Shorewall configuration


Guest fabsah

Hi !

 

My server is running Mandrake 9.0 and shares internet access across my LAN.

 

eth0 connects the server to the net (cable modem)

eth1 connects to a Dlink switch to the LAN

 

The computers on the LAN (running Debian testing) can ping each other and the internet sharing works perfectly (IPs are given by DHCP). Shorewall is installed on the server.

 

The problem is when I try to set up NFS file sharing. I've set up several directories to be shared from the server. Whenever Shorewall is running, I can't mount the NFS directories from the client. Once I stop shorewall, everything works like a charm.

 

I've tried to configure /etc/shorewall/rules by hand, but unfortunately, I couldn't get good results. Here it is:

 

##############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# PORT PORT(S) DEST
ACCEPT net fw udp 631,5080,111,25 -
ACCEPT net fw tcp 22,25,631,111,11111,5080,11112,11113 -
ACCEPT masq fw udp 631,5080,111,25 -
ACCEPT masq fw tcp 22,25,631,111,11111,5080,11112,11113 -
ACCEPT loc fw udp 631,5080,111,25 -
ACCEPT loc fw tcp 22,25,631,111,11111,5080,11112,11113 -
ACCEPT masq fw tcp domain,bootps,http,https,631,imap,pop3,smtp,nntp,ntp -
ACCEPT masq fw udp domain,bootps,http,https,631,imap,pop3,smtp,nntp,ntp -
ACCEPT fw masq tcp 631,137,138,139 -
ACCEPT fw masq udp 631,137,138,139 -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

 

------

 

This config file should grant access from loc (the LAN) to fw (the server) on ports 22,25,631,111,11111,5080,11112,11113. Or do I get it wrong?

 

Do I have to edit some other file?

 

The easiest would be to disable firewalling on eth1 and keep internet sharing. Is it a valuable solution? How can I do that?

 

(After modifying /etc/shorewall/rules, I've restarted shorewall :-))

 

I also have the same problem when I try to access postfix on the server (port 25) from the LAN.

Connection refused.

 

Thank you very much for your attention and maybe your help :)

 

fabsah


Your shorewall config IS ok but you are not including the NFS ports!

 

I would include port 2049 in the following lines and restart shorewall (check /etc/services for more details about which service uses which ports).

 

ACCEPT masq fw udp

ACCEPT masq fw tcp

ACCEPT loc fw udp

ACCEPT loc fw tcp

 

Do you really need ports 111,11111,5080,11112,11113? What are they for?

 

Hope that helps

 

MOttS


Hi !

 

First, thank you for your answer, I feel less lonely now :)

 

I've modified /etc/shorewall/rules the way you suggested. Here's how it looks now:

 

##############################################################################

#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL

# PORT PORT(S) DEST

ACCEPT net fw udp 631,5080,111,25 -

ACCEPT net fw tcp 22,25,631,111,11111,5080,11112,11113 -

ACCEPT masq fw udp 631,2049,5080,111,25 -

ACCEPT masq fw tcp 22,25,631,111,2049,11111,5080,11112,11113 -

ACCEPT loc fw udp 631,2049,5080,111,25 -

ACCEPT loc fw tcp 22,25,631,111,2049,11111,5080,11112,11113 -

#ACCEPT loc loc tcp 22,25,631,111,2049,11111,5080,11112,11113 -

ACCEPT masq fw tcp domain,bootps,http,https,631,imap,pop3,smtp,nntp,ntp,2049 -

ACCEPT masq fw udp domain,bootps,http,https,631,imap,pop3,smtp,nntp,ntp,2049 -

ACCEPT fw masq tcp 631,137,138,139 -

ACCEPT fw masq udp 631,137,138,139 -

#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

 

----------------------------------

 

Still, it doesn't work. Here's what I get from the client side:

 

root@dell:/home/fabsah# mount 192.168.1.1:/local/downloads /home/fabsah/downloads-athlon/

mount: RPC: Unable to receive; errno = Connection refused

 

Also, here's what I get when I run service shorewall restart on the server:

 

- (root) - [/etc/shorewall] ->service shorewall restart

Processing /etc/shorewall/shorewall.conf ...

Processing /etc/shorewall/params ...

Restarting Shorewall...

Loading Modules...

Initializing...

Determining Zones...

Zones: net masq loc

Validating interfaces file...

Validating hosts file...

Validating Policy file...

Determining Hosts in Zones...

Net Zone: eth0:0.0.0.0/0

Warning: Zone masq is empty

Local Zone: eth1:0.0.0.0/0

Deleting user chains...

Creating input Chains...

Configuring Proxy ARP

Setting up NAT...

Adding Common Rules

Adding rules for DHCP

IP Forwarding Enabled

Processing /etc/shorewall/tunnels...

Processing /etc/shorewall/rules...

Rule "ACCEPT net fw udp 631,5080,111,25 -" added.

Rule "ACCEPT net fw tcp 22,25,631,111,11111,5080,11112,11113 -" added.

Rule "ACCEPT masq fw udp 631,2049,5080,111,25 -" added.

Rule "ACCEPT masq fw tcp 22,25,631,111,2049,11111,5080,11112,11113 -" added.

Rule "ACCEPT loc fw udp 631,2049,5080,111,25 -" added.

Rule "ACCEPT loc fw tcp 22,25,631,111,2049,11111,5080,11112,11113 -" added.

Rule "ACCEPT masq fw tcp domain,bootps,http,https,631,imap,pop3,smtp,nntp,ntp,2049 -" added.

Rule "ACCEPT masq fw udp domain,bootps,http,https,631,imap,pop3,smtp,nntp,ntp,2049 -" added.

Rule "ACCEPT fw masq tcp 631,137,138,139 -" added.

Rule "ACCEPT fw masq udp 631,137,138,139 -" added.

Setting up ICMP Echo handling...

Processing /etc/shorewall/policy...

Policy ACCEPT for fw to net using chain fw2net

Policy REJECT for fw to masq using chain all2all

Policy DROP for net to fw using chain net2all

Policy REJECT for masq to fw using chain all2all

Policy ACCEPT for masq to net using chain masq2net

Policy REJECT for loc to fw using chain all2all

Policy ACCEPT for loc to net using chain loc2net

Masqueraded Subnets and Hosts:

To 0.0.0.0/0 from 192.168.1.0/255.255.255.0 through eth0

Processing /etc/shorewall/tos...

Rule "all all tcp - ssh 16" added.

Rule "all all tcp ssh - 16" added.

Rule "all all tcp - ftp 16" added.

Rule "all all tcp ftp - 16" added.

Rule "all all tcp ftp-data - 8" added.

Rule "all all tcp - ftp-data 8" added.

Activating Rules...

Shorewall Restarted

 

any idea?

 

thank you!

 

fabsah

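An added example for checking the rules file posted above (this is not Shorewall's code and not from any post in the thread): it parses the Shorewall 1.x rules format, lists which (protocol, port) pairs are ACCEPTed from one zone to another, and compares them with the fixed ports an NFSv2/v3 server needs. Two facts worth knowing when reading the result: portmapper (111) and nfsd (2049) are fixed, but mountd, lockd and statd get their ports dynamically from portmapper unless the server pins them, and Shorewall's REJECT policy answers with a refusal rather than silence, which is what "RPC: Unable to receive; errno = Connection refused" on the client looks like when the mount client reaches a port no static rule covers.

```python
# Added example for this thread (not Shorewall's code and not from the posts):
# parse a Shorewall 1.x /etc/shorewall/rules file, list the (proto, port)
# pairs ACCEPTed from one zone to another, and check the fixed ports an
# NFSv2/v3 server needs. RULES is the second rules file fabsah posted.
RULES = """\
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# PORT PORT(S) DEST
ACCEPT net fw udp 631,5080,111,25 -
ACCEPT net fw tcp 22,25,631,111,11111,5080,11112,11113 -
ACCEPT masq fw udp 631,2049,5080,111,25 -
ACCEPT masq fw tcp 22,25,631,111,2049,11111,5080,11112,11113 -
ACCEPT loc fw udp 631,2049,5080,111,25 -
ACCEPT loc fw tcp 22,25,631,111,2049,11111,5080,11112,11113 -
ACCEPT masq fw tcp domain,bootps,http,https,631,imap,pop3,smtp,nntp,ntp,2049 -
ACCEPT masq fw udp domain,bootps,http,https,631,imap,pop3,smtp,nntp,ntp,2049 -
ACCEPT fw masq tcp 631,137,138,139 -
ACCEPT fw masq udp 631,137,138,139 -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
"""

# Service names Shorewall would resolve through /etc/services (IANA numbers).
SERVICES = {"domain": 53, "bootps": 67, "http": 80, "https": 443, "imap": 143,
            "pop3": 110, "smtp": 25, "nntp": 119, "ntp": 123}

# Fixed ports of an NFSv2/v3 server: portmapper (111) and nfsd (2049), both
# TCP and UDP. mountd, lockd and statd get dynamic ports from portmapper
# unless the server pins them, so a static port list cannot cover them.
NFS_FIXED = {("tcp", 111), ("udp", 111), ("tcp", 2049), ("udp", 2049)}


def accepted_ports(rules, source, dest):
    """Return the set of (proto, port) that ACCEPT rules open source -> dest."""
    opened = set()
    for line in rules.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "ACCEPT":
            continue  # comments, blank lines and other actions
        _, src, dst, proto, ports = fields[:5]
        if src != source or dst != dest or ports == "-":
            continue
        for name in ports.split(","):
            port = int(name) if name.isdigit() else SERVICES[name]
            opened.add((proto, port))
    return opened


def nfs_gaps(rules, source):
    """Fixed NFS ports still closed from `source` to the firewall, sorted."""
    return sorted(NFS_FIXED - accepted_ports(rules, source, "fw"))
```

With this file, nfs_gaps(RULES, "loc") is empty, so the fixed ports are open from the LAN zone the restart log places eth1 in; what remains uncovered is the dynamic mountd port, which also explains why an already mounted share kept working after the restart (nfsd on 2049) while umount, which talks to mountd, failed.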

I've seen that port 22 is opened from your LAN and from the net. Are you able to open an SSH session from your LAN to your server? If yes then port 22 is opened in the right manner. You opened port 2049 in the same manner as port 22, so if you can't connect to your NFS server, it must be a problem with the server, not shorewall.

 

Are you sure nfs is running on the server? 'service nfs status'

 

If not start it 'service nfs start'

 

To make sure it's not Shorewall's fault, add the following to /etc/shorewall/routestopped and stop shorewall (service shorewall stop)

 

eth0 -

eth1 -

 

Now try to connect to your nfs server. If you still can't connect to it then it is the nfs server's fault. Remove the stuff you put in routestopped and restart shorewall. Check your nfs server config.

 

MOttS


Once I had modified routestopped the way you suggested and stopped shorewall, NFS mounting worked fine from the client.

 

I then started shorewall again, and the mounted directories were still available from the client.

 

But when I tried to umount those dirs from the client, it failed and they weren't available anymore.

 

To answer your question, I'm able to access my SSH server on the server, but it's not on port 22, it's on 11112.

 

Maybe I should try to set the NFS server to a non standard port. But I can't find the way to do it.

 

Thus, IT SHOULD WORK this way, as you noted earlier. I think there's certainly another file I have to tweak. But which one???

 

Thank you again!

 

fabsah


Ok. So far we are sure that it is Shorewall's fault.

 

What about opening the MCC on your server, going to 'security' and then 'firewall'. Click the NFS button and press 'OK'. Back up your /etc/shorewall/rules before!!! That should allow the NFS server to be accessible from the net and from the LAN. Test it now.

 

You could also (another possible solution here) disable the firewall on your LAN... but I don't like that solution. You can do it by adding the following to /etc/shorewall/policy

 

masq loc ACCEPT

masq fw ACCEPT

 

Now restart shorewall and see what is going on. If nfs works, go to

 

https://grc.com/x/ne.dll?bh0bkyd2

http://security.symantec.com/ssc/home.asp?...CVGZBZTVOGXFSTZ

http://www.mycgiserver.com/servlet/kalish.Security

 

to test your security, since I've never tried that and don't know if it is secure to do that...

 

MOttS


In MCC, I don't have any NFS check box (like the one I get for ftp, smtp, ssh, etc.).

 

I modified policy the way you instructed but it didn't give better results. I don't understand, really. I'm passing the argument for port 2049 just like for 11112 and 11113 (which are working properly this way. I can even SSH to my server from anywhere in the world on that port).

 

I think that for now I'd better try to move on and set up a simple ftp server to access my files on the server. That's not as convenient as NFS, but as I've read, it's way more secure. But I'm not giving up the NFS option, I'll stick back to it when I'm more skilled and my Linux knowledge has improved.

 

I really want to thank you again for your support, btw.

 

See you!

 

fabsah


hey ... SSH is also an FTP server. You can SFTP (Secured FTP) to your server with the following command (this is what I'm using to transfer files from and to my server)

 

sftp user@serverIP

 

For me it's 'sftp gd@192.168.1.1'. Then you are prompted for your user password and BAM .. you can 'put' and 'get' files from your server (type 'help' for all the commands). If you want to access your server from Windows use that exe.

 

http://the.earth.li/~sgtatham/putty/latest...t/x86/psftp.exe

 

This is what I'm using when I'm on a win machine on my LAN. You have to double-click the executable and open a session .... just like an ordinary command line ftp utility.

 

open serverIP

 

Then you enter your login name and password and you are on your server from a win machine... as simple as that.

 

SFTP works on port 22 so if you can SSH to your server you'll be able to SFTP.

 

Finally, this is A LOT MORE SECURE than nfs since the login, the password and the files are all encrypted...

 

Hope that one helps...

 

MOttS


I don't get why putting

 

masq loc ACCEPT

masq fw ACCEPT

 

in /etc/shorewall/policy doesn't work....

 

READ the file (policy) carefully and write the policy according to your network config...

 

That is supposed to work really...

 

Did you write the 2 lines at the beginning or at the end of the file? Look at that (from www.shorewall.net )

 

The firewall script processes the /etc/shorewall/policy file from top to bottom and uses the first applicable policy that it finds. For example, in the following policy file, the policy for (loc, loc) connections would be ACCEPT as specified in the first entry even though the third entry in the file specifies REJECT.

 

MOttS


Ok, SFTP is working beautifully and it'll do the trick for now, I think :-)

 

I've been using SSH for several weeks now and didn't even know there was a secured ftp built in!

 

Now, I'm using SSH to connect to my server for my mail (thankfully, all my mail setup is text based) and sftp to exchange files. Life is good :)

 

Bye!

 

fabsah


I did some tests, and just putting

 

masq loc ACCEPT

masq fw ACCEPT

 

in the policy file doesn't help much. You also have to add

 

fw masq ACCEPT

 

But since 'loc' doesn't mean much on a Mandrake system with ICS enabled, RETRY with the following in /etc/shorewall/policy

 

masq fw ACCEPT

fw masq ACCEPT

 

Put those lines at the beginning of the file!!! .. and don't forget to restart the firewall

 

That should allow traffic to be opened between the firewall and your local network.

 

MOttS

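An added example (not Shorewall's own code and not from any post) showing the first-match behaviour quoted from shorewall.net earlier in the thread and why MOttS's last post insists the two policy lines go at the beginning of the file. The base policy file is constructed from the "Policy ... for X to Y" lines in fabsah's restart log, since the actual file is not in the thread; the two added lines are the ones from the last post.

```python
# Added example for this thread (not Shorewall's code): Shorewall reads
# /etc/shorewall/policy top to bottom and applies the FIRST entry whose
# SOURCE and DEST match, with "all" acting as a wildcard. BASE_POLICY is
# constructed from the "Policy ... for X to Y" lines in fabsah's restart
# log; the exact original file is not in the thread.
BASE_POLICY = """\
#SOURCE DEST POLICY LOG LEVEL
loc  net  ACCEPT
masq net  ACCEPT
fw   net  ACCEPT
net  all  DROP   info
all  all  REJECT info
"""

# The two lines MOttS's last post says to put at the beginning of the file.
ADDED = "masq fw ACCEPT\nfw masq ACCEPT\n"


def parse_policy(text):
    """Return (source, dest, policy) tuples in file order, skipping comments."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and not fields[0].startswith("#"):
            entries.append((fields[0], fields[1], fields[2]))
    return entries


def lookup(text, source, dest):
    """Policy applied to source -> dest: the first matching entry wins."""
    for src, dst, policy in parse_policy(text):
        if src in (source, "all") and dst in (dest, "all"):
            return policy
    return None  # not reached with the usual all/all entry at the end


def compare_placement(source, dest):
    """Same two lines appended vs prepended: only prepending takes effect,
    because the 'all all REJECT' entry already matches when appended."""
    return {"appended": lookup(BASE_POLICY + ADDED, source, dest),
            "prepended": lookup(ADDED + BASE_POLICY, source, dest)}
```

The restart log in the thread reports "Zone masq is empty" and places eth1 in zone loc, so the same check should be run for the zone pair the log actually shows, loc to fw; prepending lines for an empty zone changes nothing for LAN hosts.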
