Pario TechnoBlob
msgbartop
A cronological documentation test project, nothing serious, really!
msgbarbottom

15 Jan 2008 Allow NFS through iptables on a RedHat system

This post describes how you can configure your RedHat Enterprise WS 4 NFS system behind a iptables firewall to be available for clients outside the firewall on a permanent basis.

Symptom
NFS relies on portmap to assign the ports on which it will listen. One side effect of this is that the ports are randomly assigned, so each time NFS is restarted the ports will change. This can make it difficult to run an NFS server behind a firewall which only allows access to specific ports on the system.

Solution
The first step is to assign a permanent port number to each of the NFS services (rquotad, mountd, statd, and lockd). While they can use any unused ports greater than 1024, it is recommended that you first consult the file /etc/services to find a valid unused port range. The following examples use the range 10000-10005.

The majority of the ports are configured through the file /etc/sysconfig/nfs. You will need to create this file if it does not exist. It should look similar to the following example:

# NFS port numbers
STATD_PORT=10002
STATD_OUTGOING_PORT=10003
MOUNTD_PORT=10004
RQUOTAD_PORT=10005

The lockd service is configured differently from the others because it is compiled as a kernel module. To set the port which lockd uses, add these options in the /etc/sysconfig/nfs file:

LOCKD_UDPPORT=30001
LOCKD_TCPPORT=30001

where “30001″ can be replaced with any port that is available and can be assigned for use.

After these configuration changes, you can view the port assignments with the command rpcinfo -p 

# rpcinfo -p | awk -F " " '{print $3 ", " $4 ", " $5}' | sort | uniq
   proto, port,
tcp, 111, portmapper
tcp, 2049, nfs
tcp, 32771, nlockmgr
tcp, 800, rquotad
tcp, 814, mountd
udp, 111, portmapper
udp, 2049, nfs
udp, 32768, nlockmgr
udp, 797, rquotad
udp, 811, mountd

At this point, the ports will remain the same when NFS is restarted. The following is a list of ports which need to be opened on the firewall:

proto, port,
tcp, 10004, mountd
tcp, 10005, rquotad
tcp, 111, portmapper
tcp, 2049, nfs
tcp, 32771, nlockmgr
udp, 10004, mountd
udp, 10005, rquotad
udp, 111, portmapper
udp, 2049, nfs
udp, 32768, nlockmgr

You can now open these ports on the firewall to allow remote clients to mount a share on the server. If you are using iptables, the following commands can be used to add inbound/outbound rules to allow access to these ports.
Note that this is only an example, as your specific firewall rules may differ.
This is an excerp of my /etc/sysconfig/iptables file. It allows NFS connections from IP address 192.168.0.10 but doesn’t restrict traffic out.

-A RH-Firewall-1-INPUT -s 192.168.0.10 -p tcp -m tcp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.0.10 -p udp -m udp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.0.10  -p tcp -m tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.0.10 -p udp -m udp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.0.10 -p tcp -m tcp --dport 10000 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.0.10 -p udp -m udp --dport 10001 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.0.10 -p tcp -m tcp --dport 10002:10005 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.0.10 -p udp -m udp --dport 10002:10005 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -p tcp -m tcp -j LOG --log-prefix "Reject Traffic " --log-level 6
-A RH-Firewall-1-INPUT -i eth0 -p tcp -m tcp -j REJECT --reject-with icmp-port-unreachable

This post is a modified example of the solution from RedHat Knowledgebase Article ID 5928.

Tags: , , ,

Posted by

Filed in Linux, Network, Security with 0 Comments

20 Dec 2007 Limit ssh access by MAC-address using iptables

This is a simple iptables rule to allow ssh access to a specific MAC-address

iptables -A INPUT -p tcp --destination-port 22 -m mac --mac-source XX:XX:XX:XX:XX:XX -j ACCEPT

This is a nice rule to allow only your laptop ssh access on your servers no matter what IP-address you may have while you are on the road. You do offcourse need to replace XX:XX:XX:XX:XX:XX with your actual MAC-address.

After allowing this rule you should keep an eye on your laptop :)

Tags: ,

Posted by

Filed in Linux, Network with 0 Comments

20 Dec 2007 Allow NFS through iptables

This is one way to determine the ports needed to open in your iptables rules to get NFS to work properly. First we need to determine the ports NFS uses

rpcinfo -p | awk -F " " '{print $3 ", " $4 ", " $5}' | sort | uniq

Notice!
Since portmap assigns ports on random this example is only valid as long as you don’t restart your NFS.

On my system, a RedHat Enterprise Linux WS 4, the result was

proto, port,
tcp, 111, portmapper
tcp, 2049, nfs
tcp, 32771, nlockmgr
tcp, 768, rquotad
tcp, 782, mountd
udp, 111, portmapper
udp, 2049, nfs
udp, 32768, nlockmgr
udp, 765, rquotad
udp, 779, mountd

This gave me a nice overview of protocols (tcp/udp) and ports used.

Now the rules

iptables -A RH-Firewall-1-INPUT -s 192.168.0.0/255.255.255.0 -i eth0 -p tcp -m state --state NEW -m multiport --dports 111,2049,32771,768,782 -j ACCEPT
iptables -A RH-Firewall-1-INPUT -s 192.168.0.0/255.255.255.0 -i eth0 -p udp -m state --state NEW -m multiport --dports 111,2049,32768,765,779 -j ACCEPT

You see that the multiport statement is just like the result of my rpcinfo command above.

Remember to save your new rules, othervise they will disappear the next time the iptables rules are being loaded.

In addition to this rule you should add the iptables rule for ssh access I wrote about earlier.

Another way to determine the ports

nmap -sC -p 111 localhost

Notice!
This solution won’t work after a reboot of the server since NFS changes ports. One way to overcome this problem is to follow the instructions in a newer post I’ve made about RedHat and NFS.

Tags: , , , ,

Posted by

Filed in Linux, Network, Security with 0 Comments

05 Sep 2007 Port Knocking

What is Port Knocking?

Port knocking is a method by which you can dynamically open ports on your server to a single IP address. Port knocking allows you to transparently run a service on your server without exposing the services of that port to all IP addresses.

In practice, it is very similar to having a whitelist of IP addresses which are allowed to access your server. The advantage of this setup is that you can grant the machine you are using access to the ports on your server dynamically without having to reconfigure your firewall or access list.
(more…)

Tags: ,

Posted by

Filed in Linux, Security with 0 Comments

08 May 2007 SSH Dictionary Attack Prevention with iptables

It is ideal to slow down the SSH dictionary attack when the infested host started to brute force the SSH authentication. There are many scripts/user-land daemons that perform monitoring and blocking. I prefer to use something that has less demand in memory/CPU usage. IPTables module provides a kernel level solution with little overhead.
(more…)

Tags: , , ,

Posted by

Filed in Linux, Scripting, Security with 0 Comments
« Previous Posts
Next Posts »
sidebartop

Tags

Apache apt-get awk backup basename bash CentOS convert csv Database dd Debian Etch EXIF Fedora find Gentoo grep howto html imagemagick iptables iso jhead JPG mount MySQL Nikon nmap perl PHP Postfix RedHat rhel5 rpm sed sftp SMTP sort ssh Ubuntu VMware Wordpress xargs Zimbra
sidebarbottom
sidebartop

Categories

sidebarbottom
sidebartop

Recent Comments

sidebarbottom
sidebartop

Meta

sidebarbottom
© Pario TechnoBlob / Design: Smashing Wordpress Themes