Lokkit Firewall Management Problem, OK button doesn't apply changes
Post #1, cmcp (Members), Jul 29 2003, 04:42 PM

I am running RedHat 7.3 (server configuration) and initially set up the firewall at installation time to be High (allows no connections) except that I configured it to allow SSH. Now I want to change the firewall setting to Medium, so I have been using /usr/sbin/lokkit. I have tried to make the change to Medium and keep the firewall customized to allow SSH connections, but when I click OK to apply the changed settings to the firewall, they are not applied. I can click OK, then immediately reopen the lokkit utility and I can see that the old settings still exist. Is there a way to fix this problem or a better utility that you recommend to configure the firewall? Thank you in advance for your help.
Post #2, Joey (LinuxHelp Admin), Jul 29 2003, 04:53 PM

Drop the whole redhat firewall thing and download the IPTables script from our guides page. You can then configure this to allow exactly what you want and what you don't. It takes longer to set up but it's worth it in the end.
Post #3, cmcp (Members), Jul 29 2003, 05:48 PM

I would definitely like to do that, and I have downloaded the script and looked at it. The reason that I want to relax the firewall is that right now, NFS does not work because the clients' firewalls are too strict. I would use the script, but I don't know how to configure it to allow NFS. If anybody can tell me how to configure the IPTables script (from linuxhelp's guides page) to allow NFS, I would appreciate it very much.

If you don't know how to configure the script but have any other ideas of how I might modify the firewall to allow NFS, I would be very thankful if you would mention them too.
Post #4, Joey (LinuxHelp Admin), Jul 29 2003, 06:40 PM

My buddy Tarence is good with NFS. I'll try and track him down and get him to help you.
Post #5, cmcp (Members), Jul 30 2003, 02:42 AM

Thanks so much for your effort man, I really appreciate it.
Post #6, xIIx (Support Specialist), Jul 30 2003, 09:25 AM

QUOTE (cmcp @ Jul 29 2003, 05:48 PM)
I would definitely like to do that, and I have downloaded the script and looked at it. The reason that I want to relax the firewall is that right now, NFS does not work because the clients' firewalls are too strict. I would use the script, but I don't know how to configure it to allow NFS. If anybody can tell me how to configure the IPTables script (from linuxhelp's guides page) to allow NFS, I would appreciate it very much.

If you don't know how to configure the script but have any other ideas of how I might modify the firewall to allow NFS, I would be very thankful if you would mention them too.

You mentioned client firewalls? The clients connecting to your NFS server have firewalls? Are all of the machines trying to connect to your NFS server on your LAN, and on the same subnet? If so, this line in iptables would help:

$IPT -A INPUT -s yourclientsipaddress -d 0/0 -p all -j ACCEPT

If it's an external box then:

$IPT -A INPUT -i $INT -s 0/0 -d 0/0 -p tcp --dport 111 -j ACCEPT

You will need two other lines just like that dport line with the other dports set to 2049-3049. Try adding that to your iptables ruleset. NFS uses a wide range of ports.
Post #7, cmcp (Members), Jul 30 2003, 03:03 PM

Yes, both the server and clients have pretty secure firewalls. All of the clients are on a private network and the server is on that same network. I tried adding $IPT -A INPUT -s yourclientsipaddress -d 0/0 -p all -j ACCEPT (although I did put the client's IP where it belongs) to the script and I still get the error 'mount: RPC: Port mapper failure - RPC: Unable to receive'. I couldn't tell if I need to add other lines for the dports you mention even though the clients are on the same network as the server -- do I? Also, when you said two other lines for dports 2049-3049, do you mean I need two lines as follows:
$IPT -A INPUT -i $INT -s 0/0 -d 0/0 -p tcp --dport 2049 -j ACCEPT
$IPT -A INPUT -i $INT -s 0/0 -d 0/0 -p tcp --dport 2049 -j ACCEPT?

One other thing: as I said, the NFS server has a strict firewall too. Could that also cause problems for NFS or is this just a problem with the clients' firewalls making them unable to receive? Thanks so much for your help.
Post #8, cmcp (Members), Jul 31 2003, 07:04 PM

Sorry, that last line should have had 3049 and not 2049.

OK, so I've experimented a little with an NFS client after flushing its IPTables (firewall) rules, and I no longer get the error that reads 'mount: RPC: Port mapper failure - RPC: Unable to receive'. Now, the client hangs at the prompt screen for a while after I try to mount a directory on the server and eventually gives a similar error that reads 'RPC: Timed out' instead of 'Unable to receive'. In my experience, time outs often have to do with a server-side problem, so I'm wondering now whether something about the server's firewall needs to be changed. For some reference info, the server's firewall is set to High and customized to allow only SSH (based on lokkit).

Here is the result of an rpcinfo -p call to the server:
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp   1024  status
    100024    1   tcp   1024  status
    391002    2   tcp   1026  sgi_fam
    100011    1   udp    632  rquotad
    100011    2   udp    632  rquotad
    100011    1   tcp    635  rquotad
    100011    2   tcp    635  rquotad
    100005    1   udp   1028  mountd
    100005    1   tcp   1027  mountd
    100005    2   udp   1028  mountd
    100005    2   tcp   1027  mountd
    100005    3   udp   1028  mountd
    100005    3   tcp   1027  mountd
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100021    1   udp   1029  nlockmgr
    100021    3   udp   1029  nlockmgr
    100021    4   udp   1029  nlockmgr

xIIx mentioned that I need dports 2049 and 3049 open, but I only see two NFS entries for 2049. Should this be changed somehow for the NFS server? If so, can you describe how to make the changes? Also, I might be totally off the mark about this time out error being server-side, so if anybody has other suggestions, I would greatly appreciate them. Thanks so much for everyone's help.