# [solved] NFS locks (NLM) with paranoid iptables

## gagern

I've got two machines right next to each other. I want one of them to export directories to the other via NFS through an OpenVPN tunnel. One of the exported directories should be / to allow installing new packages on the server using "ROOT=/mnt/point emerge package". I've got iptables on the server that block almost everything except ssh and the OpenVPN packets.

So far everything works fine - I can establish the OpenVPN tunnel, mount the root directory of the server, and see files in it. But when I emerge something I get after some emerge messages:

```
IOError: [Errno 37] No locks available
```

From the client's log:

```
Feb 26 20:13:12 valhalla nfs warning: mount version older than kernel
Feb 26 20:13:36 valhalla rpc.statd[1617]: Received erroneous SM_UNMON request from valhalla for 192.168.51.3
```

where valhalla is the client's host name and 192.168.51.3 is the server's IP in the VPN.

From the server's log:

```
Feb 26 20:13:22 webtest rpc.mountd: authenticated mount request from valhalla.fs.tum.de:1021 for / (/)
Feb 26 20:13:45 webtest kernel: lockd: cannot monitor 192.168.51.1
```

where webtest is the server's host name, valhalla.fs.tum.de is the client's FQDN and 192.168.51.1 the client's IP in the VPN.

I've got NFSv3 configured in both kernels, so I suppose they should be using it.

I read some references on the net that this might be a problem with host names. The host name of the client according to "hostname" or "uname -n" was "valhalla", but changing it to the FQDN did not help. I also added a hosts line to the server to associate both those forms to the VPN IP of the client.

I suppose this has something to do with both machines having two possible ways of communicating and someone mixing those up.

I thought about using NFSv4, but right now I'm not too eager to set up kerberos just for this.

I thought about disabling locks, but this seems a bad idea to me, especially when portage is involved so I might seriously break something.

How do I get NFSv3 with locks working over a secure connection?

Last edited by gagern on Sun Feb 27, 2005 9:37 am; edited 1 time in total

----------

## gagern

OK, found the problem.

My iptables restricted access to rpc.statd on lo. Perhaps iptables on lo are too paranoid.

----------
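A check for the condition named in the solution above, as an added example that is not part of the original thread: it reads `iptables-save` output and reports whether a filter chain lets all loopback traffic through, which the kernel's lockd needs in order to reach the local rpc.statd. The ruleset, the `tun0` interface, port 1194 and the function names are constructed for illustration; the poster's actual rules are not shown on the page.

```shell
#!/bin/sh
# Added example (not from the thread). Reads `iptables-save` text on stdin and
# prints "open" or "blocked" for unrestricted loopback traffic in a filter chain.
lo_verdict() {
    awk -v chain="$1" '
        BEGIN { flag = (chain == "OUTPUT") ? "-o" : "-i"; verdict = "" }
        /^\*/ { in_filter = ($0 == "*filter") }
        !in_filter || verdict != "" { next }
        $1 == (":" chain) { policy = $2; next }
        $1 == "-A" && $2 == chain {
            # Blanket rule: nothing but an optional "<flag> lo" and a target.
            if (NF == 4 && $3 == "-j") target = $4
            else if (NF == 6 && $3 == flag && $4 == "lo" && $5 == "-j") target = $6
            else next   # narrower match (port, protocol, other interface)
            if (target == "ACCEPT") verdict = "open"
            else if (target == "DROP" || target == "REJECT") verdict = "blocked"
        }
        END {
            if (verdict == "") verdict = (policy == "ACCEPT") ? "open" : "blocked"
            print verdict
        }'
}

# Constructed sample: default-drop policy admitting only ssh, OpenVPN and the tunnel.
paranoid_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
COMMIT
EOF
}

# Same ruleset with loopback admitted first, so lockd can talk to rpc.statd.
fixed_rules() {
    paranoid_rules | awk '/^-A INPUT/ && !done { print "-A INPUT -i lo -j ACCEPT"; done = 1 } { print }'
}

echo "paranoid INPUT: $(paranoid_rules | lo_verdict INPUT)"
echo "fixed INPUT:    $(fixed_rules | lo_verdict INPUT)"
```

On a live host the same function can be fed with `iptables-save | lo_verdict INPUT` (and `OUTPUT`) run as root.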

