/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting! */


Because rpc services use different ports on every machine, which can even
change when you reboot, I've written this little scriptlet that will
figure out which ports mountd and other daemons are listening at and make
ipchains rules for them. Other rpc services should be easy to add; I only
use NFS, so that's what I needed. If you have a lax ruleset, you probably
won't need this; my firewall has pretty strict access control, so this
works quite well for me. Enjoy.

Dan Debertin
[EMAIL PROTECTED]



#!/bin/sh
# experimental script to awk out the ports that the nfs servers are listening at
# and make ipchains rules for them.
# the main problem is mountd. By convention, nfsd listens on udp port 2049,
# and portmap on 111, so those shouldn't be a problem.
#
# -n keeps the ports numeric (without it 111 is printed as "sunrpc"), and the
# port is whatever follows the last ":" of the local-address column, which is
# more robust than cutting fixed character positions. $NF is the PID/Program
# column on both tcp and udp lines (udp lines have no State column), and the
# pattern also matches "rpc.mountd". netstat -p only shows other users'
# processes when run as root.
tcpmountd=`netstat -a -n -p | awk '$1~/tcp/ && $NF~/mountd/ {sub(/.*:/,"",$4); print $4}' | sort -u`
udpmountd=`netstat -a -n -p | awk '$1~/udp/ && $NF~/mountd/ {sub(/.*:/,"",$4); print $4}' | sort -u`
portmap=111
nfsd=2049 # any reasonably sane system will have nfsd at 2049.
          # Check your netstat -a -p output.
servhost="your.server.ip.here"
clihost="your.client.ip.here/mask"

# refuse to go on with an empty port: an ipchains rule with a missing port
# argument would either be rejected or match far more than intended.
if [ -z "$tcpmountd" ] || [ -z "$udpmountd" ]; then
    echo "mountd not found in netstat -a -n -p output (is it running? are you root?)" >&2
    exit 1
fi

# unsure what the range of client ports for nfs is. tcpdump reports that
# they start around 700, though.
cliports=700:1024

/sbin/ipchains -A input  -p udp -s $clihost $cliports -d $servhost $portmap -j ACCEPT
/sbin/ipchains -A output -p udp -s $servhost $portmap -d $clihost $cliports -j ACCEPT
# netstat may list more than one mountd port; loop over whatever it found.
for p in $tcpmountd; do
    /sbin/ipchains -A input  -p tcp -s $clihost $cliports -d $servhost $p -j ACCEPT
    /sbin/ipchains -A output -p tcp -s $servhost $p -d $clihost $cliports -j ACCEPT
done
for p in $udpmountd; do
    /sbin/ipchains -A input  -p udp -s $clihost $cliports -d $servhost $p -j ACCEPT
    /sbin/ipchains -A output -p udp -s $servhost $p -d $clihost $cliports -j ACCEPT
done
/sbin/ipchains -A input  -p udp -s $clihost $cliports -d $servhost $nfsd -j ACCEPT
/sbin/ipchains -A output -p udp -s $servhost $nfsd -d $clihost $cliports -j ACCEPT

_______________________________________________
Masq maillist  -  [EMAIL PROTECTED]
Admin requests can be handled at http://www.indyramp.com/masq-list/
or email to [EMAIL PROTECTED]

PLEASE read the HOWTO and search the archives before posting.
You can start your search at http://www.indyramp.com/masq/
Please keep general linux/unix/pc/internet questions off the list.
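The post's approach (discover the dynamic RPC ports, then emit ipchains rules for them) generalises to the other NFS daemons the author mentions. The following is an added example and not part of Dan's post: instead of scraping netstat it asks the portmapper itself, via `rpcinfo -p`, which is exactly where NFS clients learn these ports; it covers lockd (nlockmgr) and statd (status) as well as mountd, keeps every port a service registers rather than the first one found, prints the rules for review instead of loading them, and returns non-zero when a service is missing from the portmapper so the ruleset is not loaded with a silent hole. The `rpcinfo -p` column layout (program vers proto port service) is the one the real tool prints; the sample dump below is constructed for offline testing, and the addresses and client port range are placeholders taken over from the post.

```sh
#!/bin/sh
# Added example (not from the original post): build ipchains rules for the
# NFS-related RPC services from the portmapper registry (`rpcinfo -p`).
# Assumptions: the `rpcinfo -p` column layout (program vers proto port service)
# and the placeholder addresses below.

SERVHOST="your.server.ip.here"      # assumption: the NFS server's address
CLIHOST="your.client.ip.here/mask"  # assumption: the permitted client network
CLIPORTS="700:1024"                 # client reserved-port range, as in the post

# Constructed `rpcinfo -p` dump so the script can be exercised offline; not
# captured from a real host. status/tcp is deliberately absent.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp    635  mountd
    100005    1   tcp    635  mountd
    100005    3   tcp    635  mountd
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100021    1   udp   1026  nlockmgr
    100021    3   tcp   1027  nlockmgr
    100024    1   udp   1025  status'

# rpc_ports SERVICE PROTO  (rpcinfo -p output on stdin)
# Prints each distinct port registered for that service/protocol pair, one per
# line (several versions usually share a port, but need not). Prints nothing
# if the pair is not registered. The header line is skipped because its first
# column is not numeric.
rpc_ports() {
    awk -v svc="$1" -v proto="$2" \
        '$1 ~ /^[0-9]+$/ && $5 == svc && $3 == proto && !seen[$4]++ { print $4 }'
}

# rule SERVICE PROTO PORT: the input/output ipchains pair for one server port.
# Rules are printed, not executed, so the result can be reviewed before loading.
rule() {
    printf '# %s/%s on port %s\n' "$1" "$2" "$3"
    printf '/sbin/ipchains -A input  -p %s -s %s %s -d %s %s -j ACCEPT\n' \
        "$2" "$CLIHOST" "$CLIPORTS" "$SERVHOST" "$3"
    printf '/sbin/ipchains -A output -p %s -s %s %s -d %s %s -j ACCEPT\n' \
        "$2" "$SERVHOST" "$3" "$CLIHOST" "$CLIPORTS"
}

# gen_rules (rpcinfo -p output on stdin): emit rules for every service/proto
# pair a Linux NFS server normally registers. Returns 1 if any pair is missing
# from the portmapper, so a caller can refuse to load a ruleset that silently
# lacks, say, mountd.
gen_rules() {
    dump=$(cat)
    rc=0
    for pair in portmapper/udp mountd/tcp mountd/udp nfs/udp \
                nlockmgr/tcp nlockmgr/udp status/tcp status/udp; do
        svc=${pair%/*}
        proto=${pair#*/}
        ports=$(printf '%s\n' "$dump" | rpc_ports "$svc" "$proto")
        if [ -z "$ports" ]; then
            printf '# WARNING: %s/%s is not registered with the portmapper\n' "$svc" "$proto"
            rc=1
            continue
        fi
        for p in $ports; do
            rule "$svc" "$proto" "$p"
        done
    done
    return $rc
}

# Demo on the constructed dump. On a real server:  rpcinfo -p | gen_rules > nfs-rules.sh
printf '%s\n' "$SAMPLE_RPCINFO" | gen_rules \
    || echo "# some services were not found; review the output before loading it" >&2
```

Because the rules are emitted as text, the natural workflow is `rpcinfo -p | gen_rules > nfs-rules.sh`, a look at the file, and only then `sh nfs-rules.sh`; the non-zero exit makes it easy to stop a boot script from loading an incomplete set.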
