Hey folks, about 2 months ago I sent out a call for help on this list which,
like most such calls I've made, was duly answered by a couple of folks,
especially James S. Then my baby son was born, and we went away for a while,
and when I came back home I rebooted all my machines, ended up losing a bunch
of personal mail, and my carefully set up system no longer worked...
Goal: to set up an ssh-encrypted nfs which shares a directory on my work
computer (call it nfs.server) and either or both of two computers at home
(nfs.client).

Method: as described in James Strandboge's excellent article, "Encrypted NFS
with OpenSSH and Linux" http://linuxtoday.com/security/2002021301020SCSV .

1. set up /etc/exports: add this line:

     /home/matt/Personal 128.100.34.9(rw,insecure,root_squash)

   test it on the server:

     mount -t nfs 128.100.34.9:/home/matt /mnt/nfs

   --> works fine.

2. set up iptables. Add a file nfsforward.rul in /etc/ipmasq/rules:

     # cat nfsforward.rul
     # /sbin/iptables -A INPUT -i eth0 -p tcp -s mprice.dyndns.org --dport ssh -j ACCEPT
     # /sbin/iptables -A OUTPUT -o eth0 -p tcp --sport ssh -d mprice.dyndns.org -j ACCEPT
     # /sbin/iptables -A INPUT -i eth0 -p tcp -s mprice.dyndns.org --dport 111 -j ACCEPT
     # /sbin/iptables -A OUTPUT -o eth0 -p tcp --sport 111 -d mprice.dyndns.org -j ACCEPT
     # /sbin/iptables -A INPUT -i eth0 -p tcp -s $MATTSIP --dport ssh -j ACCEPT
     /sbin/iptables -A INPUT -i eth0 -p tcp -s $MATTSIP --dport ssh -j ACCEPT
     /sbin/iptables -A OUTPUT -o eth0 -p tcp -d $MATTSIP --sport ssh -j ACCEPT
     /sbin/iptables -A INPUT -i eth0 -p tcp -s $MATTSIP --dport 111 -j ACCEPT
     /sbin/iptables -A OUTPUT -o eth0 -p tcp --sport 111 -d $MATTSIP -j ACCEPT

   ... where $MATTSIP is passed to ipmasq whenever it's run (I have dns -- and
   if I replace $MATTSIP with an ip address, the situation doesn't change)

3. set up an ssh tunnel: first check server's ports:

     rpcinfo -p 128.100.34.9:
        program vers proto   port
         100000    2   tcp    111  portmapper
         100000    2   udp    111  portmapper
         100024    1   udp    914  status
         100024    1   tcp    917  status
         100005    1   udp    810  mountd
         100005    2   udp    810  mountd
         100005    1   tcp    813  mountd
         100005    2   tcp    813  mountd
         100003    2   udp   2049  nfs
         100003    2   tcp   2049  nfs

     ssh -f -c blowfish -L2818:128.100.34.9:2049 -L 3045:128.100.34.9:813 -l matt 128.100.34.9 /bin/sleep 86400

   tried it with the -v switch enabled, didn't get any error messages, I assume
   the tunnel is really being set up.

4. try to mount the directory on nfs.client:

     # mount -t nfs -o tcp,port=2818,mountport=3045 128.100.34.9:/home/matt/Personal /mnt/nfs
     mount: RPC: Remote system error - Connection refused

   If I try to ssh and mount from nfs.server, I have the same problem, though
   as I mentioned earlier a straight up nfs mount on nfs.server works fine:

     mount -t nfs 128.100.34.9:/home/matt/Personal /mnt/nfs

   if I briefly disable iptables:

     nfs.server# /etc/init.d/iptables stop

   (I know, this is STUPID!!!!) and try to mount the directory from
   nfs.client, I get a slightly different error:

     nfs.client# mount -t nfs 128.100.34.9:/home.matt/Personal /mnt/nfs
     mount: 128.100.34.9:/home/matt failed, reason given by server: Permission denied

   I checked in hosts.allow and found both these listings (somewhat overbroad,
   but hopefully not too terrible for the moment):

     ALL: 128.100.34.9 localhost
     ALL: 67.68.52.40

   so I don't think the problem is there.

Question: where to look now? I feel like the problem's in the tunnel -- or at
least, there is some kind of problem with the tunnel -- but I can't diagnose
it myself. who can help??

thanks as ALWAYS,
matt
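As an added example that is not part of the original post or of Strandboge's article, the script below walks the same three steps the post describes (read the server's rpcinfo table, forward the nfs and mountd TCP ports over ssh, mount through the forwarded ports) as shell functions, so each piece can be checked on its own. It embeds the post's rpcinfo output as a constructed sample, keeps the post's local ports 2818 and 3045 and the server address as the forwarding destination, and assumes the tunnel's local end is the client's loopback interface, which is where `ssh -L` listens; the `tunnel_is_up` helper only reports whether anything is listening on that local port. The ssh command it prints omits `-c blowfish`, since current OpenSSH releases no longer offer that cipher.

```shell
#!/bin/sh
# Added example: parse rpcinfo -p output, build the matching ssh port forward
# and the client-side mount command, and check that the local end of the
# tunnel is listening. Not code from the original post.

# Constructed sample: the rpcinfo -p output quoted in the post.
RPCINFO_SAMPLE='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp    914  status
    100024    1   tcp    917  status
    100005    1   udp    810  mountd
    100005    2   udp    810  mountd
    100005    1   tcp    813  mountd
    100005    2   tcp    813  mountd
    100003    2   udp   2049  nfs
    100003    2   tcp   2049  nfs'

# rpc_tcp_port SERVICE VERSION
# Reads rpcinfo -p output on stdin and prints the TCP port registered for
# SERVICE at protocol VERSION. Exits 1 when there is no such registration,
# so a missing mountd/nfs TCP entry is caught before any tunnel is built.
rpc_tcp_port() {
    awk -v svc="$1" -v ver="$2" '
        $5 == svc && $3 == "tcp" && $2 == ver { print $4; found = 1; exit }
        END { exit !found }'
}

# tunnel_cmd SERVER USER LOCAL_NFS_PORT LOCAL_MOUNT_PORT NFS_PORT MOUNTD_PORT
# Prints the ssh command that forwards the two local ports to the server's
# nfs and mountd TCP ports (destination host is SERVER, as in the post).
tunnel_cmd() {
    printf 'ssh -f -L %s:%s:%s -L %s:%s:%s -l %s %s /bin/sleep 86400\n' \
        "$3" "$1" "$5" "$4" "$1" "$6" "$2" "$1"
}

# mount_cmd LOCAL_NFS_PORT LOCAL_MOUNT_PORT EXPORT MOUNTPOINT
# Prints the client-side mount. The host is 127.0.0.1 because ssh -L listens
# on the client's loopback; the forwarded ports are given with port= and
# mountport= so the client does not ask the portmapper.
mount_cmd() {
    printf 'mount -t nfs -o tcp,port=%s,mountport=%s 127.0.0.1:%s %s\n' \
        "$1" "$2" "$3" "$4"
}

# tunnel_is_up LOCAL_PORT
# Succeeds if a TCP listener exists on LOCAL_PORT (ss, else netstat).
tunnel_is_up() {
    if command -v ss >/dev/null 2>&1; then
        ss -ltn 2>/dev/null | grep -q ":$1[[:space:]]"
    else
        netstat -ltn 2>/dev/null | grep -q ":$1[[:space:]]"
    fi
}

# Walk the post's setup against the sample table when run as a script.
NFS_PORT=$(printf '%s\n' "$RPCINFO_SAMPLE" | rpc_tcp_port nfs 2)
MOUNTD_PORT=$(printf '%s\n' "$RPCINFO_SAMPLE" | rpc_tcp_port mountd 2)
echo "server nfs tcp port: $NFS_PORT, mountd tcp port: $MOUNTD_PORT"
tunnel_cmd 128.100.34.9 matt 2818 3045 "$NFS_PORT" "$MOUNTD_PORT"
mount_cmd 2818 3045 /home/matt/Personal /mnt/nfs
if tunnel_is_up 2818; then
    echo "local port 2818 is listening"
else
    echo "nothing listening on local port 2818: tunnel not up on this host"
fi
```

Run it on the client after starting the ssh command it prints; if `tunnel_is_up` reports nothing listening, the problem is in the ssh forward rather than in NFS. Because the connections leave the tunnel on the server from the forwarding destination address, the server's /etc/exports and hosts.allow must admit that address as the NFS client, not the home machine's address.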