I have been having similar problems too, but w/ NAT & IPTables I've had
the headnode lock up after a user logs in. I found a thread on the
netfilter list which said that there was a 'RPC connection tracking/NAT
helper'. So knowing this I implemented a firewall w/ IPChains and had the
following error when connecting to a Network Appliance filer:
[root@node21 log]# mount filer:/home /home
mount: RPC: Authentication error; why = Client credential too weak
but for some odd reason I was able to get UDP NFS to work via IPChains NAT
to a Sun Solaris NFS share. I believe the NetApp box is having issues w/
the IPChains firewall attempting to make udp connections from a port
higher than 1024. I've also tried NFS over TCP w/ no luck.
Make sure that you can perform an 'rpcinfo -p <sun filer>' from your
compute nodes. If you can, then you should be able to talk 'nfs' w/ them.
I would also suggest running 'snoop' from your Sun server to see if any
traffic from your cluster is reaching it.
Matt - if you want my IPChains code please let me know.
Currently I don't have a solution to my problem, so if anyone is
interested in tackling it too that would be great ;). I also have some
ascii art:
office floor | machine room
| ------------------------------------------
----- | | *CLUSTER* nfs+nis |
|filer| cat5 - | - | nfs + nis - ------- |
|(nfs)|--------|s| |s| | ----------- |s| cat5 | | |
----- |w|fibre|w|cat5 |(nfs & nat)| |w|------|eth0 | |
|i|-----|i|-----|eth1 | |i| ------- |
------ cat5 |t| |t| | | eth2|------|t| COMPUTE |
| nis |-------|c| | |c| | ----------- fibre |c| NODE |
|master| |h| | |h| | MANAGER |h| |
------ - | _ | *CLUSTER* _ |
| ------------------------------------------
office floor | machine room
-Mike
--
mike hanulec email: [EMAIL PROTECTED]
system manager, nyc office: 646.366.9555 x125
schrodinger, inc. cell: 516.410.4478
On Wed, 20 Mar 2002, Matthew Bohnsack wrote:
> I'm trying to get NFS working over NAT with iptables on a cluster that
> I'm currently working on. Security isn't really a huge concern. The
> main focus is functionality.... getting nodes on a private network to
> access NFS resources on a public network.
>
> The setup looks something like the following:
>
> +----------------+
> | Sun NFS Server |
> +----------------+
> | 10.0.0.1
> |
> | eth1 10.0.0.2
> +---------------------+
> | HeadNode / Firewall | (Linux 2.4)
> +---------------------+
> | eth0 192.168.1.254
> |
> -------------------------------------
> | |
> | 192.168.1.1 | 192.168.1.64
> +---------+ +--------+
> | node1 | (Linux) ... | node64 | (Linux)
> +---------+ +--------+
>
> The idea is that compute nodes (node1 - node64) will NFS mount exports
> that exist outside of the private cluster network (on 10.0.0.0 in my
> example).
>
> When compute nodes have a default route of 192.168.1.254 and the
> headnode/firewall has a simple iptables ruleset consisting of...
>
> iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
> or
> iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to 192.168.1.254
>
> NAT (node1-64 accessing machines in the 10.0.0.2 network) works fine for
> stuff like ssh, telnet, http, etc., but attempts to do NFS give a RPC
> timeout error... "mount: RPC: Timed out"
>
> Has anyone here ever done this? I've heard reports of this working, but
> haven't been able to locate any good details. It's pretty clear that the
> RPC/portmap stuff associated with NFS is where my problems are coming
> from.
>
> Thanks for any pointers.
>
> -Matt
> --
> Matt Bohnsack <[EMAIL PROTECTED]>
> http://bohnsack.com/ http://x-cat.org/
> _______________________________________________
> xCAT-user mailing list
> [EMAIL PROTECTED]
> http://x-cat.org/mailman/listinfo/xcat-user
>