confusion if they didn't.
<<<<<<<<<<<<<<<<<<===========================>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

my copy of the /etc.../nfs script doesn't have "statd"... should i add it???
also, how do i know if i'm using "loadable modules", or if the kernel had
lockd compiled... and if i do need to pass the options in as boot
parameters, where/how would i do this... what file would i have to
edit...?????


-----Original Message-----
From: redhat-list-bounces at redhat.com
[mailto:redhat-list-bounces at redhat.com]On Behalf Of Pete Nesbitt
Sent: Friday, July 02, 2004 11:15 AM
To: bedouglas at earthlink.net; General Red Hat Linux discussion list
Subject: Re: nfs issue...


On July 2, 2004 09:51 am, bruce wrote:
> pete....
>
> arrgghhhh... something's going wrong again.......
>
> i rebooted the server.... and restarted nfs, and the required processes...
>
> without iptables running on the client/server.. i can connect from the
> client to the server.
>
> when i enable iptables on the server, the client no longer connects... i
> get:
>
> mount: RPC: Remote system error - Connection refused
>
> the iptables for the server is what we used last night...
>
> # Firewall configuration written by lokkit
> # Manual customization of this file is not recommended.
> # Note: ifup-post will punch the current nameservers through the
> #       firewall; such entries will *not* be listed here.
> *filter
>
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :RH-Lokkit-0-50-INPUT - [0:0]
>
> -A INPUT -j RH-Lokkit-0-50-INPUT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 23 --syn -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -i eth0 -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -i eth1 -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 --syn -j REJECT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 --syn -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:1023 -j REJECT
> -A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 6000:6009 --syn -j REJECT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 7100 --syn -j REJECT
> COMMIT
>


Bruce,
Is iptables stopped on the client?
Can you post the output of 'service iptables status' from the server?

On the client, with iptables stopped, its "service iptables status" should be
"Firewall is stopped."

--
Pete Nesbitt, rhce


--
redhat-list mailing list
unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
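The two halves of Bruce's question (pin statd, mountd and lockd to known ports, then open exactly those ports in iptables) are easy to get out of sync: a daemon that silently lands on a different port is exactly the "Connection refused" he is seeing. The script below is an added example, not code from the thread or from Red Hat's nfs init script. It reads `rpcinfo -p` output and reports every NFS service that is not registered on the port the firewall expects, then prints the iptables-restore lines for the same pinned ports in the `RH-Lokkit-0-50-INPUT` chain from the posted configuration. The port numbers are the ones used in the quoted HOWTO text; the variable names (`STATD_PORT`, `MOUNTD_PORT`, `LOCKD_PORT`) are hypothetical, not a real `/etc/sysconfig/nfs` schema, and the embedded `rpcinfo -p` sample is constructed, with `nlockmgr/tcp` deliberately on the wrong port so the audit has something to show.

```shell
#!/bin/sh
# Added example (not from the list thread): verify that the NFS helper
# daemons actually sit on the ports the firewall allows, and emit the
# matching iptables ACCEPT rules from one set of pinned port numbers.
# Port values are the ones in the quoted HOWTO text; the variable names
# are hypothetical, not a real /etc/sysconfig/nfs schema.

STATD_PORT=32765
MOUNTD_PORT=32767
LOCKD_PORT=32768
CHAIN=RH-Lokkit-0-50-INPUT

# Constructed sample of `rpcinfo -p` output (not captured from a real host).
# nlockmgr/tcp is deliberately on the wrong port so the audit reports it.
SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  32765  status
    100024    1   tcp  32765  status
    100005    1   udp  32767  mountd
    100005    1   tcp  32767  mountd
    100003    2   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100021    1   udp  32768  nlockmgr
    100021    1   tcp  32770  nlockmgr'

# rpc_ports SERVICE PROTO: print the distinct ports SERVICE is registered
# on for PROTO, reading rpcinfo -p text from stdin.
rpc_ports() {
    awk -v svc="$1" -v proto="$2" '$5 == svc && $3 == proto { print $4 }' | sort -u
}

# check_pinned SERVICE PROTO EXPECTED: succeed only if SERVICE is registered
# over PROTO and every such registration is on EXPECTED (stdin = rpcinfo -p).
check_pinned() {
    got=$(rpc_ports "$1" "$2")
    [ -n "$got" ] && [ "$got" = "$3" ]
}

# audit_nfs_ports: check every service the firewall must allow, print one
# line per mismatch, and return the number of mismatches (0 = clean).
audit_nfs_ports() {
    text=$(cat)
    bad=0
    for spec in "portmapper 111" "nfs 2049" "status $STATD_PORT" \
                "mountd $MOUNTD_PORT" "nlockmgr $LOCKD_PORT"; do
        set -- $spec
        for proto in tcp udp; do
            if ! printf '%s\n' "$text" | check_pinned "$1" "$proto" "$2"; then
                echo "MISMATCH: $1/$proto expected $2, registered on:" \
                     "$(printf '%s\n' "$text" | rpc_ports "$1" "$proto" | tr '\n' ' ')"
                bad=$((bad + 1))
            fi
        done
    done
    return $bad
}

# nfs_rules: print iptables-restore lines that open exactly the pinned
# ports (tcp and udp) in the chain lokkit uses on this box.
nfs_rules() {
    for port in 111 2049 $STATD_PORT $MOUNTD_PORT $LOCKD_PORT; do
        for proto in tcp udp; do
            echo "-A $CHAIN -p $proto -m $proto --dport $port -j ACCEPT"
        done
    done
}

# Stand-alone run over the constructed sample. On a live server you would
# pipe in the real registrations instead:  rpcinfo -p | audit_nfs_ports
printf '%s\n' "$SAMPLE_RPCINFO" | audit_nfs_ports && rc=0 || rc=$?
echo "mismatches: $rc"
nfs_rules
```

Run the audit after every restart of the nfs service (and after a kernel or module change, since lockd takes its ports from `nlm_udpport`/`nlm_tcpport`), and only load the emitted rules once it reports zero mismatches; a service that has drifted to a random port shows up as a `MISMATCH` line before the firewall turns it into a refused mount.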




