# nfs, ssh, and iptables

## The Doctor

I'm trying to turn my old computer into a file server. So far, it seems mostly successful, with a few major exceptions:

ssh isn't using public keys authentication

the firewall blocks ssh traffic

the firewall blocks nfs traffic

I would also like the system to fail gracefully if the server isn't online since this will probably be most of the time. Is there a simple way to accomplish this? Waiting for netmount to fail took about 2 minutes.

My ssh config on the server

```
X11Forwarding yes
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys
#HostbasedAuthentication no
#PasswordAuthentication no
#PermitEmptyPasswords no
AllowGroups wheel admin
SyslogFacility AUTH
LogLevel INFO
Subsystem       sftp    /usr/lib64/misc/sftp-server
AcceptEnv LANG LC_*
```

My firewall basically drops everything except what is allowed. I added these lines to allow ssh

```
iptables -A OUTPUT -p tcp --dport ssh -j ACCEPT
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
```

The complete script I use to configure iptables (shamelessly copied from the forums and slightly modified)

Looking at F12 it looks like the catchall FIREWALL is blocking it.

----------

## Ant P.

For netmount, you could have a cron @reboot job or /etc/local.d/ script start the service manually, which then wouldn't block other initscripts from starting up.

----------

## The Doctor

Thanks for the idea.

Unfortunately, it doesn't work in practice.

----------

## szatox

For ssh to use public key authentication you just need to

1) generate a pair of keys (using ssh-keygen)

2) append the public key to ~/.ssh/authorized_keys (this part happens on the server side, in $HOME of the user you want to log in as)

NFS is rather hard to get to work through a firewall since it chooses a random port for data transfer. At least it used to be this way. However, if you consider your network secure enough for NFS, you might consider more permissive rules. E.g. accept everything that comes from your LAN and block everything that comes from the world (unless you asked for it -> conntrack handles this well). You usually don't want to expose your NFS to the outside world anyway.

----------

## py-ro

Or use nfs >= Version 4, only one TCP Port, no Portmap.

----------

## Hu

I hope that script is only a reference for how you configured it.  You should never use a script that runs iptables repeatedly if you want to wipe and load an entire set of rules.  Instead, use iptables-restore to load the rules as a single operation.  Since you do not set -e, your script will blow past any failures and leave you with a misconfigured firewall if any of the commands fail.

```
iptables -A ICMP -j DROP
```

Why do you lump ICMP echo request in with state notification messages like host unreachable?

```
iptables -A INPUT ! -i lo -s 127.0.0.0/8 -j LOOPSPOOF
```

This is handled automatically if you have reverse path filtering enabled.

```
iptables -A INPUT -f -j BOGUS
```

Fragments are not always bogus.  Why are you dropping them?

```
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
```

Did you intend to offer ssh service to the world?

```
iptables -A OUTPUT -p icmp -j ICMP
```

This is just wrong.

```
iptables -A OUTPUT -p udp --dport 53 -d 8.8.8.8 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -d 8.8.8.8 -j ACCEPT
```

Repeating the rule does not increase its effect.

----------
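As an added example (not code posted by anyone in this thread), the kind of ruleset Hu's advice points at: the rules are emitted in iptables-save format and loaded with iptables-restore in a single operation instead of rule by rule, with szatox's LAN-only/conntrack approach and py-ro's NFSv4 single-port note built in. The LAN range, the ports and the helper names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Builds an iptables-restore ruleset that
# accepts new ssh and NFSv4 connections only from the LAN, lets conntrack admit
# replies to traffic this host asked for, and loads the whole set atomically.
set -eu

LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumption: change to your own LAN range
SSH_PORT=22
NFS4_PORT=2049                          # NFSv4 uses only this TCP port, no portmapper

# Emit the ruleset in iptables-save format. INPUT policy is DROP, so anything
# not explicitly accepted below is dropped; unsolicited inbound from outside
# the LAN never matches an ACCEPT.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -s $LAN_NET -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -s $LAN_NET -p tcp --dport $NFS4_PORT -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Sanity check 1: number of rule lines that occur more than once
# (a repeated rule adds nothing, as Hu notes about the duplicated DNS rule).
count_duplicate_rules() {
    build_ruleset | grep '^-A' | sort | uniq -d | wc -l | tr -d ' '
}

# Sanity check 2: number of ACCEPT rules that admit NEW connections without
# a source restriction, i.e. services offered to the whole world.
count_world_open_rules() {
    build_ruleset | grep '^-A INPUT' | grep -- '--ctstate NEW' \
        | grep -v -- '-s ' | grep -c 'ACCEPT' || true
}

# Parse-check first, then replace the filter table in one step; a failure
# leaves the previous rules in place rather than a half-applied set.
load_ruleset() {
    build_ruleset | iptables-restore --test
    build_ruleset | iptables-restore
}
```

Run `load_ruleset` as root once the two checks return 0; the ssh and NFS ACCEPT lines carry `-s $LAN_NET`, which is what keeps them off the world-open count.

----------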

## The Doctor

Thanks for the replies.

@szatox.

I do have the keys properly set up. Currently, authorized_keys is identical to my public key. This is partly why I'm finding the ssh problem to be so puzzling. As far as I can tell, it should be working with my configuration, but it isn't.

@Hu,

Yes, the script is purely for initial configuration and memory. Once the rules are set the iptables runscript takes care of the rest.

Thanks for the set -e. I was completely unaware that it existed.

I'm afraid I don't have any good answers to the whys of the firewall.  I have never been able to really get my head around iptables, so I end up 'borrowing' configurations that other people use. Part of the problem is that there doesn't seem to be any good documentation on the subject. About the only source I found is the Arch wiki. Does this look better? It seems to work perfectly as it allows both nfs and ssh.

As for offering ssh, I don't particularly mind if it is open on the local network since the router doesn't forward ssh.

----------

## Hu

That looks better.  You now accept effectively all unsolicited inbound connection attempts on TCP and UDP.  This is fine for systems that are meant to be public access or are meant to be protected by some other firewall.  It may be undesirable if you want to restrict offered services and have no other device handling that job for you.

----------

