Solved

RHEL5 kickstart iptables configuration

Posted on 2009-05-19
Last Modified: 2013-12-16
I am trying to deploy several workstations via kickstart.
The media is exported via nfs on a RHEL5.3 server.
If I turn off iptables on the server my kickstart installation works, however when I enable iptables on the server the clients show an "Error downloading kickstart file" message.

I have set nfs to static ports and enabled these in the iptables. I can mount directories manually without problem via another linux box with iptables enabled on the server, however it fails when kickstart does an nfs mount. Kickstart nfs mount only works when iptables is disabled on the server.

What changes and ports need to be enabled in iptables?
Question by:1Tsupp
Expert Comment

by:Michael W
On the NFS server, do the following: 'rpcinfo -p <server IP address>'. See which ports are being assigned to the NFS modules.

Restart nfs, run rpcinfo again and see if the ports change. If so, then portmapper is still being used to control the ports.
Expert Comment

by:Duncan Roe
Kickstart uses tftp in the early stages, so you need to allow that.
Otherwise I suggest you log the packets you drop (e.g. with a logdrop chain as per attachment). That way, you will quickly learn what else you may need to open.
# A chain to log & drop a packet, except don't log FIN pkts
iptables -N logdrop
# FIN packets are dropped silently so connection teardowns do not clutter the log
iptables -A logdrop -p tcp -m tcp --tcp-flags FIN FIN -j DROP
# Everything else is logged at debug level (kernel log / syslog), then dropped
iptables -A logdrop -j LOG --log-level debug
iptables -A logdrop -j DROP

Accepted Solution

by: 1Tsupp
Thanks, I'll try the logs if there are any more problems, but I've been able to fix it with the following iptables rules:

# NetBIOS/SMB (Samba); unrelated to the NFS traffic itself
-A RH-Firewall-1-INPUT -p udp -m udp --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
# portmapper
-A RH-Firewall-1-INPUT -m state --state NEW -p udp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 111 -j ACCEPT
# nfsd
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p udp --dport 2049 -j ACCEPT
# static NFS helper ports (these match the RHEL defaults in /etc/sysconfig/nfs:
# lockd UDP 32769, mountd 892, rquotad 875, statd 662)
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 32769 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p udp --dport 32769 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 892 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p udp --dport 892 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 875 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p udp --dport 875 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 662 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p udp --dport 662 -j ACCEPT
# replies and related traffic for connections already accepted above
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
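To act on Duncan Roe's suggestion of logging dropped packets and reading off what still needs opening, here is an added example (not code from this thread) that parses kernel LOG lines of the kind the logdrop chain writes, tallies them by protocol and destination port, and prints candidate ACCEPT rules in the same RH-Firewall-1-INPUT form the asker ended up with. The log lines are constructed samples, and the function names are mine.

```python
import re
from collections import Counter

# Constructed sample of kernel LOG output, in the format the iptables LOG
# target writes to /var/log/messages (addresses are from a documentation range).
SAMPLE_LOG = """\
May 19 10:01:02 nfssrv kernel: IN=eth0 OUT= SRC=192.0.2.50 DST=192.0.2.10 LEN=60 TTL=64 ID=0 DF PROTO=TCP SPT=862 DPT=2049 WINDOW=5840 RES=0x00 SYN URGP=0
May 19 10:01:02 nfssrv kernel: IN=eth0 OUT= SRC=192.0.2.50 DST=192.0.2.10 LEN=84 TTL=64 ID=0 DF PROTO=UDP SPT=706 DPT=111 LEN=64
May 19 10:01:03 nfssrv kernel: IN=eth0 OUT= SRC=192.0.2.50 DST=192.0.2.10 LEN=84 TTL=64 ID=0 DF PROTO=UDP SPT=706 DPT=111 LEN=64
May 19 10:01:03 nfssrv kernel: IN=eth0 OUT= SRC=192.0.2.51 DST=192.0.2.10 LEN=84 TTL=64 ID=0 DF PROTO=UDP SPT=708 DPT=111 LEN=64
May 19 10:01:04 nfssrv kernel: IN=eth0 OUT= SRC=192.0.2.50 DST=192.0.2.10 LEN=72 TTL=64 ID=0 DF PROTO=UDP SPT=709 DPT=892 LEN=52
May 19 10:01:05 nfssrv kernel: IN=eth0 OUT= SRC=192.0.2.50 DST=192.0.2.10 LEN=84 TTL=64 ID=0 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
"""

# Only the KEY=value fields needed for the tally; other LOG fields are ignored.
FIELD_RE = re.compile(r"\b(PROTO|DPT|SRC|DST)=(\S+)")

def parse_log_line(line):
    """Return {field: value} for the fields we care about, or None if not a LOG line."""
    fields = dict(FIELD_RE.findall(line))
    return fields if "PROTO" in fields else None

def count_dropped(log_text):
    """Tally dropped packets by (proto, dport); ICMP and others carry no port."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if f is None:
            continue
        counts[(f["PROTO"].lower(), f.get("DPT", "-"))] += 1
    return counts

def suggest_rules(counts, chain="RH-Firewall-1-INPUT"):
    """Candidate ACCEPT rules, most-hit first, for a human to review before adding."""
    rules = []
    for (proto, dport), n in counts.most_common():
        if proto not in ("tcp", "udp"):
            continue  # nothing to open by port; ICMP etc. is a separate decision
        rules.append(f"-A {chain} -m state --state NEW -p {proto} --dport {dport} -j ACCEPT  # {n} drops")
    return rules

if __name__ == "__main__":
    print("\n".join(suggest_rules(count_dropped(SAMPLE_LOG))))
```

Review each suggested port against `rpcinfo -p` on the server before adding it, so that only the NFS helpers you actually run get opened.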