[ale] NFS and security (long)
Jeff Martin
jeff at xipe.net
Sat Aug 14 22:51:12 EDT 1999
Hello,
We have a Linux firewall (using IPmasq for the internal machines), and we
would like to use NFS to mount remote drives for streaming video.
The server is RedHat 6 | 2.2.5 kerneld, using ipchains, not ipfwadm.
This is the script in development for mounting these drives -- since we may
not want to mount them on boot, although if we did, I thought a command from
the rc.local would work well.
Please forgive my naiveté when it comes to NFS. I have never had the need to
use it :) Tell me what you think. I haven't set the portmap in hosts.access
yet; the references I found were very cryptic as to what to do and what to
add.
- Jeff
This is the ACCEPT we use for NFS in the ipchains (masquerade) script:
(I thought to snip this one down--it's a bit long. I can post the whole
thing if you would like)
# External (Internet-facing) interface; LOCALNET below is derived from it
LOCALIF="eth0"
# Internal (masqueraded) network, as a network address: 192.168.1.0/25 covers .0 through .127
INTERNALNET="192.168.1.0/25"
# --------------------------- Variable definition -
#
# Set the location of ipchains.
IPCHAINS="/sbin/ipchains"
LOCALIP=`ifconfig $LOCALIF | grep inet | cut -d : -f 2 | cut -d \ -f 1`
LOCALMASK=`ifconfig $LOCALIF | grep Mask | cut -d : -f 4`
LOCALNET="$LOCALIP/$LOCALMASK"
echo "Internal: $INTERNALNET"
echo "External: $LOCALNET"
REMOTENET="0/0"
# ---------------------- Flush everything, start from scratch -
echo -n "Flushing rulesets.."
# Incoming packets from the outside network
$IPCHAINS -F input
echo -n "."
# Outgoing packets from the internal network
$IPCHAINS -F output
echo -n "."
# Forwarding/masquerading
$IPCHAINS -F forward
echo -n "."
echo "Done!"
# -------------- Allow all connections within the network -
echo -n "Internal.."
#$IPCHAINS -A input -s $INTERNALNET -d $INTERNALNET -j ACCEPT
#$IPCHAINS -A output -s $INTERNALNET -d $INTERNALNET -j ACCEPT
echo -n ".."
echo "Done!"
# ------------------------------- Allow loopback interface -
echo -n "Loopback.."
$IPCHAINS -A input -i lo -s 0/0 -d 0/0 -j ACCEPT
$IPCHAINS -A output -i lo -s 0/0 -d 0/0 -j ACCEPT
echo -n ".."
echo "Done!"
# ------------------------------------------ Masquerading -
echo -n "Masquerading.."
# don't masquerade internal-internal traffic
$IPCHAINS -A forward -s $INTERNALNET -d $INTERNALNET -j ACCEPT
echo -n "."
# don't Masquerade external interface direct
$IPCHAINS -A forward -s $LOCALNET -d $REMOTENET -j ACCEPT
echo -n "."
# masquerade all internal IP's going outside
$IPCHAINS -A forward -s $INTERNALNET -d $REMOTENET -j MASQ
echo -n "."
# set Default rule on MASQ chain to Deny
$IPCHAINS -P forward DENY
echo -n "."
# --------- Allow all connections from the network to the outside -
# Anti-spoofing: a packet carrying an internal source address can never
# legitimately arrive on the external interface; log and drop it before the
# accept below, which otherwise trusts the source address on any interface.
$IPCHAINS -A input -i $LOCALIF -s $INTERNALNET -j DENY -l
$IPCHAINS -A input -s $INTERNALNET -d $REMOTENET -j ACCEPT
$IPCHAINS -A output -s $INTERNALNET -d $REMOTENET -j ACCEPT
echo -n ".."
echo "Done!"
<snip>
# Network File System
# This box is the NFS client. Do not write "-s $REMOTENET -d $LOCALNET 2049 -j ACCEPT":
# that opens this host's own port 2049 to every address on the Internet and still
# does not let the server's answers back in. ipchains keeps no connection state,
# so a reply is matched by the server's address and the *source* port of the
# daemon that sent it: portmap answers from 111 and nfsd from 2049. rpc.mountd
# gets its port from portmap at start-up, so look it up with "rpcinfo -p $NFSSERVER"
# and add a matching rule. Only UDP is needed unless you mount with -o tcp.
NFSSERVER="aaa.bbb.ccc.ddd"   # the NFS server, same placeholder as in the mount script
$IPCHAINS -A input -i $LOCALIF -p udp -s $NFSSERVER 111 -d $LOCALNET -j ACCEPT
$IPCHAINS -A input -i $LOCALIF -p udp -s $NFSSERVER 2049 -d $LOCALNET -j ACCEPT
echo -n "."
<snip>
$IPCHAINS -A input -j DENY
$IPCHAINS -A output -j ACCEPT
echo ""
echo "Finished Establishing Firewall."
This is the script for the NFS:
#!/bin/sh
#
# NFS multiple mounting script v1.0
#
echo -n "Start mounting NFS.."
echo "..."
# Use the host:dir format that NFS likes
REMOTE1="localhost:/tmp"
REMOTE2="aaa.bbb.ccc.ddd:dir"
REMOTE3="aaa.bbb.ccc.ddd:dir"
REMOTE4="aaa.bbb.ccc.ddd:dir"
REMOTE5="aaa.bbb.ccc.ddd:dir"
REMOTE6="aaa.bbb.ccc.ddd:dir"
#
# ------------------------ Location of mount points for remotes -
# Where you want the NFS mount -
LOCAL1="/mnt/remote1"
LOCAL2="/mnt/remote2"
LOCAL3="/mnt/remote3"
LOCAL4="/mnt/remote4"
LOCAL5="/mnt/remote5"
LOCAL6="/mnt/remote6"
# ------------------------ PACKET SIZE (according to the kernel) -
PSIZE="1024"
# 1024 is the default size, unless otherwise set in the kerneld
# Change this to your determined size.
#
# nosuid and nodev keep set-uid binaries and device nodes on a remote export
# from meaning anything on this host; the server should root_squash as well.
OPTS="rsize=$PSIZE,wsize=$PSIZE,nosuid,nodev"
##########################################
# This mounts the network file system
# do_nfs_mount N REMOTE LOCAL: mount REMOTE on LOCAL and report success only
# when mount itself returned 0, so a hung or refused mount is not hidden.
do_nfs_mount() {
    echo -n "$1. "
    if mount -t nfs -o "$OPTS" "$2" "$3"; then
        echo "$2 on $3 Done!"
    else
        echo "$2 on $3 FAILED (mount exit status $?)"
    fi
}
echo " "
do_nfs_mount 1 "$REMOTE1" "$LOCAL1"
# Mounts 2-6 stay disabled until the placeholder host:dir values are filled in.
# do_nfs_mount 2 "$REMOTE2" "$LOCAL2"
# do_nfs_mount 3 "$REMOTE3" "$LOCAL3"
# do_nfs_mount 4 "$REMOTE4" "$LOCAL4"
# do_nfs_mount 5 "$REMOTE5" "$LOCAL5"
# do_nfs_mount 6 "$REMOTE6" "$LOCAL6"
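Since the firewall is the NFS client, the rules it needs are the ones that let the server's answers back in, plus something that keeps strangers away from its own portmapper. The script below is an added example and is not code from Jeff's post: it pulls rpc.mountd's port out of a constructed "rpcinfo -p" listing, prints the ipchains input rules for a stateless firewall, and prints the hosts.allow/hosts.deny lines for portmap. The listing, the server address 192.0.2.10 and the interface name eth0 are all placeholders.

```shell
#!/bin/sh
# Added example; not from the original post. Builds the ipchains rules a
# stateless firewall that is itself the NFS client needs so the server's
# replies get back in, and the tcp_wrappers lines for portmap.
# Assumptions: the rpcinfo listing is constructed, 192.0.2.10 stands in for
# the NFS server and eth0 for the external interface.

# Constructed "rpcinfo -p SERVER" listing (columns: program vers proto port service).
RPCINFO_SAMPLE='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp    635  mountd
    100005    1   tcp    637  mountd
    100003    2   udp   2049  nfs'

# mountd_port_from_rpcinfo PROTO   (rpcinfo -p output on stdin)
# rpc.mountd takes whatever port portmap hands it when it starts, so its port
# cannot be written into the firewall script ahead of time; read it from the
# server's listing instead.
mountd_port_from_rpcinfo() {
    awk -v proto="$1" '$3 == proto && $5 == "mountd" { print $4; exit }'
}

# nfs_client_rules EXTIF SERVER MOUNTD_UDP_PORT
# ipchains keeps no connection state: a reply is just another inbound packet,
# so it is matched by the server's address and the *source* port of the daemon
# that sent it (portmap 111, mountd, nfsd 2049), on the external interface only.
# mount(8) and the 2.2 NFS client use UDP unless mounted with -o tcp.
nfs_client_rules() {
    extif=$1; server=$2; mountd=$3
    for spec in "udp 111" "udp $mountd" "udp 2049"; do
        set -- $spec
        echo "ipchains -A input -i $extif -p $1 -s $server $2 -j ACCEPT"
    done
    # Nobody outside has business with this host's own portmapper or nfsd;
    # a rule like "-s 0/0 -d $LOCALNET 2049 -j ACCEPT" opens them to the world.
    for spec in "udp 111" "tcp 111" "udp 2049" "tcp 2049"; do
        set -- $spec
        echo "ipchains -A input -i $extif -p $1 -s 0/0 -d 0/0 $2 -j DENY -l"
    done
}

# portmap_wrappers NET MASK
# portmap is linked with libwrap and checks hosts.allow/hosts.deny itself, by
# numeric address only (no hostnames). Deny everyone first, then let the inside
# net and the box itself (for the localhost:/tmp test mount) talk to it.
portmap_wrappers() {
    echo "# /etc/hosts.deny"
    echo "portmap: ALL"
    echo "# /etc/hosts.allow"
    echo "portmap: 127.0.0.1 $1/$2"
}

# Demo: on the firewall this would be "rpcinfo -p 192.0.2.10 | mountd_port_from_rpcinfo udp".
MOUNTD_PORT=$(printf '%s\n' "$RPCINFO_SAMPLE" | mountd_port_from_rpcinfo udp)
nfs_client_rules eth0 192.0.2.10 "$MOUNTD_PORT"
portmap_wrappers 192.168.1.0 255.255.255.128
```

The accept rules go in the input chain before the final "-j DENY"; the mountd rule has to be regenerated whenever the server reboots, because portmap may hand rpc.mountd a different port next time.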