I am running a server which needs UDP ports 1000:11000 opened, as well as TCP 10011 and 30033 open to function.
I have a set of iptables rules set to allow SSH and those ports, and intentionally left out 2010 as I am getting attacked on that port. The server does not block the incoming IP even when told to do so.
iptables is running on my web server. I really need SSH dynamic port forwarding, but my iptables DROPs any INPUT/OUTPUT connection and only allows some ports.
For FORWARD chain, I wrote these rules:
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcpflags:!
I'm trying to find out why changing my default iptables policy is affecting what nmap sees when it scans my host.
Consider the following iptables setup:
iptables -F
iptables -A INPUT -p tcp -s 10.1.0.0/20 --dport 22 -j ACCEPT
iptables -P INPUT ACCEPT
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j AC
I used an online tool to create an iptables firewall. Basically I just need port 22 and 1194 open to the outside world. But I noticed this bash script has input, forward and output chains as accept by default. Is it blocking all traffic but those two ports? Thanks.
When trying to open the ports 110 and 25 in my iptables for Outlook-only users, I can't do it except by forwarding as such:
-I FORWARD -i eth0 -s 192.168.1.0/24 -j ACCEPT
-I FORWARD -i eth1 -d 192.168.1.0/24 -j ACCEPT
But doing so allows the rest of the users in my LAN to bypass my Squid proxy.
Hey guys,
I don't understand what's going on with my root server...
I have reset iptables and just opened the port for ssh.
Now suddenly, overnight, I see that there are various ports open:
21,80, 135, 139, 445, 3128
Could it be that vsftpd for example put rules in automatically to allow input on port 21?
I also tried disabling iptables with this command:
Code:
# iptables -X
# iptables
I'm following this guide here: http://isalazyadmin.net/2009/07/02/configuring-a-basic-firewall-for-debi...
And I have the iptables rules listed as shown, but my server still appears to be accepting all incoming connections (i.e. BitTorrent peers are still connecting, even though I didn't allow those ports).
/etc/iptables.rules
*filter
# This will allow all loopback (lo0) traffic and drop all traff
Here is the setup.
I'd like to allow mail through iptables with a DROP policy, but this script doesn't work. What is wrong here?
## Flush rules
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
## policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
# localhost
iptables -A INPUT -i lo -j ACCEPT
# Allow my ip
iptables -A INPUT -s MY_IP -j ACCEPT
# 80 port
iptables -A I