Re: iptables & nfs

From: Cedric Blancher (blancher@cartel-info.fr)
Date: 12/13/01


From: Cedric Blancher <blancher@cartel-info.fr>
Date: Thu, 13 Dec 2001 10:00:43 +0000 (UTC)

In his prose, Geoff Dolman (geoffrey.dolman@cimr.cam.ac.uk) wrote to us:
> I am having trouble getting iptables to work with nfs/nis using Red
> Hat 7.1 or 7.2.
> [Kernels 2.4.2-2, 2.4.7-10, 2.4.9-13 all seem to have the same issue]
> I am trying to ypbind to a Solaris 2.6 NIS master and mount nfs exports
> on said server. Obviously these things are started on boot. The problem
> is that with iptables already started the machine hangs on boot when it
> tries to mount the nfs filing systems.

You can try the record-rpc patch which is in the iptables 1.2.4 patch-o-matic
and which seems to work fine.
It brings the record-rpc match, which allows you to match packets that belong
to a connection for which a GET has been issued to your portmapper
before:

Author: "Marcelo Barbosa Lima" <marcelo.lima@dcc.unicamp.br>
Status: This works now :-)
Status: Ported to 2.4.0-test9-pre2 by Rusty. May be broken.
Status: Fixed by Marc for 2.4.0.

This adds CONFIG_IP_NF_MATCH_RPC, which supplies two modules,
ip_conntrack_rpc_udp and ip_conntrack_rpc_tcp, which track portmapper
requests using UDP and TCP respectively. It also adds the record_rpc
match for iptables, which matches if the source of the packet has
requested that port through the portmapper before, or it is a new GET
request to the portmapper, allowing effective RPC filtering.

In order to add this feature to your box, you will have to patch the kernel
sources and build the modules, or rebuild your kernel if you decide to
build this stuff into the core.

-- 
 SJ> Just do it.
 TM> Translation?
 Move your ass.
 -+- RMD in <http://neuneu.mine.nu> : Move your ass -+-
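As an added illustration (not part of the original reply or of the patch-o-matic patch itself), here is what a minimal INPUT-chain policy for an NFS/NIS client built on the record_rpc match could look like. It assumes a kernel built with CONFIG_IP_NF_MATCH_RPC and an iptables binary with the record_rpc extension, that the match takes no options (assumed from the patch description above; check `iptables -m record_rpc -h` on your build), and a placeholder server address. By default the script only prints the rules so they can be reviewed; `--apply` loads the two conntrack helper modules named in the patch text and executes them.

```shell
#!/bin/sh
# Added example: NFS/NIS client filtering with the patch-o-matic record_rpc match.
# Assumptions (not from the original post): record_rpc takes no options, and
# NIS_NFS_SERVER is a constructed placeholder for the Solaris NIS/NFS server.
NIS_NFS_SERVER="${NIS_NFS_SERVER:-192.0.2.10}"

# Emit the rules one per line. The record_rpc match accepts a packet if its
# source has already looked the destination port up via our portmapper, or if
# it is itself a new GET to the portmapper; that covers the server's callbacks
# to lockd/statd ports registered on the client, which is what hangs a plain
# DROP policy during the boot-time mount. Replies to our own requests are
# covered by the ESTABLISHED,RELATED rule.
rpc_rules() {
    cat <<EOF
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p udp -s $NIS_NFS_SERVER -m record_rpc -j ACCEPT
iptables -A INPUT -p tcp -s $NIS_NFS_SERVER -m record_rpc -j ACCEPT
iptables -A INPUT -s $NIS_NFS_SERVER -j LOG --log-prefix "rpc-unmatched: "
iptables -P INPUT DROP
EOF
}

# Number of rules that depend on the record_rpc extension (used for sanity checks).
rpc_rule_count() {
    rpc_rules | grep -c 'record_rpc'
}

# Load the conntrack helpers from the patch and apply the rules (needs root).
apply_rpc_rules() {
    modprobe ip_conntrack_rpc_udp
    modprobe ip_conntrack_rpc_tcp
    rpc_rules | while IFS= read -r rule; do
        eval "$rule"
    done
}

if [ "${1:-}" = "--apply" ]; then
    apply_rpc_rules
else
    rpc_rules
fi
```

The LOG rule just before the DROP policy is the diagnostic a practitioner wants for the symptom described in the thread: anything from the server that neither conntrack nor record_rpc accounts for shows up in the kernel log with the `rpc-unmatched:` prefix instead of silently stalling the mount.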


