Good refinement to tighten things up.
On Fri, 2 Jul 2004, Tom Allison wrote:

> Ernest Johanson wrote:
> > Been following this thread and understand that the goal is to configure a
> > firewall to control access to the ports used for NFS. If so, then suggest
> > the following:
> >
> > #!/bin/sh
> >
> > NFSPORTS=`rpcinfo -p | awk '/tcp/||/udp/ {print $4}' | sort | uniq`
> > for PORT_NUM in $NFSPORTS
> > do
> >
> >   iptables -A INPUT -j <target> -s <srcip> -p <tcp|udp> --dport $PORT_NUM
> >   ...
> > done
> >
>
> # NFS
> # First you open up the RPC port
> iptables -A INPUT -i $IFACE -p udp -s $LAN --sport $LO_PORTS \
>   -d $IF_ADDRESS --dport sunrpc -m state --state NEW \
>   -j ACCEPT
> iptables -A INPUT -i $IFACE -p tcp -s $LAN --sport $LO_PORTS \
>   -d $IF_ADDRESS --dport sunrpc -m state --state NEW \
>   -j ACCEPT
>
> # Since rpc is so varied and large in its ports I thought
> # it easiest to just capture them all there and scroll through
> # the list. One for TCP, one for UDP
> TCP=`rpcinfo -p | grep "3 tcp" | awk '{print $4}' | sort | uniq`
> for P in $TCP; do
>   iptables -A INPUT -i $IFACE -p tcp -s $LAN --sport $LO_PORTS \
>     -d $IF_ADDRESS --dport $P -m state --state NEW \
>     -j ACCEPT
> done
>
> UDP=`rpcinfo -p | grep "3 udp" | awk '{print $4}' | sort | uniq`
> for P in $UDP; do
>   iptables -A INPUT -i $IFACE -p udp -s $LAN --sport $LO_PORTS \
>     -d $IF_ADDRESS --dport $P -m state --state NEW \
>     -j ACCEPT
> done

Ernest Johanson
Systems Administrator
Fuller Theological Seminary
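The following is an added example, not code from either poster in the thread. It does the same job as the scripts above (turn the portmapper's current registrations into per-port iptables ACCEPT rules) but selects on the protocol column instead of grepping for "3 tcp"/"3 udp", because rpc.statd and some mountd builds register only version 1 or 2 and would otherwise be skipped. The `rpcinfo -p` listing, interface and address values are constructed for the example; the functions accept real `rpcinfo -p` output as an argument. Two caveats a practitioner should keep in mind: the ports shown by rpcinfo are assigned dynamically, so the rule set has to be regenerated whenever the NFS daemons restart (or the daemons pinned to fixed ports), and the generated rules are printed rather than executed so they can be reviewed first.

```shell
#!/bin/sh
# Added example (not from the thread): build iptables ACCEPT rules for every
# port currently registered with the portmapper, parsed from `rpcinfo -p`.
# Runs offline against the constructed capture below; pass "$(rpcinfo -p)"
# as the last argument to use the live listing.

# Constructed sample of `rpcinfo -p` output (assumed; a real listing varies).
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  32768  status
    100024    1   tcp  32769  status
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100021    1   udp  32769  nlockmgr
    100021    3   udp  32769  nlockmgr
    100021    4   udp  32769  nlockmgr
    100021    1   tcp  32770  nlockmgr
    100021    3   tcp  32770  nlockmgr
    100021    4   tcp  32770  nlockmgr
    100005    1   udp    638  mountd
    100005    1   tcp    641  mountd
    100005    2   udp    638  mountd
    100005    2   tcp    641  mountd
    100005    3   udp    638  mountd
    100005    3   tcp    641  mountd'

# rpc_ports PROTO [RPCINFO_TEXT]
# Print the unique ports registered for PROTO (tcp|udp), one per line,
# across all program versions. Matching on the proto column ($3) keeps
# version-1-only services such as rpc.statd that `grep "3 tcp"` misses.
rpc_ports() {
    proto=$1
    text=${2:-$SAMPLE_RPCINFO}
    printf '%s\n' "$text" | awk -v p="$proto" '$3 == p { print $4 }' | sort -n | uniq
}

# nfs_rules IFACE LAN IF_ADDRESS [RPCINFO_TEXT]
# Emit one iptables ACCEPT rule per (proto, port) pair, restricted to the
# LAN source and the server's own address, new connections only.
nfs_rules() {
    iface=$1; lan=$2; addr=$3; text=${4:-$SAMPLE_RPCINFO}
    for proto in tcp udp; do
        for port in $(rpc_ports "$proto" "$text"); do
            printf 'iptables -A INPUT -i %s -p %s -s %s -d %s --dport %s -m state --state NEW -j ACCEPT\n' \
                "$iface" "$proto" "$lan" "$addr" "$port"
        done
    done
}

# Live use (not run here): nfs_rules eth0 192.168.1.0/24 192.168.1.5 "$(rpcinfo -p)" | sh
# Offline demonstration against the constructed sample (interface and
# addresses are placeholders):
nfs_rules eth0 192.168.1.0/24 192.168.1.5
```

Because the rules are emitted as text, they can be diffed against the previous run to spot a port that moved after a daemon restart before anything is loaded into the INPUT chain.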