nfs/ssh woes

From: Matt Price (matt.price_at_utoronto.ca)
Date: 08/27/03

    Date: Wed, 27 Aug 2003 00:25:53 -0400
    To: debian users <debian-user@lists.debian.org>
    
    

    Hey folks,

    about 2 months ago I sent out a call for help on this list which, like
    most such calls I've made, was duly answered by a couple of folks,
    especially James S. Then my baby son was born, and we went away for a
    while, and when I came back home I rebooted all my machines, ended up
    losing a bunch of personal mail, and my carefully setup system no
    longer worked...

    Goal: to set up an ssh-encrypted nfs which shares a directory on my
    work computer (call it nfs.server) and either or both of two computers
    at home (nfs.client).

    Method: as described in James Strandboge's excellent article,
    "Encrypted NFS with OpenSSH and Linux"
    http://linuxtoday.com/security/2002021301020SCSV .

    1. set up /etc/exports:

    add this line:
    /home/matt/Personal 128.100.34.9(rw,insecure,root_squash)

    test it on the server:
    mount -t nfs 128.100.34.9:/home/matt /mnt/nfs
    --> works fine.

    2. set up iptables. Add a file nfsforward.rul in /etc/ipmasq/rules:
    # cat nfsforward.rul
    # /sbin/iptables -A INPUT -i eth0 -p tcp -s mprice.dyndns.org --dport ssh -j ACCEPT
    # /sbin/iptables -A OUTPUT -o eth0 -p tcp --sport ssh -d mprice.dyndns.org -j ACCEPT
    # /sbin/iptables -A INPUT -i eth0 -p tcp -s mprice.dyndns.org --dport 111 -j ACCEPT
    # /sbin/iptables -A OUTPUT -o eth0 -p tcp --sport 111 -d mprice.dyndns.org -j ACCEPT

    # /sbin/iptables -A INPUT -i eth0 -p tcp -s $MATTSIP --dport ssh -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p tcp -s $MATTSIP --dport ssh -j ACCEPT
    /sbin/iptables -A OUTPUT -o eth0 -p tcp -d $MATTSIP --sport ssh -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p tcp -s $MATTSIP --dport 111 -j ACCEPT
    /sbin/iptables -A OUTPUT -o eth0 -p tcp --sport 111 -d $MATTSIP -j ACCEPT

    ... where $MATTSIP is passed to ipmasq whenever it's run (I have dns
    -- and if I replace $MATTSIP with an ip address, the situation doesn't
    change)

    3. set up an ssh tunnel:
    first check server's ports:

    rpcinfo -p 128.100.34.9:
       program vers proto port
        100000 2 tcp 111 portmapper
        100000 2 udp 111 portmapper
        100024 1 udp 914 status
        100024 1 tcp 917 status
        100005 1 udp 810 mountd
        100005 2 udp 810 mountd
        100005 1 tcp 813 mountd
        100005 2 tcp 813 mountd
        100003 2 udp 2049 nfs
        100003 2 tcp 2049 nfs

    ssh -f -c blowfish -L2818:128.100.34.9:2049 -L 3045:128.100.34.9:813 -l matt 128.100.34.9 /bin/sleep 86400

    tried it with the -v switch enabled, didn't get any error messages, I
    assume the tunnel is really being set up.

    4. try to mount the directory on nfs.client:
    # mount -t nfs -o tcp,port=2818,mountport=3045 128.100.34.9:/home/matt/Personal /mnt/nfs
    mount: RPC: Remote system error - Connection refused

    If I try to ssh and mount from nfs.server, I have the same problem,
    though as I mentioned earlier a straight up nfs mount on nfs.server
    works fine:

    mount -t nfs 128.100.34.9:/home/matt/Personal /mnt/nfs

    if I briefly disable iptables:

    nfs.server# /etc/init.d/iptables stop (I know, this is STUPID!!!!)
    and try to mount the directory from nfs.client, I get a slightly
    different error:

    nfs.client# mount -t nfs 128.100.34.9:/home.matt/Personal /mnt/nfs
    mount: 128.100.34.9:/home/matt failed, reason given by server: Permission denied

    I checked in hosts.allow and found both these listings (somewhat
    overbroad, but hopefully not too terrible for the moment):

    ALL: 128.100.34.9 localhost
    ALL: 67.68.52.40

    so I don't think the problem is there.

    Question: where to look now? I feel like the problem's in the tunnel
    -- or at least, there is some kind of problem with the tunnel -- but I
    can't diagnose it myself. who can help??

    thanks as ALWAYS,
    matt

    -- 
    To UNSUBSCRIBE, email to debian-user-request@lists.debian.org 
    with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
    
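Editor's note, as an added example that is not part of the original post: the script below walks steps 3 and 4 of the procedure above as a practitioner would check them. It takes the `rpcinfo -p` output quoted in the post (embedded here as constructed sample input), pulls out the TCP ports of `nfs` and `mountd`, builds the `ssh -L` forwards and the client-side mount command, and checks that the forwards are actually listening before the mount is attempted. Two points it encodes that are easy to get wrong: `ssh -L` binds the forwarded ports on the client's loopback interface, so the NFS mount has to target `localhost:` (connecting to the server's address on the forwarded port numbers reaches nothing listening there), and the post's `-c blowfish` is left out because current OpenSSH no longer ships that cipher. The server address, export path, user name and local port numbers are taken from the post; the helper names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the original post. Derives the SSH port-forwards
# for an NFS-over-SSH mount from `rpcinfo -p` output, prints the tunnel and mount
# commands, and checks that the forwards are listening before mounting.
# Assumed values (taken from the post): server 128.100.34.9, export
# /home/matt/Personal, local forward ports 2818 (nfs) and 3045 (mountd).

# Constructed sample input: the `rpcinfo -p 128.100.34.9` output quoted in the post.
RPCINFO_SAMPLE='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp    914  status
    100024    1   tcp    917  status
    100005    1   udp    810  mountd
    100005    2   udp    810  mountd
    100005    1   tcp    813  mountd
    100005    2   tcp    813  mountd
    100003    2   udp   2049  nfs
    100003    2   tcp   2049  nfs'

SERVER=128.100.34.9
EXPORT=/home/matt/Personal
LOCAL_NFS=2818
LOCAL_MOUNTD=3045

# rpc_tcp_port NAME: read `rpcinfo -p` output on stdin, print the TCP port of
# service NAME (first match only; prints nothing if the service is absent).
rpc_tcp_port() {
    awk -v svc="$1" '$3 == "tcp" && $5 == svc { print $4; exit }'
}

# ssh_forwards NFS_PORT MOUNTD_PORT: the -L options for the tunnel. -L listens on
# the client's loopback, so the tunnel ends are 127.0.0.1:LOCAL_NFS and
# 127.0.0.1:LOCAL_MOUNTD; nothing new opens on the server.
ssh_forwards() {
    printf '%s' "-L $LOCAL_NFS:$SERVER:$1 -L $LOCAL_MOUNTD:$SERVER:$2"
}

# ssh_tunnel_cmd NFS_PORT MOUNTD_PORT USER: full command to open the tunnel.
# No -c blowfish: current OpenSSH no longer offers it; the default cipher is fine.
ssh_tunnel_cmd() {
    printf '%s' "ssh -f $(ssh_forwards "$1" "$2") -l $3 $SERVER /bin/sleep 86400"
}

# mount_cmd MOUNTPOINT: the client mounts from localhost (the tunnel end), not
# from $SERVER, otherwise the forwarded ports are never used.
mount_cmd() {
    printf '%s' "mount -t nfs -o tcp,port=$LOCAL_NFS,mountport=$LOCAL_MOUNTD localhost:$EXPORT $1"
}

# forward_listening PORT: exit 0 if a TCP listener is bound on local port PORT.
# Uses ss(8) where available, otherwise netstat(8); both put the local
# address:port in column 4.
forward_listening() {
    if command -v ss >/dev/null 2>&1; then
        listeners=$(ss -ltn 2>/dev/null)
    else
        listeners=$(netstat -tln 2>/dev/null)
    fi
    printf '%s\n' "$listeners" |
        awk -v p="$1" '{ n = split($4, a, ":"); if (a[n] == p) f = 1 } END { exit !f }'
}

# Demonstration on the sample output: the three steps in the order they are run.
nfs_port=$(printf '%s\n' "$RPCINFO_SAMPLE" | rpc_tcp_port nfs)
mountd_port=$(printf '%s\n' "$RPCINFO_SAMPLE" | rpc_tcp_port mountd)
echo "1. on nfs.client, open the tunnel:"
echo "   $(ssh_tunnel_cmd "$nfs_port" "$mountd_port" matt)"
echo "2. on nfs.client, confirm both forwards are listening:"
echo "   forward_listening $LOCAL_NFS && forward_listening $LOCAL_MOUNTD"
echo "3. on nfs.client, mount through the tunnel:"
echo "   $(mount_cmd /mnt/nfs)"
```

On a live client, replace the sample with `rpcinfo -p 128.100.34.9 | rpc_tcp_port nfs` (and `mountd`), since mountd's port is not fixed and changes across server restarts; if step 2 fails, the tunnel never came up and the mount error is not an NFS problem at all.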
