NFS Server + IP Tables

rotorboy
Posts: 27
Joined: 2005/03/03 23:02:04

NFS Server + IP Tables

Post by rotorboy » 2010/11/09 18:58:39

Greetings.

I've managed to get an NFS server to work with IPTables but there's ONE last thing I'd like to adjust if possible.

I'm limiting all NFS traffic to the local network. I have both IPTables and hosts.allow/deny set up so that if you're outside of 192.168.1.0/24 you're not able to connect.

The one thing that I'm not liking, is the only way to get IPTables and NFS server to be friendly is to disable this default line in iptables:

#-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

I've tried all sorts of rules to allow the ICMP traffic only from the local network, but everything seems to fail unless I disable this rule.

So what I'm hoping to find is whether or not #-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited is critical and/or if there's a way to still use this but override it for local icmp traffic?

I've googled all morning with no luck. Everything that was suggested failed miserably.

Thanks!

TrevorH
Site Admin
Posts: 33218
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: NFS Server + IP Tables

Post by TrevorH » 2010/11/10 01:13:40

Err, that looks suspiciously like the catch-all rule at the end of the file that rejects any traffic that hasn't already matched one of the allow rules. It isn't about controlling icmp traffic but rejecting anything that isn't already allowed with an icmp-host-prohibited message back to the source IP address. Disabling that probably just allows all traffic. Are you sure that you really need to wall off NFS traffic using iptables anyway? Isn't the security in /etc/exports enough?

[code]
$ cat /etc/exports
/exports/directory 192.168.1.0/24(ro,async)
[/code]

Or if you must have iptables rules in place then [url=http://www.cyberciti.biz/faq/centos-fedora-rhel-iptables-open-nfs-server-ports/]here[/url] is a guide on how to do that. By default nfs uses dynamic ports so you have to fix them using those instructions and then use iptables rules that refer to those ports.
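The approach TrevorH describes, as an added worked example that is not from either post or from the linked guide: pin the NFS helper daemons to fixed ports in /etc/sysconfig/nfs, then put ACCEPT rules for those ports (source-limited to the LAN) into the RH-Firewall-1-INPUT chain ahead of the catch-all REJECT, so the REJECT line from the original post stays in place. The chain name and the 192.168.1.0/24 subnet come from the thread; the helper-daemon port numbers (892, 662, 32803, 875) are sample values chosen for this example, while 111 (portmap/rpcbind) and 2049 (nfsd) are the fixed standard ports. The script only generates the configuration text; it does not touch the running firewall.

```shell
#!/bin/sh
# Added example (not from the thread or the linked guide): generate a CentOS-style
# iptables rule set that admits NFS from the LAN while keeping the catch-all REJECT.
# Assumptions: helper daemons are pinned via /etc/sysconfig/nfs using the sample
# port values below; 111 (portmap/rpcbind) and 2049 (nfsd) are the standard fixed ports.

LAN=${LAN:-192.168.1.0/24}
CHAIN=RH-Firewall-1-INPUT

# nfs_sysconfig: variables for /etc/sysconfig/nfs so mountd, statd, lockd and
# rquotad stop choosing random ports (sample port numbers, chosen for this example).
nfs_sysconfig() {
    cat <<EOF
MOUNTD_PORT=892
STATD_PORT=662
LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32803
RQUOTAD_PORT=875
EOF
}

# nfs_rules: one ACCEPT rule per protocol/port pair, restricted to the LAN source.
# Anything from outside the LAN never matches these and falls through to REJECT.
nfs_rules() {
    for spec in tcp:111 udp:111 tcp:2049 udp:2049 tcp:892 udp:892 \
                tcp:662 udp:662 tcp:32803 udp:32803 tcp:875 udp:875; do
        proto=${spec%%:*}
        port=${spec##*:}
        echo "-A $CHAIN -s $LAN -p $proto -m $proto --dport $port -j ACCEPT"
    done
}

# ruleset: complete iptables-restore fragment in the layout /etc/sysconfig/iptables
# uses. The NFS ACCEPT rules sit before the catch-all REJECT, which is left enabled.
ruleset() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:$CHAIN - [0:0]
-A INPUT -j $CHAIN
-A FORWARD -j $CHAIN
-A $CHAIN -i lo -j ACCEPT
-A $CHAIN -m state --state ESTABLISHED,RELATED -j ACCEPT
$(nfs_rules)
-A $CHAIN -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# accept_before_reject: succeeds only if no ACCEPT rule comes after the REJECT,
# i.e. the ordering mistake that makes NFS look "blocked by the REJECT rule" is absent.
accept_before_reject() {
    ruleset | awk '/-j REJECT/ { seen = 1 }
                   /-j ACCEPT/ && seen { bad = 1 }
                   END { exit bad }'
}

# Usage (as root): append nfs_sysconfig output to /etc/sysconfig/nfs, restart the
# nfs service, then:  ruleset > /etc/sysconfig/iptables && service iptables restart
```

Because the ACCEPT rules carry `-s 192.168.1.0/24`, a host outside that subnet still hits the REJECT line and receives icmp-host-prohibited, which is the behaviour the original catch-all is there to provide; the /etc/exports restriction and hosts.allow/deny remain as the second and third layers.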
