iptables & nfs

From: Geoff Dolman (geoffrey.dolman@cimr.cam.ac.uk)
Date: 12/13/01

I think this may be an FAQ, but please at least point me to a web site
that has the answer to this.

I am having trouble getting iptables to work with NFS/NIS using Red
Hat 7.1 or 7.2.
[Kernels 2.4.2-2, 2.4.7-10 and 2.4.9-13 all seem to have the same issue]

I am trying to ypbind to a Solaris 2.6 NIS master and mount NFS exports
on said server. Obviously these things are started on boot. The problem
is that with iptables already started the machine hangs on boot when it
tries to mount the NFS file systems.

The commands I have typed in to get the rules I want are:

iptables -P FORWARD DROP  # I don't need or want forwarding/routing from my clients
iptables -A INPUT -f -j ACCEPT  # Allow fragments in an attempt to not break nfs
iptables -A INPUT -s mysubnet/mysubnetmask -j ACCEPT  # Allow anything from my subnet
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT  # Allow sessions I have started to continue (a rule with no -j target only counts packets)
iptables -A INPUT -p icmp -j ACCEPT  # Allow icmp.

iptables -P INPUT DROP  # ditch anything else.

I have tried variations on these, e.g. adding -i eth0, trying a different
order etc., but without improvement. As soon as the default for INPUT is
set to DROP two things change. One is that if I run /etc/init.d/ypbind
restart, the shutdown and restart succeed, but the machine hangs while
listening for the NIS server (the name of which is in
/etc/sysconfig/network, i.e. it is not broadcasting for any NIS server).
The other thing that happens, as mentioned above, is that having run
/etc/init.d/iptables save and then rebooted, the machine hangs when trying to
mount NFS.

The only way I can get the behaviour I want is to leave the policy for
INPUT as ACCEPT and, instead of allowing things in, I block them, e.g.:

iptables -A INPUT ! -s mynetwork/mysubnet -m state --state NEW,INVALID -j DROP

Admittedly this works, but on principle I'd rather allow in known
traffic and block everything else rather than allowing everything and
trying to quantify what qualifies as suspicious/unwanted.

Does anyone have a rule-set which fixes this?

Geoff Dolman
JDRF/WT Diabetes and Inflammation Laboratory
Cambridge Institute for Medical Research
University of Cambridge
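A default-DROP INPUT chain that still admits NIS/NFS from one trusted server, as an added example that is not part of the original post. The server address, the client subnet and the dry-run IPT variable (which prints the commands instead of applying them) are assumed placeholders.

```shell
#!/bin/sh
# Added example, not the poster's rules. Placeholders: NIS_NFS_SERVER and
# LOCAL_NET are constructed addresses; IPT defaults to a dry run that only
# prints each command (set IPT=iptables to apply the rules for real).
NIS_NFS_SERVER="${NIS_NFS_SERVER:-192.0.2.10}"   # placeholder NIS/NFS server
LOCAL_NET="${LOCAL_NET:-192.0.2.0/24}"          # placeholder client subnet
IPT="${IPT:-echo iptables}"

build_rules() {
    $IPT -P FORWARD DROP                  # this host is a client, not a router
    $IPT -A INPUT -i lo -j ACCEPT         # portmap/lockd/statd talk to each other over loopback
    # Every rule needs a -j target; a match with no target only counts packets.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -s "$LOCAL_NET" -j ACCEPT
    # ONC RPC uses the portmapper on 111 and then dynamically assigned ports
    # (mountd, ypserv, lockd, statd), so an off-subnet server is admitted by
    # address rather than by port; both UDP and TCP are used by mount and ypbind.
    $IPT -A INPUT -s "$NIS_NFS_SERVER" -p udp -j ACCEPT
    $IPT -A INPUT -s "$NIS_NFS_SERVER" -p tcp -j ACCEPT
    $IPT -A INPUT -p icmp -j ACCEPT
    # No blanket "-f -j ACCEPT": with ip_conntrack loaded the 2.4 kernel
    # reassembles fragments before filtering, so the rule would only open a hole.
    $IPT -P INPUT DROP                    # drop everything not matched above
}

# Sanity check on the generated rule set: number of -A INPUT rules lacking a target.
count_rules_without_target() {
    build_rules | grep -- '-A INPUT' | grep -v -- '-j ' | wc -l | tr -d ' '
}

build_rules
```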