[PLUTO-help] iptables ... allowing the export of NFS file systems
Andrea Ligabue
ligabue a theochem.unimo.it
Tue 22 Mar 2005 14:06:44 CET
Hi everyone,
I'm trying to configure a firewall that, among other services, lets me
export NFS file systems ...
To start the configuration I used Guarddog, and now I'm editing the file
by hand.
I defined a chain called f2to1 that handles the connections between
some machines in my office and the machine that has to export the
filesystems.
To authorize NFS I set the following commands:
iptables -A f2to1 -p tcp --sport 0:65535 --dport 111:111 -m state --state NEW -j ACCEPT
iptables -A f2to1 -p udp --sport 0:65535 --dport 111:111 -j ACCEPT
iptables -A f2to1 -p tcp --sport 0:65535 --dport 1024:5999 -m state --state NEW -j ACCEPT
iptables -A f2to1 -p udp --sport 0:65535 --dport 0:65535 -j ACCEPT
iptables -A f2to1 -p tcp --sport 0:65535 --dport 2049:2049 -m state --state NEW -j ACCEPT
iptables -A f2to1 -p udp --sport 0:65535 --dport 2049:2049 -j ACCEPT
but if I run nmap against the machine I get:
111/tcp open rpcbind
but
2049/tcp closed nfs
... is there a way to understand at which level (by which command/rule) my
packet is being stopped by the firewall?
To be clear, the f2to1 chain (iptables -L command) is this:
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:imaps state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:cvspserver state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:auth state NEW
ACCEPT udp -- anywhere anywhere udp dpt:113
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:https state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:sunrpc state NEW
ACCEPT udp -- anywhere anywhere udp dpt:sunrpc
ACCEPT tcp -- anywhere anywhere tcp dpts:1024:5999 state NEW
ACCEPT udp -- anywhere anywhere udp
ACCEPT tcp -- anywhere anywhere tcp dpt:nfs state NEW
ACCEPT udp -- anywhere anywhere udp dpt:nfs
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:smtp state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:imap2 state NEW
ACCEPT udp -- anywhere anywhere udp dpt:imap2
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:www state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:webcache state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:8008 state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:8000 state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:8888 state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpts:x11:6063 state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:10000 state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:pop3 state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:pop3s state NEW
ACCEPT udp -- anywhere anywhere udp dpt:xdmcp
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:pop2 state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:ssh state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:0:1023 dpt:ssh state NEW
logdrop all -- anywhere anywhere
... the other services work ... nmap (nmap -sT) returns the following
results:
22/tcp open ssh
25/tcp open smtp
80/tcp open http
110/tcp open pop3
111/tcp open rpcbind
143/tcp open imap
443/tcp open https
1473/tcp closed openmath
5432/tcp open postgres
10000/tcp open snet-sensor-mgmt
... can anyone help me?
Thanks a lot
Andrea
----------------------------------------------------------
There's no honorable way to kill, no gentle way to destroy.
There is nothing good in war. Except its ending.
-- Abraham Lincoln, "The Savage Curtain", stardate 5906.5
----------------------------------------------------------
tel +39 059 2055115
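As an added example (editor's, not part of the original post), here is a small Python first-match simulator run over a constructed ruleset modelled on the f2to1 chain above. It walks the chain top to bottom, records every rule the packet matches, follows jumps into user-defined chains such as logdrop, treats LOG as non-terminating and reports the final verdict. Fed a TCP/2049 NEW probe it shows that the broad --dport 1024:5999 rule already accepts the packet before the dedicated 2049 rule is reached, so the firewall is not what produces the "closed" result: nmap reports "closed" when the host answers with a RST and "filtered" when nothing comes back. On a live machine the equivalent checks are the packet counters shown by "iptables -L f2to1 -v -n" and a LOG rule inserted just ahead of the rule under suspicion. The ruleset text, the packet dictionary format and the helper names are assumptions of this example; only -p, --sport, --dport, --state and -j are honoured, address and interface matches are ignored.

```python
"""First-match trace of an iptables chain: which rule does a packet hit?

The ruleset below is a constructed example modelled on the post's f2to1
chain; it is the editor's illustration, not the poster's real file.
"""
from __future__ import annotations

import shlex
from dataclasses import dataclass
from typing import Optional

TERMINAL = {"ACCEPT", "DROP", "REJECT"}   # verdicts that end the walk


@dataclass
class Rule:
    chain: str
    proto: Optional[str]          # None means "-p all"
    sport: tuple[int, int]
    dport: tuple[int, int]
    states: Optional[set[str]]    # None means no "-m state" match
    target: str
    text: str                     # original line, kept for the report


def _port_range(spec: str) -> tuple[int, int]:
    """'22' -> (22, 22); '1024:5999' -> (1024, 5999); ':1023' -> (0, 1023)."""
    lo, _, hi = spec.partition(":")
    lo_n = int(lo) if lo else 0
    hi_n = int(hi) if hi else lo_n
    return lo_n, hi_n


def parse_rule(line: str) -> Rule:
    """Parse one 'iptables -A ...' line; only -p/--sport/--dport/--state/-j count."""
    toks = shlex.split(line)
    chain = target = proto = None
    sport = dport = (0, 65535)
    states = None
    i = 0
    while i < len(toks):
        t = toks[i]
        arg = toks[i + 1] if i + 1 < len(toks) else ""
        if t == "-A":
            chain = arg
        elif t == "-p":
            proto = None if arg == "all" else arg
        elif t == "--sport":
            sport = _port_range(arg)
        elif t == "--dport":
            dport = _port_range(arg)
        elif t == "--state":
            states = set(arg.split(","))
        elif t == "-j":
            target = arg
        else:
            i += 1            # "iptables", "-m", "state", "--log-prefix" ...: skip
            continue
        i += 2
    if chain is None or target is None:
        raise ValueError(f"cannot parse rule: {line}")
    return Rule(chain, proto, sport, dport, states, target, line.strip())


def matches(rule: Rule, pkt: dict) -> bool:
    """pkt = {'proto': 'tcp'|'udp', 'sport': int, 'dport': int, 'state': 'NEW'|...}."""
    if rule.proto is not None and rule.proto != pkt["proto"]:
        return False
    if not rule.sport[0] <= pkt["sport"] <= rule.sport[1]:
        return False
    if not rule.dport[0] <= pkt["dport"] <= rule.dport[1]:
        return False
    if rule.states is not None and pkt["state"] not in rule.states:
        return False
    return True


def trace(rules: list[Rule], chain: str, pkt: dict, path: list[str]) -> Optional[str]:
    """Walk `chain` in order, appending each matched rule's text to `path`.

    Returns the terminal verdict, or None when the chain falls through.
    """
    for r in rules:
        if r.chain != chain or not matches(r, pkt):
            continue
        path.append(r.text)
        if r.target in TERMINAL:
            return r.target
        if r.target == "LOG":            # LOG never terminates: keep walking
            continue
        if r.target == "RETURN":
            return None
        verdict_sub = trace(rules, r.target, pkt, path)   # user-defined chain
        if verdict_sub is not None:
            return verdict_sub
    return None


# Constructed ruleset (assumption): the post's six NFS rules, one ssh rule,
# and the trailing logdrop chain that logs and then drops.
RULESET_TEXT = """
iptables -A f2to1 -p tcp --sport 0:65535 --dport 111:111 -m state --state NEW -j ACCEPT
iptables -A f2to1 -p udp --sport 0:65535 --dport 111:111 -j ACCEPT
iptables -A f2to1 -p tcp --sport 0:65535 --dport 1024:5999 -m state --state NEW -j ACCEPT
iptables -A f2to1 -p udp --sport 0:65535 --dport 0:65535 -j ACCEPT
iptables -A f2to1 -p tcp --sport 0:65535 --dport 2049:2049 -m state --state NEW -j ACCEPT
iptables -A f2to1 -p udp --sport 0:65535 --dport 2049:2049 -j ACCEPT
iptables -A f2to1 -p tcp --sport 1024:65535 --dport 22 -m state --state NEW -j ACCEPT
iptables -A f2to1 -j logdrop
iptables -A logdrop -j LOG --log-prefix "f2to1-drop: "
iptables -A logdrop -j DROP
"""

RULES = [parse_rule(l) for l in RULESET_TEXT.strip().splitlines()]


def verdict(pkt: dict, chain: str = "f2to1", policy: str = "DROP") -> tuple[str, list[str]]:
    """Final verdict for `pkt` entering `chain`, plus the rules matched on the way."""
    path: list[str] = []
    v = trace(RULES, chain, pkt, path)
    return (v if v is not None else policy), path


if __name__ == "__main__":
    probe = {"proto": "tcp", "sport": 40000, "dport": 2049, "state": "NEW"}
    v, path = verdict(probe)
    print(f"tcp/2049 NEW -> {v}")
    for line in path:
        print("  matched:", line)
```

Running the block prints the verdict for a TCP/2049 NEW probe together with the single rule that matched it, the 1024:5999 range, which is why the explicit 2049 rule never sees traffic. A TCP/22 probe from a low source port shows the other case: no ACCEPT rule fits, the packet is handed to logdrop, logged and dropped, which is exactly the path a LOG rule or the -v counters would reveal on the real firewall.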