[ale] NFS and ipchains

Transam transam at cavu.com
Thu Jan 24 20:18:40 EST 2002


> OK, I guess I need to learn ipchains instead of floundering around
> every time I need to mess with it but, in the mean time ;-), I sure could
> use some suggestions on getting the right rules in
> /etc/sysconfig/ipchains (Red Hat 7.1) to allow an NFS mount.

> Ideally, I want to allow only the specific client (192.168.1.13) to
> mount a f/s from the server (192.168.1.12).  The rules I was playing
> with below, I was first just trying to limit it to a given network.

You don't say which system is using IP Chains.  NFS is UDP 2049.
Portmap is UDP 111 and TCP 111 so allow to these destination ports on
the server.  Thus on the server (having a single eth0 IF):

/sbin/ipchains -A input  -i eth0 -p UDP -s 192.168.1.13         --dport 2049 -j ACCEPT
/sbin/ipchains -A input  -i eth0 -p UDP -s 192.168.1.13         --dport  111 -j ACCEPT
/sbin/ipchains -A input  -i eth0 -p TCP -s 192.168.1.13         --dport  111 -j ACCEPT
/sbin/ipchains -A output -i eth0 -p UDP -d 192.168.1.13         --sport 2049 -j ACCEPT
/sbin/ipchains -A output -i eth0 -p UDP -d 192.168.1.13         --sport  111 -j ACCEPT
/sbin/ipchains -A output -i eth0 -p TCP -d 192.168.1.13 ! --syn --sport  111 -j ACCEPT

Perhaps it's automount that has an additional port.  I don't recall at this
point.

To debug, do

     tail -f /var/log/messages

and try it and note what is blocked.  Note errors, especially the (#number)
part of the log message and whether it is on "input", "output", or "forward".
Then do

     ipchains -L -n -v --line-numbers > foo
     editor foo

Search for a line beginning with "number" in the appropriate input, output,
or forward list and that is the rule that blocked the packet.


NOTE: Be doubleplus real damn sure that your firewall blocks these ports
from the interface connected to the Internet or crackers will kill you by
next week.  You've been warned.

Bob Toxen
transam at cavu.com                       [Bob's ALE Bulk email]
bob at cavu.com                           [Please use for email to me]
http://www.cavu.com                    [Network&Linux/Unix security consulting]
http://www.realworldlinuxsecurity.com/ [My 5* book:"Real World Linux Security"]
http://www.cavu.com/sunset.html        [Sunset Computer]
Fly-By-Day Consulting, Inc.      "Don't go with a fly-by-night outfit!"
Quality Linux & UNIX security and SysAdmin & software consulting since 1990.

---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
sent to listmaster at ale dot org.
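The following is an added example written for this archive page; it is not Bob's script and not part of the original post. It puts the six rules above into a reusable shell function for one NFS client (portmap 111 TCP/UDP, nfsd 2049 UDP), using `-p TCP` for the `! --syn` reply rule because `--syn` is only meaningful for TCP. It then appends logged DENY rules (`-l`) on the same ports for every interface, so a mount attempt from anywhere other than the allowed client, including the Internet-facing side, is dropped and shows up in /var/log/messages. The second function is the debugging step from the post: it takes one kernel log line and pulls out the chain name and the `(#number)` so the blocking rule can be found in `ipchains -L -n -v --line-numbers` output. The interface name, client address, and the sample log line are constructed assumptions; the `Packet log:` format is the kernel's ipchains log format.

```shell
#!/bin/sh
# Added example for the ALE post above; not the author's script.
# Assumed values (constructed): LAN interface eth0, NFS client 192.168.1.13.
SERVER_IF="${SERVER_IF:-eth0}"
NFS_CLIENT="${NFS_CLIENT:-192.168.1.13}"

# Print the ipchains commands that let exactly one client reach portmap
# (111 TCP/UDP) and nfsd (2049 UDP) on the LAN interface, followed by
# logged DENY rules on every interface for the same ports so that any
# other source, including the Internet side, is blocked and logged.
nfs_client_rules() {
    client=$1
    iface=$2
    cat <<EOF
/sbin/ipchains -A input  -i $iface -p UDP -s $client --dport 2049 -j ACCEPT
/sbin/ipchains -A input  -i $iface -p UDP -s $client --dport  111 -j ACCEPT
/sbin/ipchains -A input  -i $iface -p TCP -s $client --dport  111 -j ACCEPT
/sbin/ipchains -A output -i $iface -p UDP -d $client --sport 2049 -j ACCEPT
/sbin/ipchains -A output -i $iface -p UDP -d $client --sport  111 -j ACCEPT
/sbin/ipchains -A output -i $iface -p TCP -d $client ! --syn --sport 111 -j ACCEPT
/sbin/ipchains -A input -p UDP --dport 2049 -l -j DENY
/sbin/ipchains -A input -p UDP --dport  111 -l -j DENY
/sbin/ipchains -A input -p TCP --dport  111 -l -j DENY
EOF
}

# Given one line from /var/log/messages, print "<chain> <rule-number>"
# if it is an ipchains "Packet log:" entry, otherwise print nothing.
# The chain is the word after "Packet log:" and the rule number is the
# "(#n)" at the end; both are what ipchains -L --line-numbers is searched for.
ipchains_log_rule() {
    printf '%s\n' "$1" |
        sed -n 's/.*Packet log: \([a-z]*\) [A-Z]* .*(#\([0-9]*\)).*/\1 \2/p'
}

# Constructed sample log line (not captured from a real host): a packet to
# nfsd from an address other than the allowed client, caught by a DENY rule.
SAMPLE_LOG='Jan 24 20:18:40 nfsserver kernel: Packet log: input DENY eth1 PROTO=17 10.0.0.5:1023 192.168.1.12:2049 L=132 S=0x00 I=0 F=0x4000 T=64 (#7)'

# Apply the rules only when explicitly asked and ipchains is present;
# otherwise just show them, which is what a dry run on a modern box does.
if [ "${APPLY_RULES:-no}" = yes ] && [ -x /sbin/ipchains ]; then
    nfs_client_rules "$NFS_CLIENT" "$SERVER_IF" | sh
else
    nfs_client_rules "$NFS_CLIENT" "$SERVER_IF"
    echo "sample blocked packet -> $(ipchains_log_rule "$SAMPLE_LOG")"
fi
```

Run it with `APPLY_RULES=yes` on the server to load the rules; without it the script only prints them. To find a blocked packet's rule, feed the offending kernel line to `ipchains_log_rule` and look up that number in the named chain of `ipchains -L -n -v --line-numbers`.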





