Re: iptables & nfsFrom: Cedric Blancher (email@example.com)
- Next message: Luke Vogel: "Re: HTTP redirect using iptables"
- Previous message: Brad: "Re: Apache logs"
- In reply to: Geoff Dolman: "iptables & nfs"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Cedric Blancher <firstname.lastname@example.org> Date: Thu, 13 Dec 2001 10:00:43 +0000 (UTC)
Dans sa prose, Geoff Dolman (email@example.com) nous ecrivait :
> I am having trouble to getting iptables to work with nfs/nis using red
> hat 7.1 or 7.2.
> [Kernels 2.4.2-2, 2.4.7-10, 2.4.9-13 all seem to have the same issue]
> I am trying to ypbind to a Solaris 2.6 NIS master and mount nfs exports
> on said server. Obviously these things are started on boot. The problem
> is that with iptables already started the machine hangs on boot when it
> tries to mount the nfs filing systems.
You can try record-rpc patch which is in iptables 1.2.4 patch-o-matic
which seems to work fine.
It brings record-rpc match that allows you to match packets that belongs
to a connection for which a GET has been issued to your portmapper
Author: "Marcelo Barbosa Lima" <firstname.lastname@example.org>
Status: This works now :-)
Status: Ported to 2.4.0-test9-pre2 by Rusty. May be broken.
Status: Fixed by Marc for 2.4.0.
This adds CONFIG_IP_NF_MATCH_RPC, which supplies two modules,
ip_conntrack_rpc_udp and ip_conntrack_rpc_tcp, which track portmapper
requests using UDP and TCP respectively. It also adds the record_rpc
match for iptables, which matches if the source of the packet has
requested that port through the portmapper before, or it is a new GET
request to the portmapper, allowing effective RPC filtering.
In order to add this feature to your box, you will have to patch kernel
sources and build modules, or build your kernel again if you decide to
core build this stuff.
-- SJ> Just do it. TM> Traduction ? Bouge toi le cul. -+- RMD in <http://neuneu.mine.nu> : Move your ass -+-