Hello everyone,

I am setting up a new system for use as a testing/demo/trial-and-error system. I have installed CentOS 4.4 on it. There is no X environment, so I will need to fix this from the command line (via ssh access).

I am trying to do an nfs export from this box to another on my internal home network. I have figured out that it is a firewall issue on the CentOS box (I turn off the CentOS firewall and the mount works). My problem is that I am not sure how to resolve this. I have not done any configuration with iptables before. In the file /etc/sysconfig/iptables are the lines:

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 2049 -j ACCEPT

and there are not any deny lines above these. I think those lines were added when I ran system-config-securitylevel-tui. Those are the only lines that I can find that mention port 2049 or nfs.

Those lines look to me like they are for accepting incoming connections only. Is that correct?

What do I need to do so that I can do the nfs export out of this box?

-- 
Doug
Registered Linux User #285548 (http://counter.li.org)
----------------------------------------
Random Thought: no maintenance: Impossible to fix.
> My problem is that I am not sure how to resolve this. I have not done
> any configuration with iptables before. In the
> file /etc/sysconfig/iptables are the lines:
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 2049
> -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 2049
> -j ACCEPT
>
> and there are not any deny lines above these. I think those lines were
> added when I ran system-config-securitylevel-tui. Those are the only
> lines that I can find that mention port 2049 or nfs.
>
> Those lines look to me like they are for accepting incoming connections
> only. Is that correct?
>
> What do I need to do so that I can do the nfs export out of this box?

These lines accept NEW connections. If the connection lags/times out but does not start again as 'new', it may be blocked. You should consider just allowing 2049 from a particular subnet, without other constraints on the packets.

NFS is also a bit like ftp, and likes to play with random ports, which tend to make firewalls angry. You'll want something in /etc/sysconfig/nfs like the following:

STATD_PORT=4000
STATD_OUTGOING_PORT=4004
LOCKD_TCPPORT=4001
LOCKD_UDPPORT=4001
MOUNTD_PORT=4002

Obviously you'll need to salt this to taste, and ensure that ports 4000:4004 are open (in this example) as well in your firewall.

-- 
During times of universal deceit, telling the truth becomes a revolutionary act.
George Orwell
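The procedure in the reply above has two halves: pin the statd, lockd and mountd ports in /etc/sysconfig/nfs, then open those ports (plus 111 for the portmapper and 2049 for nfsd) in the RH-Firewall-1-INPUT chain, restricted to the trusted subnet rather than matched on NEW state. The following shell script is an added example that is not part of the thread: it reads the pinned ports out of a config in the /etc/sysconfig/nfs format and prints the matching iptables rules. The subnet 192.168.1.0/24 and the sample config text are constructed; the function names nfs_port, accept_rule and nfs_rules are this example's own.

```sh
#!/bin/sh
# Added example, not from the thread: build iptables rules for the
# RH-Firewall-1-INPUT chain from the fixed NFS ports set in
# /etc/sysconfig/nfs, accepting NFS only from one trusted subnet.

# Constructed sample of /etc/sysconfig/nfs, using the port values from the thread.
SAMPLE_NFS_CONF='STATD_PORT=4000
STATD_OUTGOING_PORT=4004
LOCKD_TCPPORT=4001
LOCKD_UDPPORT=4001
MOUNTD_PORT=4002'

# nfs_port NAME CONF: print the numeric value of NAME=... from CONF, or nothing.
nfs_port() {
    printf '%s\n' "$2" | sed -n "s/^$1=\([0-9][0-9]*\)\$/\1/p" | head -n 1
}

# accept_rule SUBNET PROTO PORT: one ACCEPT rule limited by source address,
# with no state match, so a resumed session is not rejudged as NEW.
accept_rule() {
    printf '%s\n' "-A RH-Firewall-1-INPUT -s $1 -p $2 --dport $3 -j ACCEPT"
}

# nfs_rules SUBNET CONF: print the rules to paste above the chain's final
# REJECT line. Fails if any of the four daemons has no fixed port in CONF.
nfs_rules() {
    subnet=$1
    conf=$2
    statd=$(nfs_port STATD_PORT "$conf")
    lockd_tcp=$(nfs_port LOCKD_TCPPORT "$conf")
    lockd_udp=$(nfs_port LOCKD_UDPPORT "$conf")
    mountd=$(nfs_port MOUNTD_PORT "$conf")
    for v in "$statd" "$lockd_tcp" "$lockd_udp" "$mountd"; do
        [ -n "$v" ] || { echo "nfs_rules: a required port is not fixed in the config" >&2; return 1; }
    done
    # Replies and related traffic first; this also covers statd's own
    # outgoing notifications sent from STATD_OUTGOING_PORT.
    printf '%s\n' "-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # portmapper (111) and nfsd (2049) always listen on fixed ports; statd and
    # mountd use the pinned ports, on both tcp and udp.
    for p in 111 2049 "$statd" "$mountd"; do
        accept_rule "$subnet" tcp "$p"
        accept_rule "$subnet" udp "$p"
    done
    accept_rule "$subnet" tcp "$lockd_tcp"
    accept_rule "$subnet" udp "$lockd_udp"
}

# On the real box: nfs_rules 192.168.1.0/24 "$(cat /etc/sysconfig/nfs)"
nfs_rules 192.168.1.0/24 "$SAMPLE_NFS_CONF"
```

Paste the printed lines into /etc/sysconfig/iptables ahead of the chain's closing REJECT rule, then restart with `service iptables restart` and `service nfs restart` (and `service nfslock restart`, so statd and lockd pick up the pinned ports). `rpcinfo -p` afterwards should show statd, nlockmgr and mountd on the chosen ports; if it shows a random port, the daemon was not restarted after the config change and the rules will not match it.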
On Sat September 30 2006 19:57, Ski Dawg wrote:
> My problem is that I am not sure how to resolve this. I have not done
> any configuration with iptables before. In the
> file /etc/sysconfig/iptables are the lines:
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 2049
> -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 2049
> -j ACCEPT

First off we would need to know what is in your /etc/sysconfig/iptables file. There could be many things that are killing this. Since it looks like you are doing stateful inspection I would assume that there is a statement for ESTABLISHED,RELATED in there also. What are the default policies? Are you logging your firewall drop/rejects? Check the messages file to see if there are any clues in there. We need to know how it is set up completely so one command isn't killing another.

> and there are not any deny lines above these. I think those lines were
> added when I ran system-config-securitylevel-tui. Those are the only
> lines that I can find that mention port 2049 or nfs.

Normally you would want your Deny lines towards the bottom of your chains if you have any.

> Those lines look to me like they are for accepting incoming connections
> only. Is that correct?

Yep.

> What do I need to do so that I can do the nfs export out of this box?

Well, pastebin your firewall rules and post the URL here. That would be a start.

-- 
Regards
Robert
Smile... it increases your face value!