Wednesday, April 13, 2011

Using NFS with iptables

Having recently learned how to solve this problem myself, I thought I would share it. I recently switched from Ubuntu Desktop and Ubuntu Server to CentOS 5.5 on both of my Linux machines, and I was having some trouble getting the NFS share to mount through the server's firewall. It turns out this is due to some extra configuration needed on the server side. This works on CentOS and should work on any other distribution based on Red Hat Enterprise Linux, as well as Red Hat itself and probably Fedora.

Some people recommend simply turning the firewall off on the server, but this is a bad idea and not the proper way to go about it as far as I am concerned, especially when maintaining security is vital to the systems in question.

So, here is what you should do. You will need root access on the server to do this.

First, you need to modify the /etc/sysconfig/nfs file so that the NFS helper daemons (lockd, mountd and statd) listen on fixed ports rather than dynamically assigned ones. By default each of them picks a free port at startup and simply registers it with the portmapper, so the port can change on every restart, and a port-filtering firewall such as iptables cannot be told to allow a port that is not known in advance. This default must be changed. The portmapper itself (port 111) and the NFS server (port 2049) already use fixed ports and need no entry here. Add something similar to the lines below to the end of the /etc/sysconfig/nfs file. These numbers are taken from my own CentOS 5.5 NFS server, and work just fine.

LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
MOUNTD_PORT=892
STATD_PORT=662

This establishes fixed ports for these services: lockd on TCP 32803 and UDP 32769, mountd on 892 and statd on 662.

Now you will need to restart the portmap and nfs services with the following commands (restart the nfslock service in the same way as well, since that is the service that runs rpc.statd and applies STATD_PORT; a daemon that was started before the file was edited will still be sitting on a random port):

service portmap restart
service nfs restart



Add the following lines to the /etc/sysconfig/iptables file, ensuring that they appear before the final LOG and DROP lines for the RH-Firewall-1-INPUT chain (rules are evaluated in order, so anything placed after the DROP is never reached). Also, replace the 192.168.1.0/24 source network in these statements with the network your NFS clients are on; restricting the rules to that network is what keeps the shares from being reachable by everyone who can route to the server.

-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 32803 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 32769 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 892 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 892 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 662 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 662 -j ACCEPT

If you look closely, you will see that these rules only allow new connections from the client network to the ports we fixed above (32803, 32769, 892 and 662), plus the portmapper on port 111 and the NFS server on port 2049, which are always fixed. Replies to those connections are already covered by the ESTABLISHED,RELATED rule that the default CentOS firewall has at the top of the chain.

Finally, restart the iptables service:

service iptables restart

Assuming your NFS shares are configured properly in /etc/exports, you should now be able to mount them from the client network.
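The two halves of this procedure have to agree with each other: the ports written to /etc/sysconfig/nfs and the ports in the iptables rules are maintained by hand, and if they drift apart the mount hangs just as it did before. The script below is an added example, not part of the original post. It generates the nine rules above from the values in a sysconfig file, and it checks the output of `rpcinfo -p` (which lists what each daemon actually registered with the portmapper) against the same file, so a daemon still sitting on a dynamic port is reported instead of being discovered by a hung mount. The file contents it works on are constructed samples; on a real server point the functions at /etc/sysconfig/nfs and at the saved output of `rpcinfo -p`.

```shell
#!/bin/sh
# Added example: keep /etc/sysconfig/nfs and the iptables rules in step, and
# verify from `rpcinfo -p` that the daemons really took the fixed ports.

# Read VAR=value from a sysconfig-style file without sourcing (executing) it.
# Keeps only the digits, so quotes are tolerated; commented-out lines are skipped.
sysconfig_get() {
    sed -n "s/^[[:space:]]*$2=[\"']*\([0-9]*\).*/\1/p" "$1" | tail -n 1
}

# One ACCEPT rule in the post's RH-Firewall-1-INPUT chain: subnet, proto, port.
nfs_rule() {
    printf '%s -s %s -m state --state NEW -p %s --dport %s -j ACCEPT\n' \
        '-A RH-Firewall-1-INPUT' "$1" "$2" "$3"
}

# Emit the nine rules from the post for SUBNET, taking the ports from CONF.
nfs_iptables_rules() {
    conf=$1; subnet=$2
    lockd_tcp=$(sysconfig_get "$conf" LOCKD_TCPPORT)
    lockd_udp=$(sysconfig_get "$conf" LOCKD_UDPPORT)
    mountd=$(sysconfig_get "$conf" MOUNTD_PORT)
    statd=$(sysconfig_get "$conf" STATD_PORT)
    for v in "$lockd_tcp" "$lockd_udp" "$mountd" "$statd"; do
        [ -n "$v" ] || { echo "$conf: a fixed port is missing, not emitting rules" >&2; return 1; }
    done
    nfs_rule "$subnet" udp 111;  nfs_rule "$subnet" tcp 111                     # portmapper
    nfs_rule "$subnet" tcp 2049                                                 # nfsd
    nfs_rule "$subnet" tcp "$lockd_tcp"; nfs_rule "$subnet" udp "$lockd_udp"    # lockd
    nfs_rule "$subnet" udp "$mountd";    nfs_rule "$subnet" tcp "$mountd"       # mountd
    nfs_rule "$subnet" udp "$statd";     nfs_rule "$subnet" tcp "$statd"        # statd
}

# Compare saved `rpcinfo -p` output (RPCINFO) with the fixed ports in CONF.
# Prints one line per daemon that is not where the firewall expects it; exit 0 only if all match.
nfs_check_rpcinfo() {
    rpcinfo=$1; conf=$2
    awk -v lt="$(sysconfig_get "$conf" LOCKD_TCPPORT)" \
        -v lu="$(sysconfig_get "$conf" LOCKD_UDPPORT)" \
        -v mp="$(sysconfig_get "$conf" MOUNTD_PORT)" \
        -v sp="$(sysconfig_get "$conf" STATD_PORT)" '
        # rpcinfo -p columns: program vers proto port service
        $5 == "portmapper"              { want = 111 }
        $5 == "nfs"                     { want = 2049 }
        $5 == "mountd"                  { want = mp }
        $5 == "status"                  { want = sp }
        $5 == "nlockmgr" && $3 == "tcp" { want = lt }
        $5 == "nlockmgr" && $3 == "udp" { want = lu }
        want != "" && $4 != want {
            printf "%s/%s registered on port %s, firewall expects %s\n", $5, $3, $4, want
            bad = 1
        }
        { want = "" }
        END { exit bad + 0 }
    ' "$rpcinfo"
}

# Constructed sample files (not captured from a real server) written into DIR.
make_samples() {
    # stock commented-out lines plus the post's values appended at the end
    cat > "$1/nfs" <<'EOF'
#LOCKD_TCPPORT=32803
#MOUNTD_PORT=892
LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
MOUNTD_PORT=892
STATD_PORT=662
EOF
    # rpcinfo -p after restarting nfslock and nfs: everything on its fixed port
    cat > "$1/rpcinfo.ok" <<'EOF'
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp    662  status
    100024    1   tcp    662  status
    100021    1   udp  32769  nlockmgr
    100021    4   tcp  32803  nlockmgr
    100003    2   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100005    1   udp    892  mountd
    100005    3   tcp    892  mountd
EOF
    # the same server when nfs was started before the file was edited: mountd on a random port
    sed 's/ 892  mountd/1011  mountd/' "$1/rpcinfo.ok" > "$1/rpcinfo.bad"
}

demo=$(mktemp -d)
make_samples "$demo"
echo "# rules generated for 192.168.1.0/24:"
nfs_iptables_rules "$demo/nfs" 192.168.1.0/24
echo "# check after a clean restart:"
nfs_check_rpcinfo "$demo/rpcinfo.ok" "$demo/nfs" && echo "every daemon is on its fixed port"
echo "# check when mountd is still dynamic:"
nfs_check_rpcinfo "$demo/rpcinfo.bad" "$demo/nfs" || echo "restart nfs after editing /etc/sysconfig/nfs, then re-check"
rm -r "$demo"
```

Run the check part again after every reboot or package update of nfs-utils until you trust the setup; a daemon that silently went back to a random port is the usual cause of a mount that hangs for no visible reason. The rule generator reproduces exactly the post's nine rules, which allow NFS itself only over TCP; if any of your clients mount with the udp option, add a matching rule for UDP port 2049.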

Thursday, April 7, 2011

Designing a hard disk layout.

Designing a hard disk layout is a good way to tailor a system to your particular needs. Linux allows the creation of multiple partitions, and each partition can be mounted at a different point in the file system tree, so that different directories live on different partitions.

Most default Linux installs use a generic partition scheme which usually creates two partitions: one for the Linux filesystem and one used as swap space, the equivalent of the page file under Windows. This is generally sufficient for most users, but better control, isolation and system performance can be gained with a well designed layout.

Here is a brief overview of the movable Linux directories and what they contain:

/boot: contains the system's critical boot files (kernels and boot loader data).
/home: contains the home directories and data files of each user on the system.
/mnt: used as a mount point for removable media.
/media: similar to /mnt.
/opt: contains files and programs belonging to third-party software.
/tmp: contains temporary files created by ordinary users and programs.
/usr: contains most Linux program and data files.
/usr/local: contains programs and files unique to this particular installation.
/var: holds files associated with the day-to-day functioning of the computer, such as logs, mail spools and databases.
The other directories (/etc, /bin, /sbin, /lib and /dev) should never be placed on separate partitions, as they are needed to bring up the base system before any other partition is mounted and must therefore reside on the root (/) partition.

The best time to set up partitions is when doing a fresh installation or when re-formatting and re-installing. While it may be possible to re-work an installed system from a live CD or rescue disk, I highly doubt this would be a good idea.

With all that out of the way, let's look at some possible layouts.

For a basic home system, create a /boot partition, a / (root) partition, a /home partition, and a swap partition. The /boot partition can be ext2, while the others should be ext3, ext4, or some other journaling filesystem. Having a separate /home partition allows you to re-install the rest of the operating system without having to reformat and lose the information on the /home partition. When re-installing, simply format /boot and / and leave /home alone.

As for sizes, /boot should be 50-100 MB, the swap partition is generally 1.5 to 2 times the system RAM, and the / and /home partitions should each get half of the remaining space. This arrangement should give a desktop system good performance and reliability, with plenty of space for both user files and software installations and updates.

For servers, a similar arrangement can be used, but /var should also be a separate partition, as it is where most server programs write their logs, spools and data, and a runaway log on its own partition cannot fill up / and take the whole system down with it. A separate partition also lets you mount it with restrictive options such as nosuid and nodev, which is not possible for a directory that lives on the root filesystem. Also, on a server /home likely does not need to be as large as the / or /var partitions, since servers generally make little use of /home.

Keep in mind that these are guidelines, and a starting point for your own layout. Also, if you plan to create more than four partitions on an MBR-partitioned disk, you will have to make one of the four primary partitions an extended partition and create the rest as logical partitions inside it, as an MBR partition table only allows four primary partitions per disk.
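To make the sizing rules and the four-primary-partition limit concrete, here is an added example (not from the original post) that turns a disk size, the amount of RAM and a list of extra mount points into a partition plan. It applies the rules above: a 100 MB /boot, swap at twice the RAM, half of the remainder for / and the other half shared equally between the extra mount points. Once the plan needs more than four partitions it makes partition 4 the extended container and numbers the logical partitions from 5, which is how the server layout with /var and /home comes out. The mount options column is this example's own addition: nosuid,nodev on the user- and service-writable filesystems is a hardening choice the post does not make.

```shell
#!/bin/sh
# Added example: partition plan from the post's sizing rules.
# plan_layout DISK_MB RAM_MB [MOUNTPOINT ...]
#   /boot   100 MB, ext2, partition 1
#   swap    2 x RAM, partition 2
#   /       half of what remains, partition 3
#   extras  the other half, shared equally (e.g. /home, or /var /home for a server)
# More than four partitions in total turns partition 4 into the extended container,
# and every partition after it becomes a logical partition numbered from 5.

# Mount options per mount point. nosuid,nodev on writable filesystems is this
# example's own hardening choice, not something the post prescribes.
mount_options() {
    case $1 in
        /home|/var|/tmp) echo nosuid,nodev ;;
        swap)            echo sw ;;
        *)               echo defaults ;;
    esac
}

plan_layout() {
    disk=$1; ram=$2; shift 2
    extra=$*
    boot=100
    swap=$((ram * 2))
    rest=$((disk - boot - swap))
    [ "$rest" -gt 0 ] || { echo "a ${disk} MB disk is too small for ${ram} MB of RAM" >&2; return 1; }
    n=$#
    if [ "$n" -gt 0 ]; then
        root=$((rest / 2))
        each=$(( (rest - root) / n ))
    else
        root=$rest
        each=0
    fi
    # build the ordered list of "mount fstype size" entries
    set -- "/boot ext2 $boot" "swap swap $swap" "/ ext3 $root"
    for mp in $extra; do
        set -- "$@" "$mp ext3 $each"
    done
    total=$#
    fmt='%-4s %-9s %-8s %-6s %-8s %s\n'
    printf "$fmt" num kind mount fstype size_mb options
    i=0; num=0
    for entry in "$@"; do
        i=$((i + 1))
        mp=${entry%% *}; fs_sz=${entry#* }; fs=${fs_sz%% *}; sz=${fs_sz#* }
        if [ "$total" -le 4 ] || [ "$i" -le 3 ]; then
            num=$i; kind=primary
        else
            if [ "$i" -eq 4 ]; then
                # the extended container gets everything the three primaries left over
                printf "$fmt" 4 extended - - "$((disk - boot - swap - root))" -
                num=4
            fi
            num=$((num + 1)); kind=logical
        fi
        printf "$fmt" "$num" "$kind" "$mp" "$fs" "$sz" "$(mount_options "$mp")"
    done
}

# Desktop: four partitions fit in the primary slots.
plan_layout 500000 2048 /home
echo
# Server: five partitions, so partition 4 becomes extended and /var, /home go logical.
plan_layout 500000 2048 /var /home
```

The numbers are in MB so they can be fed to the installer's manual partitioning screen; the plan is only a starting point, and the post's own advice applies, in particular giving /home less on a server if the space is better spent on /var.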

Welcome

This blog is for more advanced topics concerning the use and configuration of the Linux operating system. Unlike my basic lessons blog, this one assumes that you already have some knowledge of Linux and of computers in general. You do not need to be a Linux guru or a computer expert, but you should understand computers and operating systems well enough to be comfortable making changes and experimenting.