Solved

RHEL5 kickstart iptables configuration

Posted on 2009-05-19
5
1,245 Views
Last Modified: 2013-12-16
I am trying to deploy several workstations via kickstart.
The media is exported via nfs on a RHEL5.3 server
If I turn off iptables on the server my kickstart installation works, however when I enable iptables on the server the clients show an error Error downloading kickstart file message.

I have set nfs to static ports and enabled these in the iptables. I can mount directories manually without problem via another linux box with iptables enabled on the server, however it fails when kickstart does an nfs mount. Kickstart nfs mount only works when iptables is disabled on the server.

What changes and ports need to be enabled in iptables?
0
Comment
Question by:1Tsupp
5 Comments
 
LVL 29

Expert Comment

by:Michael W
ID: 24430508
On the NFS server, do the following: 'rpcinfo -p <server IP address>'. See which ports are being assigned to the NFS modules.

Restart nfs, run rpcinfo again and see if the the ports change. If so, then portmapper is still being used to control the ports.
0
 
LVL 34

Expert Comment

by:Duncan Roe
ID: 24430534
Kickstart uses tftp in the early stages, so you need to allow that.
Otherwise I suggest you log the packets you drop (e.g. with a logdrop chain as per attachment). That way, you will quickly learn what else you may need to open.
# A chain to log & drop a packet, except don't log FIN pkts
iptables -N logdrop
iptables -A logdrop -p tcp -m tcp --tcp-flags FIN FIN -j DROP
iptables -A logdrop -j LOG --log-level debug
iptables -A logdrop -j DROP

Open in new window

0
 

Accepted Solution

by:
1Tsupp earned 0 total points
ID: 24430587
Thanks, i'll try the logs if there any more problems but i've been able to fix it with the following iptables rules:

-A RH-Firewall-1-INPUT  -p udp -m udp --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT  -p udp -m udp --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
-A RH-Firewall-1-INPUT  -m state --state NEW -p udp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT  -m state --state NEW -p tcp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT  -m state --state NEW -p tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT  -m state --state NEW -p udp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT  -m state --state NEW -p tcp --dport 32769 -j ACCEPT
-A RH-Firewall-1-INPUT  -m state --state NEW -p udp --dport 32769 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 892 -j ACCEPT
-A RH-Firewall-1-INPUT  -m state --state NEW -p udp --dport 892 -j ACCEPT
-A RH-Firewall-1-INPUT  -m state --state NEW -p tcp --dport 875 -j ACCEPT
-A RH-Firewall-1-INPUT  -m state --state NEW -p udp --dport 875 -j ACCEPT
-A RH-Firewall-1-INPUT  -m state --state NEW -p tcp --dport 662 -j ACCEPT
-A RH-Firewall-1-INPUT  -m state --state NEW -p udp --dport 662 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
0

Featured Post

NAS Cloud Backup Strategies

This article explains backup scenarios when using network storage. We review the so-called “3-2-1 strategy” and summarize the methods you can use to send NAS data to the cloud

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

SSH (Secure Shell) - Tips and Tricks As you all know SSH(Secure Shell) is a network protocol, which we use to access/transfer files securely between two networked devices. SSH was actually designed as a replacement for insecure protocols that sen…
The purpose of this article is to show how we can create Linux Mint virtual machine using Oracle Virtual Box. To install Linux Mint we have to download the ISO file from its website i.e. http://www.linuxmint.com. Once you open the link you will see …
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

815 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now