NFS connection from AIX client to Linux server


Jim Ramsey

Mar 9, 2009, 2:22:39 PM
to Keith Whittington, Scott Satterfield, ryanc...@gmail.com, Everett Anderson
All,

I tripped over this strangeness and the solution.

I'm passing it around so that others will benefit. I posted
the answer on one of the ittoolbox.com lists.


I just now solved this problem and the answer is strange. My situation is AIX 5.3 wanting to NFS mount file systems on a CentOS 5.3 system.

From AIX the command "showmount -e linuxhost" would just hang. If that command won't work, then a mount won't either.

The problem is the redhat/RHEL firewall.

1. If you turn it off, suddenly the showmount works.

2. I did some digging by manually adding a command to /etc/sysconfig/iptables to cause logging of failed accesses something like this:

-A RH-Firewall-1-INPUT -s IPofAIXhost -j LOG --log-level DEBUG --log-prefix "JRjr IPT:"

Start or restart the iptables service and redo the showmount -e. The log shows an interest in ports 610 and 613 (both tcp).

Using system-config-securitylevel-tui, I added 610:tcp and 613:tcp to the custom list of permitted services.

That seems to make this all work.

I'm not sure, but I think the real problem is the line
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
in the firewall configuration.

Nobody on the linux side responds to ports 610 and 613, but the REJECT may be the issue.

Try it. ...

--


Regards,

Jim Ramsey



stevea

Mar 9, 2009, 3:31:14 PM
to Jim Ramsey, Akron Linux Users Group
Actually Jim, I doubt you've accurately described this little mystery.
Your description is confusing, but I assume AIX is the client and CentOS
the server.

The showmount command (from Linux anyway) contacts the server's
sunrpc port (111/tcp) to identify the port of the "mountd" service.
The showmount client then connects to that port (via tcp, tho' that's
not necessary for NFSv2, NFSv3) and sends an NFS DUMP
command. The mountd server replies with a list of clients mounting
the share.

The problem you are experiencing is because the Linux mountd server
is completely built into the kernel, so there is no service visible when
you type "netstat -ntlp" or if you type "lsof | grep IPv". If you take down
the firewall and map with nmap you'll see that the port really is open,
but there is no user-space daemon listening. The kernel is listening!

610 and 613 are not magic ports and I'm pretty certain the kernel will
choose different ports based on availability. It's always a low (<1024)
port. I have NFS servers using 894 and 818 today!

If you capture the network traffic with wireshark/ethereal that program
should show a successful tcp connection and the DUMP command
protocol from port 6xx.

I don't know how to setup a firewall to handle this problem (semi-random
tcp port assignment for mountd). I assume the redhat online admin manuals
can explain. Or perhaps Dave Egts has a firewall config solution.

-Steve

David Egts

Mar 9, 2009, 3:37:30 PM
to stevea, Jim Ramsey, Akron Linux Users Group
Hi Jim, Steve, and all,

If you are using NFS v2 or v3 with a firewall, you want to explicitly
tell NFS to use particular ports and then tell iptables to allow those
ports.

By default, NFS will use the ports provided by portmap which may not
be the same every time. In other words, ports 610 and 613 may or may
not be the same ports portmap gives you on the next reboot.

Check this link out for more info:

http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/ch-sysconfig.html#s2-sysconfig-nfs

NFS v4 doesn't use portmap at all which is nice since you won't have
to worry about this since everything goes over port 2049. I'm not
sure offhand if AIX supports NFS v4 however.

As a best practice, I wouldn't recommend using
system-config-securitylevel to manage a firewall beyond the very
simplest of things. Instead, I'd prefer to specify the firewall rules
myself in /etc/sysconfig/iptables. Generally speaking, I'd set the
last rule to block everything. Then add a rule before that to log
what will be blocked. Then add rules before the log rule to accept
what you want. Here's another good reference...

http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/ch-iptables.html

Dave

Jim Ramsey

Mar 9, 2009, 4:27:12 PM
to Akro...@googlegroups.com
Boy, did I blow that.

Ports 610 and 613 were, in fact, picked out of a hat.

I edited /etc/sysconfig/nfs and added
MOUNTD_PORT=610
STATD_PORT=613

and the entire behavior changed.

My very bad!

Regards,

Jim Ramsey
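The fix Dave describes and Jim confirms (pin mountd/statd/lockd to fixed ports in /etc/sysconfig/nfs, then open exactly those ports in iptables with a LOG rule ahead of the final REJECT) is shown below as an added example; it is not code from the thread or from Red Hat. It assumes the RHEL/CentOS 5 /etc/sysconfig/nfs variable names MOUNTD_PORT, STATD_PORT, LOCKD_TCPPORT and LOCKD_UDPPORT and the RH-Firewall-1-INPUT chain name used in Jim's post. The port numbers 892/662/32803, the client address 192.0.2.10 and the rpcinfo -p output are constructed for illustration. The last function checks the failure mode from Jim's first message: a firewall opened for ports that portmap happened to hand out this boot, which will not match after the daemons are restarted.

```shell
#!/bin/sh
# Added example (not from the thread): pin the NFSv3 side-band ports on a
# RHEL/CentOS 5 server, generate matching RH-Firewall-1-INPUT rules, and
# check that what the portmapper advertises agrees with the firewall.
# Port numbers, the client address and the rpcinfo sample are constructed.

# Pinned ports. These go into /etc/sysconfig/nfs so that mountd, statd and
# lockd stop asking portmap for whatever port is free at boot.
MOUNTD_PORT=892
STATD_PORT=662
LOCKD_PORT=32803

# Emit the /etc/sysconfig/nfs fragment that pins the ports.
nfs_sysconfig_fragment() {
    printf 'MOUNTD_PORT=%s\nSTATD_PORT=%s\nLOCKD_TCPPORT=%s\nLOCKD_UDPPORT=%s\n' \
        "$MOUNTD_PORT" "$STATD_PORT" "$LOCKD_PORT" "$LOCKD_PORT"
}

# Emit /etc/sysconfig/iptables rules for RH-Firewall-1-INPUT: accept portmap
# (111), nfsd (2049) and the pinned ports from the client, log everything else
# that reaches the end of the chain, then reject. $1 is the client address.
nfs_iptables_rules() {
    client="$1"
    for p in 111 2049 "$MOUNTD_PORT" "$STATD_PORT" "$LOCKD_PORT"; do
        for proto in tcp udp; do
            printf '%s -s %s -p %s -m %s --dport %s -j ACCEPT\n' \
                '-A RH-Firewall-1-INPUT' "$client" "$proto" "$proto" "$p"
        done
    done
    # LOG must come before REJECT, or nothing is ever logged.
    printf '%s\n' '-A RH-Firewall-1-INPUT -j LOG --log-level DEBUG --log-prefix "NFS IPT: "'
    printf '%s\n' '-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited'
}

# Read `rpcinfo -p` output on stdin and print "program port/proto" for mountd,
# status and nlockmgr: the ports the firewall must have open right now.
rpc_sideband_ports() {
    awk '$5 == "mountd" || $5 == "status" || $5 == "nlockmgr" { print $5, $4 "/" $3 }' |
        sort -u
}

# Compare the advertised ports (stdin, from rpc_sideband_ports) with the pinned
# values. Returns 0 when the firewall rules above cover every advertised port,
# 1 when a daemon is bound somewhere the firewall does not allow.
check_pinned() {
    bad=0
    while read -r prog port_proto; do
        port="${port_proto%/*}"
        case "$prog" in
            mountd)   want="$MOUNTD_PORT" ;;
            status)   want="$STATD_PORT" ;;
            nlockmgr) want="$LOCKD_PORT" ;;
            *)        continue ;;
        esac
        if [ "$port" != "$want" ]; then
            echo "MISMATCH: $prog on $port_proto, firewall allows $want" >&2
            bad=1
        fi
    done
    return "$bad"
}

# Constructed rpcinfo -p output for a server whose ports were NOT pinned:
# this boot mountd landed on 610 and status on 613, as in the first post.
SAMPLE_UNPINNED='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp    613  status
    100024    1   tcp    613  status
    100021    1   udp  32803  nlockmgr
    100021    1   tcp  32803  nlockmgr
    100005    3   udp    610  mountd
    100005    3   tcp    610  mountd
    100003    3   tcp   2049  nfs'

# Constructed output after the fragment above was applied and nfs restarted.
SAMPLE_PINNED=$(printf '%s\n' "$SAMPLE_UNPINNED" | sed 's/ 613 / 662 /; s/ 610 / 892 /')

if [ "${1:-}" = "demo" ]; then
    nfs_sysconfig_fragment
    nfs_iptables_rules 192.0.2.10
    printf '%s\n' "$SAMPLE_UNPINNED" | rpc_sideband_ports | check_pinned || echo "unpinned: showmount would be rejected"
    printf '%s\n' "$SAMPLE_PINNED"   | rpc_sideband_ports | check_pinned && echo "pinned: firewall matches"
fi
```

Run it with `sh script.sh demo` to see the config fragment, the rule set, and the mismatch report for the unpinned sample. On a real server, feed `rpcinfo -p | rpc_sideband_ports | check_pinned` after `service nfs restart`; a non-zero exit means the daemons are not on the ports the firewall was written for, which is exactly what a hanging `showmount -e` from the AIX side looks like.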


