[PLUTO-help] iptables ... allowing the export of NFS file systems
Andrea Ligabue
ligabue a theochem.unimo.it
Tue 22 Mar 2005 18:46:42 CET
I solved the problem on my own ... in fact you also need to enable
iptables -A f2to1 -p tcp --sport 0:65535 --dport 32769:32769 -m state --state NEW -j ACCEPT
iptables -A f2to1 -p udp --sport 0:65535 --dport 32769:32769 -j ACCEPT
which is the protocol:
filenet-rpc 32769/tcp # Filenet RPC
filenet-rpc 32769/udp # Filenet RPC
... and guarddog (at least the version I used) didn't do it
bye everyone
Liga
----------------------------------------------------------
There's no honorable way to kill, no gentle way to destroy.
There is nothing good in war. Except its ending.
-- Abraham Lincoln, "The Savage Curtain", stardate 5906.5
----------------------------------------------------------
tel +39 059 2055115
On Tue, 22 Mar 2005, Andrea Ligabue wrote:
> Hi everyone
>
> I'm trying to configure a firewall that, among other services, allows me
> to export NFS file systems ...
>
> to start the configuration I used guarddog and then I'm editing the
> file by hand
>
> I defined a chain called f2to1 that handles the connections between some
> machines in my office and the machine that has to export the filesystems
>
> to authorize NFS I set the following commands
>
> iptables -A f2to1 -p tcp --sport 0:65535 --dport 111:111 -m state --state NEW -j ACCEPT
> iptables -A f2to1 -p udp --sport 0:65535 --dport 111:111 -j ACCEPT
> iptables -A f2to1 -p tcp --sport 0:65535 --dport 1024:5999 -m state --state NEW -j ACCEPT
> iptables -A f2to1 -p udp --sport 0:65535 --dport 0:65535 -j ACCEPT
> iptables -A f2to1 -p tcp --sport 0:65535 --dport 2049:2049 -m state --state NEW -j ACCEPT
> iptables -A f2to1 -p udp --sport 0:65535 --dport 2049:2049 -j ACCEPT
>
> but if I run nmap against the machine I get:
>
> 111/tcp open rpcbind
>
> but
>
> 2049/tcp closed nfs
>
> ... is there a way to find out at what level (by which command/rule) my
> packet is being stopped by the firewall?
>
> To be clear, the f2to1 chain (iptables -L command) is this:
>
> target prot opt source destination
> ACCEPT icmp -- anywhere anywhere icmp echo-reply
> ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:imaps state NEW
> ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:cvspserver state NEW
> ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:auth state NEW
> ACCEPT udp -- anywhere anywhere udp dpt:113
> ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:https state NEW
> ACCEPT tcp -- anywhere anywhere tcp dpt:sunrpc state NEW
> ACCEPT udp -- anywhere anywhere udp dpt:sunrpc
> ACCEPT tcp -- anywhere anywhere tcp dpts:1024:5999 state NEW
> ACCEPT udp -- anywhere anywhere udp
> ACCEPT tcp -- anywhere anywhere tcp dpt:nfs state NEW
> ACCEPT udp -- anywhere anywhere udp dpt:nfs
> ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:smtp state NEW
> ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:imap2 state NEW
> ACCEPT udp -- anywhere anywhere udp dpt:imap2
> ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:www state NEW
> ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:webcache state NEW
> ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:8008 state NEW
> ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:8000 state NEW
> ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:8888 state NEW
> ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpts:x11:6063 state NEW
> ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:10000 state NEW
> ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:pop3 state NEW
> ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:pop3s state NEW
> ACCEPT udp -- anywhere anywhere udp dpt:xdmcp
> ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:pop2 state NEW
> ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:ssh state NEW
> ACCEPT tcp -- anywhere anywhere tcp spts:0:1023 dpt:ssh state NEW
> logdrop all -- anywhere anywhere
>
> ... the other services work ... nmap (nmap -sT) returns the following
> results:
>
> 22/tcp open ssh
> 25/tcp open smtp
> 80/tcp open http
> 110/tcp open pop3
> 111/tcp open rpcbind
> 143/tcp open imap
> 443/tcp open https
> 1473/tcp closed openmath
> 5432/tcp open postgres
> 10000/tcp open snet-sensor-mgmt
>
> ... can anyone help me?
>
> thanks a lot
> Andrea
>
> ----------------------------------------------------------
>
> There's no honorable way to kill, no gentle way to destroy. There is nothing
> good in war. Except its ending.
>
> -- Abraham Lincoln, "The Savage Curtain", stardate 5906.5
>
> ----------------------------------------------------------
>
> tel +39 059 2055115
>
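The port opened in the reply, 32769, lies in the range the portmapper hands out dynamically to RPC helpers such as mountd and lockd, so the number can change after a reboot and a rule pinned to it quietly stops matching. As an added example that is not part of the thread, here is a POSIX shell function that reads `rpcinfo -p` output and emits one f2to1 ACCEPT rule per registered (protocol, port) pair; the rpcinfo listing is a constructed sample and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Generate f2to1 ACCEPT rules from the ports RPC services actually registered
# with the portmapper, instead of hard-coding one port such as 32769.

# Constructed sample of "rpcinfo -p" output (the ports above 32768 are the
# dynamically assigned ones that move between reboots).
SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100005    1   udp  32769  mountd
    100005    2   udp  32769  mountd
    100005    1   tcp  32769  mountd
    100021    1   udp  32770  nlockmgr
    100021    1   tcp  32771  nlockmgr
    100024    1   udp    891  status
    100024    1   tcp    894  status'

# rpc_rules CHAIN  (reads rpcinfo -p output on stdin)
# Prints one iptables rule per distinct (proto, port) pair; several program
# versions sharing a port yield a single rule. TCP rules carry the same
# "-m state --state NEW" match the thread uses, UDP rules do not. The
# redundant "--sport 0:65535" from the thread is left out. Nothing is applied.
rpc_rules() {
    awk -v chain="$1" '
        $3 == "tcp" || $3 == "udp" {          # also skips the header line
            key = $3 ":" $4
            if (seen[key]++) next
            if ($3 == "tcp")
                printf "iptables -A %s -p tcp --dport %s -m state --state NEW -j ACCEPT # %s\n", chain, $4, $5
            else
                printf "iptables -A %s -p udp --dport %s -j ACCEPT # %s\n", chain, $4, $5
        }'
}

# count_rules CHAIN: number of rules rpc_rules would emit for the input
count_rules() {
    rpc_rules "$1" | wc -l | tr -d ' '
}

# Stand-alone run on the constructed sample
printf '%s\n' "$SAMPLE_RPCINFO" | rpc_rules f2to1
```

Feed the real listing in with `rpcinfo -p | rpc_rules f2to1` and review the lines before applying them. The thread's other question, which rule stops a packet, is answered by the per-rule packet and byte counters shown by `iptables -L f2to1 -v -n`.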