# [SOLVED] added iptables to nfs server: can't mount anymore

## jody

Hi

After adding iptables to my nfs server (hoping to make it safer), I can't mount network drives from there anymore.

Currently, the iptables for the nfs server look like this:

```
$ sudo iptables -L
Password: 
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       tcp  --  anywhere             anywhere             tcp dpt:1947
DROP       tcp  --  anywhere             anywhere             tcp dpt:5357
DROP       tcp  --  anywhere             anywhere             tcp dpt:34909
DROP       tcp  --  anywhere             anywhere             tcp dpt:45222
DROP       tcp  --  anywhere             anywhere             tcp dpt:45365
DROP       tcp  --  anywhere             anywhere             tcp dpt:49156
DROP       tcp  --  anywhere             anywhere             tcp dpt:51864
DROP       tcp  --  anywhere             anywhere             tcp dpt:56418
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8000
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:nfs
ACCEPT     tcp  --  net-XXXXX            anywhere             state NEW multiport dports sunrpc,892,nfs,32803
ACCEPT     udp  --  net-XXXXX            anywhere             state NEW multiport dports sunrpc,892,nfs,32769
ACCEPT     tcp  --  net-XXXXX            anywhere             state NEW multiport dports ftp-data,ftp
ACCEPT     udp  --  net-XXXXX            anywhere             state NEW multiport dports ftp-data,ftp
ACCEPT     tcp  --  net-YYYYY            anywhere             state NEW multiport dports ftp-data,ftp
ACCEPT     udp  --  net-YYYYY            anywhere             state NEW multiport dports ftp-data,ftp
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:875
ACCEPT     udp  --  anywhere             anywhere             state NEW udp dpt:875
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:662
ACCEPT     udp  --  anywhere             anywhere             state NEW udp dpt:662
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:8090
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
```

(XXXXX and YYYYY are two IP ranges; my client machine's IP address is in the range XXXXX)

As far as I can tell, port 2049 (nfs) is open on the nfsserver; I get a connection when I use telnet:

```
$ telnet nfsserver 2049
Trying XXX.XXX.XXX.XXX...
Connected to nfsserver.
Escape character is '^]'.
```

When I do a `sudo mount -v -t nfs nfsserver:/data/jw_simulations localdata/` on the client machine, I get

```
mount.nfs: timeout set for Mon Apr 25 18:10:25 2016
mount.nfs: trying text-based options 'vers=4,addr=XXX.XXX.XXX.XXX,clientaddr=YYY.YYY.YYY.YYY'
mount.nfs: mount(2): Protocol not supported
mount.nfs: trying text-based options 'addr=XXX.XXX.XXX.XXX'
mount.nfs: prog 100003, trying vers=3, prot=6
mount.nfs: trying XXX.XXX.XXX.XXX prog 100003 vers 3 prot TCP port 2049
mount.nfs: prog 100005, trying vers=3, prot=17
mount.nfs: trying XXX.XXX.XXX.XXX prog 100005 vers 3 prot UDP port 33098
mount.nfs: portmap query retrying: RPC: Unable to receive - No route to host
mount.nfs: prog 100005, trying vers=3, prot=6
mount.nfs: trying XXX.XXX.XXX.XXX prog 100005 vers 3 prot TCP port 45637
mount.nfs: portmap query failed: RPC: Remote system error - No route to host
mount.nfs: trying text-based options 'vers=4,addr=XXX.XXX.XXX.XXX,clientaddr=YYY.YYY.YYY.YYY'
...
```

(this block of output is repeated 'endlessly')

I have the same services running on the nfsserver as before (mounting worked before I added the iptables rules):

```
$ /etc/init.d/nfs status
 * status: started
$ /etc/init.d/rpcbind status
 * status: started
$ /etc/init.d/rpc.statd status
 * status: started
```

Any ideas what might be the problem here?

Thank You

jody

Last edited by jody on Tue Apr 26, 2016 4:14 pm; edited 1 time in total

----------

## szatox

Well, you clearly have made it safer.

Which NFS version do you use? AFAIR NFS3 uses random ports. No idea about NFS4.

Have you tried sniffing network traffic at either of those machines? Perhaps it would let you spot a connection that doesn't get fully initiated.

Also, why set a rule like

```
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
```

when you can just set policy to reject?

----------

## jody

By removing the rule

```
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
```

the remote drives could be mounted again.

I copied the rules for my nfs server from a different server with a different OS - I must admit I don't know what this rule is for....
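The mount log above shows what szatox's remark about NFSv3 and random ports means in practice: `nfs` on 2049 answers, but `mountd` (program 100005) is being offered by rpcbind on ports 33098/udp and 45637/tcp, which no ACCEPT rule covers, so the final REJECT rule answers with icmp-host-prohibited ("No route to host"). Removing that REJECT rule makes the mount work by letting every unlisted port through. The following script is an added example, not code from either poster: it reads `rpcinfo -p` output and lists every registered RPC service whose port is outside the set the firewall allows, so a server can be checked before the firewall is loosened. The allowed port list is taken from the rules shown in the thread (sunrpc, nfs, 892, 875, 662, 32803/tcp, 32769/udp); the `rpcinfo -p` sample is constructed for the example and is not output from the server in the thread.

```shell
#!/bin/sh
# Added example: cross-check the RPC services registered with rpcbind against
# the ports a firewall allows, so services on rpcbind-assigned random ports
# show up before anyone reaches for the REJECT rule.

# Ports the rules in the thread allow for NFSv3 from the client subnet:
# sunrpc (111), nfs (2049), mountd (892), rquotad (875), statd (662),
# lockd (32803/tcp and 32769/udp).
ALLOWED_TCP="111 2049 892 875 662 32803"
ALLOWED_UDP="111 2049 892 875 662 32769"

# Constructed sample of `rpcinfo -p` output (not taken from the thread) for a
# server where mountd, statd and lockd were left on rpcbind-assigned ports.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100003    3   tcp   2049  nfs
    100003    3   udp   2049  nfs
    100005    3   udp  33098  mountd
    100005    3   tcp  45637  mountd
    100024    1   udp  39217  status
    100024    1   tcp  52433  status
    100021    3   udp  47102  nlockmgr
    100021    3   tcp  40865  nlockmgr'

# Reads rpcinfo -p output on stdin and prints "service proto port" for every
# registered service whose port is not in the allowed list for that protocol.
# A service registered with several versions is reported once per protocol.
unreachable_rpc_ports() {
    awk -v tcp="$ALLOWED_TCP" -v udp="$ALLOWED_UDP" '
    BEGIN {
        n = split(tcp, a, " "); for (i = 1; i <= n; i++) ok["tcp", a[i]] = 1
        n = split(udp, a, " "); for (i = 1; i <= n; i++) ok["udp", a[i]] = 1
    }
    # Skip the header line and anything that does not look like a table row.
    $1 ~ /^[0-9]+$/ && NF >= 5 {
        if (!(($3, $4) in ok) && !(($5, $3) in seen)) {
            seen[$5, $3] = 1
            print $5, $3, $4
        }
    }'
}

# Exit status 0 when every registered RPC service is reachable through the
# allowed ports, 1 otherwise; usable as a pre-flight check before loading
# a rule set that ends in REJECT.
check_rpc_reachable() {
    [ -z "$(unreachable_rpc_ports)" ]
}

# Demonstration on the constructed sample. On a live server replace the
# printf with:  rpcinfo -p | unreachable_rpc_ports
printf '%s\n' "$SAMPLE_RPCINFO" | unreachable_rpc_ports
```

On the constructed sample the script reports mountd, status and nlockmgr on both protocols, which is exactly the set of daemons the thread's firewall cannot see. The fix that keeps the REJECT rule is to pin those daemons to the ports already opened in the rules (`rpc.mountd -p 892`, `rpc.statd -p 662`, and the kernel lockd module parameters `nlm_tcpport=32803` and `nlm_udpport=32769`; where those options are set depends on the distribution's NFS service configuration) and then confirm with `rpcinfo -p | check_rpc_reachable` that nothing is left on a random port.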

----------

