iptables & nfs

From: Geoff Dolman (geoffrey.dolman@cimr.cam.ac.uk)
Date: 12/13/01

Hi

I think this may be an FAQ, but please at least point me to a web site
that has the answer to this.

I am having trouble getting iptables to work with NFS/NIS using Red
Hat 7.1 or 7.2.
[Kernels 2.4.2-2, 2.4.7-10, 2.4.9-13 all seem to have the same issue]

I am trying to ypbind to a Solaris 2.6 NIS master and mount NFS exports
on said server. Obviously these things are started on boot. The problem
is that with iptables already started the machine hangs on boot when it
tries to mount the NFS file systems.

The commands I have typed in to get the rules I want are:

  # I don't need or want forwarding/routing from my clients
  iptables -P FORWARD DROP
  # Allow fragments in an attempt to not break NFS
  iptables -A INPUT -f -j ACCEPT
  # Allow anything from my subnet
  iptables -A INPUT -s mysubnet/mysubnetmask -j ACCEPT
  # Allow sessions I have started to continue
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Allow ICMP
  iptables -A INPUT -p icmp -j ACCEPT

  # Ditch anything else
  iptables -P INPUT DROP

I have tried variations on these, e.g. adding -i eth0, trying a different
order etc., but without improvement. As soon as the default for INPUT is
set to DROP two things change. One is that if I run /etc/init.d/ypbind
restart the shutdown and restart succeed, but the machine hangs while
listening for the NIS server (the name of which is in
/etc/sysconfig/network, i.e. it is not broadcasting for any NIS server).
The other thing that happens, as mentioned above, is that having run
/etc/init.d/iptables save then reboot, the machine hangs when trying to
mount NFS.

The only way I can get the behaviour I want is to leave the policy for
INPUT as ACCEPT and, instead of allowing things in, block them, e.g.

  iptables -A INPUT ! -s mynetwork/mysubnet -m state --state NEW,INVALID -j DROP

Admittedly this works, but on principle I'd rather allow in known
traffic and block everything else rather than allowing everything and
trying to quantify what qualifies as suspicious/unwanted.

Does anyone have a rule-set which fixes this?

-- 
Geoff Dolman
JDRF/WT Diabetes and Inflammation Laboratory
Cambridge Institute for Medical Research
University of Cambridge
http://www-gene.cimr.cam.ac.uk/todd/
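As an added example (not part of the original post, and not Red Hat's or netfilter's own code), here is a default-deny INPUT ruleset for an NFS/NIS client on the 2.4-era iptables the post is about. It is built around two points: the ESTABLISHED,RELATED rule must carry a -j ACCEPT target (a rule with no target matches and does nothing), and because NFS, mountd and ypserv sit on portmapper-assigned ports, the inbound traffic a client cannot predict (lock callbacks from the NFS server's lockd/statd) is keyed on the server's address rather than on port numbers. The server address 10.0.0.5, subnet 10.0.0.0/24 and interface eth0 are hypothetical placeholders; the script prints the commands in its default dry-run mode and only loads them when run as root with DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not code from the original post, Red Hat or netfilter.
# Default-deny INPUT ruleset for an NFS/NIS *client* on 2.4-era iptables.
# Hypothetical placeholders (override via the environment): NIS/NFS server
# 10.0.0.5, local subnet 10.0.0.0/24, interface eth0. With DRY_RUN=1 (the
# default) the commands are printed instead of executed.

NIS_SERVER="${NIS_SERVER:-10.0.0.5}"   # assumption: one host serves NIS and NFS
LAN="${LAN:-10.0.0.0/24}"              # assumption: the client's own subnet
IFACE="${IFACE:-eth0}"
DRY_RUN="${DRY_RUN:-1}"

run() {
    # Print the command in dry-run mode, otherwise execute it (needs root).
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

nfs_client_rules() {
    # Connection tracking is what lets "-m state" recognise the UDP replies
    # that portmap, mountd, nfsd and ypserv send back from whatever ports the
    # portmapper assigned them.  It also reassembles fragments before the
    # filter table sees them, so no blanket "-f -j ACCEPT" rule is needed.
    run modprobe ip_conntrack

    run iptables -P FORWARD DROP
    run iptables -F INPUT
    # Keep INPUT open until the allow rules are in place: loading this over
    # an SSH session must never cut the session off half-way.
    run iptables -P INPUT ACCEPT

    run iptables -A INPUT -i lo -j ACCEPT

    # Replies to anything this host initiated.  Every RPC call the client
    # makes (portmap on 111, NFS on 2049, mountd and ypserv on dynamic ports)
    # is covered here, whatever port the reply comes from.  The -j ACCEPT is
    # essential: a rule without a target matches and does nothing.
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -m state --state INVALID -j DROP

    # Unsolicited traffic a client still has to accept: lock callbacks from
    # the server's lockd/statd (NLM/NSM) arrive as NEW, on ports chosen at
    # run time, so they are keyed on the server address rather than a port.
    run iptables -A INPUT -i "$IFACE" -s "$NIS_SERVER" -p udp -j ACCEPT
    run iptables -A INPUT -i "$IFACE" -s "$NIS_SERVER" -p tcp -j ACCEPT

    # Ping from the subnet; ICMP errors for our own connections are RELATED.
    run iptables -A INPUT -i "$IFACE" -s "$LAN" -p icmp --icmp-type echo-request -j ACCEPT
    # Assumption: the box is administered over SSH from the local subnet.
    run iptables -A INPUT -i "$IFACE" -s "$LAN" -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # Only now, with the allow rules loaded, does the default become DROP.
    run iptables -P INPUT DROP
}

nfs_client_rules
```

Once the dry-run output looks right, run it as root with DRY_RUN=0, then /etc/init.d/iptables save so Red Hat writes it to /etc/sysconfig/iptables and reloads it at boot. Because the policy flips to DROP only after the allow rules exist, the script is safe to load over a remote session, and because every accept rule names either a tracked state or a specific source, nothing from outside the server and the subnet gets in.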

