nfs issue...

bruce bedouglas at earthlink.net
Fri Jul 2 16:51:12 UTC 2004


pete....

arrgghhhh... something's going wrong again.......

i rebooted the server.... and restarted nfs, and the required processes...

without iptables running on the client/server.. i can connect from the
client to the server.

when i enable iptables on the server, the client no longer connects... i
get:

mount: RPC: Remote system error - Connection refused

the iptables for the server is what we used last night...

# Firewall configuration written by lokkit
# Manual customization of this file is not recommended.
# Note: ifup-post will punch the current nameservers through the
#       firewall; such entries will *not* be listed here.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 23 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -i eth0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -i eth1 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:1023 -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 6000:6009 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 7100 --syn -j REJECT
COMMIT



-----Original Message-----
From: Pete Nesbitt [mailto:pete at linux1.ca]
Sent: Thursday, July 01, 2004 11:01 PM
To: bedouglas at earthlink.net
Subject: Re: nfs issue...


On July 1, 2004 10:38 pm, you wrote:
> we have success!!!!!!!!
>
> or at least i now have something in iptables running as both
> client/server..and i have an nfs server running....


I'm glad it's working!
But I would be curious to know what you ended up with.


>
> yeah.. i know... i'm going to have to have someone that knows the linux
> security issues onboard with this...
>
> thanks for your time/assistance... i'm calling it a night for this issue
> for now...
>
> -bruce
>
> ps.. if you're curious, i'm part of a small team, and we're putting
> together a startup... right now we're starting to create a focused crawler
> to parse university/college sites... so we're going to have a "master" app
> that communicates with the clients... on different machines, dealing with
> data on a test/shared drive...
>
> oh.. just thought of another issue... in setting up a mysql server, to be
> used by remote clients, we're going to go through this again, aren't
> we..????
>
> arrgghh!!!
>


Yup, lots of fun:)
you may want to run a 2 or 3 node linux box for a frontend firewall to direct
traffic at the edge of your network protecting mysql and others which could
have their own local firewalls as well.

--
Pete Nesbitt, rhce
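The "RPC: Remote system error - Connection refused" that mount reports above is what the client sees when it cannot reach the portmapper on the server (111/tcp, with 111/udp used as well); mount asks the portmapper where mountd lives before it ever talks to nfsd on 2049. In the posted lokkit ruleset the two "--dport 0:1023 ... -j REJECT" rules sit before anything that would accept port 111, and iptables is first-match, so the 2049 ACCEPT lines never get a chance to matter for the initial RPC. The following is an added example, not code from the thread: a small first-match simulator that parses the ruleset exactly as posted (embedded as constructed input), walks the INPUT chain into the RH-Lokkit user chain the way the kernel does, and reports the verdict for the ports an NFSv3 mount needs. It also evaluates an assumed fix that accepts 111 and a pinned mountd port before the REJECT lines; the mountd port 892 is an assumption (on Red Hat it would be set with MOUNTD_PORT in /etc/sysconfig/nfs), as is the unpinned high port 32768 used to show what happens when mountd picks its own port.

```python
"""First-match simulation of the lokkit INPUT ruleset posted above (added example).

The page's rules are embedded verbatim as constructed input.  The simulator
honours the parts of iptables semantics that decide this case: rules are
tried in order, the first terminating target wins, a user chain that runs
out of rules returns to its caller, and the built-in chain's policy applies
when nothing matched.
"""

ORIGINAL = """
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 23 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -i eth0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -i eth1 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:1023 -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 6000:6009 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 7100 --syn -j REJECT
COMMIT
"""

# Assumed fix (not from the thread): accept the portmapper and a pinned mountd
# port *before* the 0:1023 REJECT rules.  892 is an assumption; it must match
# MOUNTD_PORT in /etc/sysconfig/nfs for this to work on a real server.
EXTRA = """
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 111 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 111 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 892 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 892 -j ACCEPT
"""
LO_RULE = "-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT\n"
FIXED = ORIGINAL.replace(LO_RULE, LO_RULE + EXTRA.strip() + "\n")

TWO_ARG = {"-p": "proto", "-i": "iface", "-j": "target"}


def _port_range(spec):
    """'111' -> (111, 111); '0:1023' -> (0, 1023)."""
    lo, _, hi = spec.partition(":")
    return int(lo), int(hi or lo)


def parse(text):
    """Return (policies, rules) from iptables-save syntax.

    policies[chain] is 'ACCEPT'/'DROP' for built-in chains and None for a
    user-defined chain (declared with '-'), which implicitly RETURNs.
    """
    policies, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = None if policy == "-" else policy
        elif line.startswith("-A "):
            tok = line.split()
            rule = {"chain": tok[1], "proto": None, "iface": None, "syn": False,
                    "sport": None, "dport": None, "target": None}
            i = 2
            while i < len(tok):
                t = tok[i]
                if t in TWO_ARG:
                    rule[TWO_ARG[t]] = tok[i + 1]
                    i += 2
                elif t in ("--dport", "--sport"):
                    rule[t[2:]] = _port_range(tok[i + 1])
                    i += 2
                elif t == "--syn":
                    rule["syn"] = True
                    i += 1
                elif t in ("-m", "-s", "-d"):
                    i += 2  # match module load / 0/0 addresses: no effect on the verdict
                else:
                    raise ValueError("unsupported token %r" % t)
            rules.append(rule)
    return policies, rules


def matches(rule, pkt):
    """Does this rule's selector match the packet?"""
    if rule["proto"] and rule["proto"] != pkt["proto"]:
        return False
    if rule["iface"] and rule["iface"] != pkt["iface"]:
        return False
    if rule["syn"] and not (pkt["proto"] == "tcp" and pkt["syn"]):
        return False
    for key in ("sport", "dport"):
        if rule[key] and not rule[key][0] <= pkt[key] <= rule[key][1]:
            return False
    return True


def verdict(policies, rules, pkt, chain="INPUT"):
    """First-match walk of `chain`; returns 'ACCEPT', 'REJECT', 'DROP' or None (RETURN)."""
    for rule in rules:
        if rule["chain"] != chain or not matches(rule, pkt):
            continue
        if rule["target"] in ("ACCEPT", "DROP", "REJECT"):
            return rule["target"]
        sub = verdict(policies, rules, pkt, rule["target"])  # jump into a user chain
        if sub is not None:
            return sub
    return policies.get(chain)  # built-in policy, or None for a user chain


def packet(proto, dport, iface="eth0", sport=40000):
    """A constructed new inbound connection/datagram from an NFS client."""
    return {"proto": proto, "sport": sport, "dport": dport, "iface": iface, "syn": True}


NFS_PORTS = {
    "portmap/tcp": ("tcp", 111),
    "portmap/udp": ("udp", 111),
    "nfsd/tcp": ("tcp", 2049),
    "nfsd/udp": ("udp", 2049),
    "mountd/tcp pinned (892, assumed)": ("tcp", 892),
    "mountd/tcp unpinned (32768, assumed)": ("tcp", 32768),
}


def nfs_verdicts(ruleset_text):
    """Verdict for each NFS-related port under the given ruleset."""
    policies, rules = parse(ruleset_text)
    return {name: verdict(policies, rules, packet(p, d)) for name, (p, d) in NFS_PORTS.items()}


if __name__ == "__main__":
    for label, text in (("original", ORIGINAL), ("fixed", FIXED)):
        print(label)
        for name, v in nfs_verdicts(text).items():
            print("  %-40s %s" % (name, v))
```

Running it shows that under the posted rules 111/tcp and 111/udp are REJECTed (hence "Connection refused" rather than a hang, since REJECT answers with an ICMP error) while 2049 is accepted, so the mount dies at the portmapper step. It also shows the other property of this lokkit ruleset worth knowing: INPUT's policy is ACCEPT and only 0:1023, 6000:6009 and 7100 are rejected, so an unpinned mountd, statd or lockd that lands on a high port is reachable by anyone; pinning those daemons to fixed ports and accepting only those, rather than relying on the permissive default, is the better shape for the server-side rules.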





More information about the redhat-list mailing list