RHEL5 kickstart iptables configuration

Posted on 2009-05-19
Last Modified: 2013-12-16
I am trying to deploy several workstations via kickstart.
The media is exported via nfs on a RHEL5.3 server
If I turn off iptables on the server my kickstart installation works; however, when I enable iptables on the server the clients show an "Error downloading kickstart file" message.

I have set nfs to static ports and enabled these in the iptables. I can mount directories manually without problem via another linux box with iptables enabled on the server, however it fails when kickstart does an nfs mount. Kickstart nfs mount only works when iptables is disabled on the server.

What changes and ports need to be enabled in iptables?
Question by:1Tsupp
5 Comments
Expert Comment

by:Michael Worsham
ID: 24430508
On the NFS server, do the following: 'rpcinfo -p <server IP address>'. See which ports are being assigned to the NFS modules.

Restart nfs, run rpcinfo again and see if the ports change. If so, then portmapper is still being used to control the ports.
Expert Comment

by:Duncan Roe
ID: 24430534
Kickstart uses tftp in the early stages, so you need to allow that.
Otherwise I suggest you log the packets you drop (e.g. with a logdrop chain as per attachment). That way, you will quickly learn what else you may need to open.
# A chain to log & drop a packet, except don't log FIN pkts
iptables -N logdrop
iptables -A logdrop -p tcp -m tcp --tcp-flags FIN FIN -j DROP
iptables -A logdrop -j LOG --log-level debug
iptables -A logdrop -j DROP


Accepted Solution

by:1Tsupp (earned 0 total points)
ID: 24430587
Thanks, I'll try the logs if there are any more problems, but I've been able to fix it with the following iptables rules:

-A RH-Firewall-1-INPUT -p udp -m udp --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p udp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p udp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 32769 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p udp --dport 32769 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 892 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p udp --dport 892 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 875 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p udp --dport 875 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 662 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p udp --dport 662 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
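Putting the first comment (check `rpcinfo -p`, restart nfs, check whether the ports move) together with the accepted rules, here is an added shell example, not from this thread, that turns `rpcinfo -p` output into RH-Firewall-1-INPUT rules and checks that the RPC ports are stable across an NFS restart. The rpcinfo output below is constructed and assumes the static ports used in the accepted solution (mountd 892, statd 662, lockd 32769, rquotad 875).

```shell
#!/bin/sh
# Constructed sample of `rpcinfo -p` output from an NFS server whose
# daemons have been pinned to static ports (assumed values, see lead-in).
SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp    662  status
    100024    1   tcp    662  status
    100011    1   udp    875  rquotad
    100011    1   tcp    875  rquotad
    100003    2   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100021    1   udp  32769  nlockmgr
    100021    4   tcp  32769  nlockmgr
    100005    1   udp    892  mountd
    100005    3   tcp    892  mountd'

# Read rpcinfo -p text on stdin; print unique "proto port" pairs that RPC
# services are listening on (the header line has only 4 fields and is skipped).
rpc_ports() {
    awk 'NR > 1 && NF == 5 { print $3, $4 }' | sort -u
}

# Emit one ACCEPT rule per listening proto/port, in the same iptables-save
# format as the RH-Firewall-1-INPUT rules in the accepted solution.
rpc_rules() {
    rpc_ports | while read -r proto port; do
        printf '%s -m state --state NEW -p %s --dport %s -j ACCEPT\n' \
            '-A RH-Firewall-1-INPUT' "$proto" "$port"
    done
}

# Compare two rpcinfo snapshots (taken before and after `service nfs restart`).
# Returns 0 when every proto/port pair is unchanged, i.e. no daemon is still
# being handed a dynamic port by portmapper; returns 1 otherwise.
rpc_ports_stable() {
    before=$(printf '%s\n' "$1" | rpc_ports)
    after=$(printf '%s\n' "$2" | rpc_ports)
    [ "$before" = "$after" ]
}
```

On a live server, pipe the real `rpcinfo -p` into `rpc_rules`, and feed two snapshots taken around an NFS restart to `rpc_ports_stable`; any port that moves between them still needs pinning in the NFS configuration before a firewall rule for it is meaningful.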