can't get past iptables with NFS

I'm having trouble getting past iptables in a NFS setup. The NFS server iptable has the following rules:

-A INPUT -p tcp --dport 111 -j ACCEPT
-A INPUT -p udp --dport 111 -j ACCEPT
-A INPUT -p tcp --dport 2049 -j ACCEPT
-A INPUT -p udp --dport 2049 -j ACCEPT

My understanding is this should open the ports to my client machine, but it's not happening. If I comment out the last deny rule below I have no problem mounting from the client:

-A INPUT -j REJECT

With the above uncommented in the server iptable, I'm blocked. Obviously my 'accept' rules are incorrect. Any suggestions would be greatly appreciated.

Thanks,

4 Replies

Only a guess, but doesn't having the REJECT last override all the ACCEPT lines? (assumes you have it in this order)

REJECT first then ACCEPT and see if that works.

I checked the daemon log and it appears that when the client mount was working, the port that was used was essentially random. Reading elsewhere, this appears to be common with NFS and consequently a problem connecting through iptables. Even locking the port in the nfs-kernel-server configuration didn't help. So I changed the iptables port to a wide range and set the connection to just my client's private ip, and it works now.

Thanks.

@cap:

> I checked the daemon log and it appears that when the client mount was working, the port that was used was essentially random. Reading elsewhere, this appears to be common with NFS and consequently a problem connecting through iptables. Even locking the port in the nfs-kernel-server configuration didn't help. So I changed the iptables port to a wide range and set the connection to just my client's private ip, and it works now.
>
> Thanks.

Yes. This is the function of the RPC mechanism. Lock down the RPC server to just the source IPs that you need – RPC is a favorite target.

I was able to get all of NFS's daemons to lock to one port using configuration options in /etc/defaults (Ubuntu), but not for NFSv4 -- just NFSv3.
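The two replies above boil down to one rule set: allow the NFS ports only from the client's source address, keep the REJECT last, and (for NFSv3) also allow whatever ports mountd/statd/lockd were pinned to. The script below is an added example, not code posted by anyone in the thread. Ports 111 and 2049 come from the original post; the client address 192.0.2.10 and the pinned NFSv3 port range 32765-32769 are constructed assumptions, so adjust them to match your own nfs-kernel-server settings. It prints the rules rather than applying them, so they can be reviewed and then fed to iptables-restore or run through iptables.

```shell
#!/bin/sh
# Added example (not from the thread): emit iptables INPUT rules that allow
# NFS only from a single client address, with the catch-all REJECT last.
set -eu

# Constructed sample client address; replace with your client's private IP.
CLIENT_IP="${1:-192.0.2.10}"

# Print the rule set for one client. Nothing is applied here.
nfs_rules() {
    client="$1"
    # Portmapper (111) and nfsd (2049) are the ports from the original post.
    # NFSv4 needs only 2049/tcp; NFSv3 also needs 111 plus the auxiliary daemons.
    for port in 111 2049; do
        echo "-A INPUT -s ${client}/32 -p tcp --dport ${port} -j ACCEPT"
        echo "-A INPUT -s ${client}/32 -p udp --dport ${port} -j ACCEPT"
    done
    # Assumed range for mountd/statd/lockd after pinning them (NFSv3 only).
    # Without pinning, these are chosen at random by RPC and cannot be listed.
    echo "-A INPUT -s ${client}/32 -p tcp --dport 32765:32769 -j ACCEPT"
    echo "-A INPUT -s ${client}/32 -p udp --dport 32765:32769 -j ACCEPT"
    # Return traffic for connections the server initiated, then drop the rest.
    echo "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "-A INPUT -j REJECT"
}

# Sanity check for the ordering concern in the first reply: every ACCEPT
# must come before the first REJECT, otherwise it never matches.
reject_is_last() {
    last_accept=$(printf '%s\n' "$1" | grep -n -- '-j ACCEPT' | tail -n 1 | cut -d: -f1)
    first_reject=$(printf '%s\n' "$1" | grep -n -- '-j REJECT' | head -n 1 | cut -d: -f1)
    [ -n "$first_reject" ] && [ "$last_accept" -lt "$first_reject" ]
}

# Usage: sh nfs-rules.sh 192.0.2.10 > nfs.rules ; then review before loading.
rules=$(nfs_rules "$CLIENT_IP")
reject_is_last "$rules" || { echo "REJECT is not last" >&2; exit 1; }
printf '%s\n' "$rules"
```

The `-s ${client}/32` match is what turns the original post's open ports into something only the one client can reach; with it in place, even the unpinned RPC ports are only exposed to that address, which is the compromise the original poster settled on.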

@cap:

> So I changed the iptables port to a wide range and set the connection to just my client's private ip, and it works now.

Another option (if you're essentially locking things down to a specific client) is to set up a VPN, such as OpenVPN, from the client, and then let any VPN tunnel traffic through in general on the server side.

That way, you have a single client-side step of establishing the VPN, and after that you have full access to your server without requiring any further fiddling with any filters.

– David
