NFS through iptables
Date: 2007-05-21 Source: tghang
The step-by-step guide that follows is a summary of a very well done guide, which I suggest you read carefully; it refers to a server running RedHat 7.3. The same considerations apply to RedHat 8.0 and 9.0. To make it possible to configure a firewall that controls NFS, it is necessary to "tie" the ports used by these services down to fixed values, because by default most of them are allocated at random by portmapper. In the following we suggest some fixed values, but of course you can use different numbers.
Portmapper (portmap): uses port 111 on both TCP and UDP protocols.
NFS daemon (rpc.nfsd): uses port 2049 on both TCP and UDP protocols.
Status (rpc.statd): normally uses a random port allocated by portmapper. It is possible to configure a fixed port number by supplying the "-p" command option when the program is launched. Edit the file /etc/init.d/nfslock, find the line "daemon rpc.statd" and add the option:
daemon rpc.statd -p 4000
NFS lock manager (rpc.lockd): normally uses a random port allocated by portmapper. On systems where the lock manager is implemented as a loadable module (RedHat 7.3 and greater, Mandrake 8.2 and greater) the port number used is set at module load time, and so is configured by adding (or editing) a line in the /etc/modules.conf file, as follows:
options lockd nlm_udpport=4001 nlm_tcpport=4001
mountd (rpc.mountd): normally uses a random port allocated by portmapper. It is possible to configure a fixed port number by supplying the "-p" command line option when the program is launched. This can be done by editing the file /etc/sysconfig/network and adding the following line:
MOUNTD_PORT=4002
rquotad (rpc.rquotad): if your system is not already running "quota" version 3.08 or later, download it from the linuxquota website. Remove the old version and install the new quota package:
tar zxvf quota-3.08.tar.gz
cd quota-tools
./configure
make
make install
cp rpc.rquotad /usr/sbin/
Now edit the file /etc/rpc and check that the following line is present:
rquotad 100011 rquotaprog quota rquota
It should be there, but if it isn't, then add it yourself. Finally edit the file /etc/services and add the following lines (one for TCP and one for UDP, since rquotad, like the other services above, is reached over both protocols):
rquotad 4003/tcp
rquotad 4003/udp
Note that you can happily use NFS without quotas, and in such case you can skip this point.
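Before writing firewall rules it is worth verifying that every service really registered itself with portmapper on its pinned port, since a forgotten or misplaced "-p" option silently leaves that service on a random port that the rules below will not allow. The following check is an added example, not part of the original guide: it reads the output of "rpcinfo -p" and reports any NFS-related registration that is not on the port assigned above. The rpcinfo output embedded here is constructed, with rpc.statd deliberately left unpinned to show what a mismatch looks like.

```shell
#!/bin/sh
# Constructed sample of `rpcinfo -p` output: all services are on the
# ports from the guide except "status" (rpc.statd), which still got a
# random port from portmapper.
SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    2   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100021    1   udp   4001  nlockmgr
    100021    1   tcp   4001  nlockmgr
    100005    1   udp   4002  mountd
    100005    1   tcp   4002  mountd
    100011    1   udp   4003  rquotad
    100011    1   tcp   4003  rquotad
    100024    1   udp  32768  status
    100024    1   tcp  32769  status'

# expected_port SERVICE: the fixed port the guide assigns to each service
# (empty for services the guide does not cover).
expected_port() {
  case "$1" in
    portmapper) echo 111 ;;
    nfs)        echo 2049 ;;
    status)     echo 4000 ;;
    nlockmgr)   echo 4001 ;;
    mountd)     echo 4002 ;;
    rquotad)    echo 4003 ;;
    *)          echo "" ;;
  esac
}

# check_rpc_ports: read `rpcinfo -p` output on stdin, print one line per
# registration that is not on its expected port, and return 1 if any such
# stray registration exists, 0 if every covered service is pinned.
check_rpc_ports() {
  bad=0
  while read -r prog vers proto port name; do
    case "$prog" in program|'') continue ;; esac   # header / blank lines
    want=$(expected_port "$name")
    [ -z "$want" ] && continue                    # not an NFS service
    if [ "$port" != "$want" ]; then
      echo "$name $proto $port (expected $want)"
      bad=1
    fi
  done
  return $bad
}

# On a live server replace the printf with: rpcinfo -p | check_rpc_ports
if printf '%s\n' "$SAMPLE_RPCINFO" | check_rpc_ports; then
  echo "all NFS services are on their pinned ports"
else
  echo "some NFS services are NOT on their pinned ports; fix before firewalling"
fi
```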
Now that you have pinned the NFS services to fixed ports, a simple IPTABLES firewall that lets only one trusted client reach them might look like this (ip.pc.client stands for that client's address; port matches use --dport and the silent-drop target is DROP, since iptables has no DENY target and logging is done by a separate LOG rule):
# fragments from the client (port numbers are only in the first fragment)
iptables -A INPUT -f -s ip.pc.client -j ACCEPT
# statd, lockd, mountd, rquotad on the pinned ports 4000-4003
iptables -A INPUT -s ip.pc.client -p tcp --dport 4000:4003 -j ACCEPT
iptables -A INPUT -s ip.pc.client -p udp --dport 4000:4003 -j ACCEPT
# nfsd
iptables -A INPUT -s ip.pc.client -p udp --dport 2049 -j ACCEPT
iptables -A INPUT -s ip.pc.client -p tcp --dport 2049 -j ACCEPT
# portmapper
iptables -A INPUT -s ip.pc.client -p tcp --dport 111 -j ACCEPT
iptables -A INPUT -s ip.pc.client -p udp --dport 111 -j ACCEPT
# log and drop everything else: new TCP connections and all UDP
iptables -A INPUT -p tcp --syn -j LOG --log-level 5
iptables -A INPUT -p tcp --syn -j DROP
iptables -A INPUT -p udp -j LOG --log-level 5
iptables -A INPUT -p udp -j DROP
With IPCHAINS the equivalent commands are:
ipchains -A input -f -j ACCEPT -s ip.pc.client
ipchains -A input -s ip.pc.client -d 0/0 4000:4003 -p 6 -j ACCEPT
ipchains -A input -s ip.pc.client -d 0/0 4000:4003 -p 17 -j ACCEPT
ipchains -A input -s ip.pc.client -d 0/0 2049 -p 17 -j ACCEPT
ipchains -A input -s ip.pc.client -d 0/0 2049 -p 6 -j ACCEPT
ipchains -A input -s ip.pc.client -d 0/0 111 -p 6 -j ACCEPT
ipchains -A input -s ip.pc.client -d 0/0 111 -p 17 -j ACCEPT
ipchains -A input -s 0/0 -d 0/0 -p 6 -j DENY -y -l
ipchains -A input -s 0/0 -d 0/0 -p 17 -j DENY -l
It is worth mentioning that NFS is not an encrypted protocol, and anyone on the same physical network could sniff the traffic and reassemble the information being passed back and forth; the firewall above limits who can talk to the server, but it does nothing to protect the data in transit.