Re: [CentOS] portmap/NIS mystery
Boris Epstein wrote: Hello all, I have a server on my private network that is configured as an NIS server and mapped to a public IP address on a firewall. All other TCP ports (SSH, iperf, you name it) are visible from the outside - but the portmapper-managed ports (port 111 itself and the YPSERV/YPXFRD ports, etc.) are not visible from the outside - even though they are alive and well on the internal network. So, here's the question: is there anything special as far as portmapper's networking/security setup that is at play here? Is it open to the correct destination in iptables? mark ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] portmap/NIS mystery
On Thu, May 31, 2012 at 5:08 PM, m.r...@5-cent.us wrote: Boris Epstein wrote: Hello all, I have a server on my private network that is configured as an NIS server and mapped to a public IP address on a firewall. All other TCP ports (SSH, iperf, you name it) are visible from the outside - but the portmapper-managed ports (port 111 itself and the YPSERV/YPXFRD ports, etc.) are not visible from the outside - even though they are alive and well on the internal network. So, here's the question: is there anything special as far as portmapper's networking/security setup that is at play here? Is it open to the correct destination in iptables? mark ___ I believe so. Basically, iptables is set to forward any and all traffic arriving on an external public IP to the internal private one. For multiple ports it seems to work fine. I use the same approach to forward NFS mounts to a private NFS server on the same private network - and that works like a charm which actually makes it even more mysterious, IMO. Boris. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] portmap/NIS mystery
On Thu, 31 May 2012, Boris Epstein wrote: On Thu, May 31, 2012 at 5:08 PM, m.r...@5-cent.us wrote: Boris Epstein wrote: Hello all, I have a server on my private network that is configured as an NIS server and mapped to a public IP address on a firewall. All other TCP ports (SSH, iperf, you name it) are visible from the outside - but the portmapper-managed ports (port 111 itself and the YPSERV/YPXFRD ports, etc.) are not visible from the outside - even though they are alive and well on the internal network. So, here's the question: is there anything special as far as portmapper's networking/security setup that is at play here? Is it open to the correct destination in iptables? I believe so. Basically, iptables is set to forward any and all traffic arriving on an external public IP to the internal private one. For multiple ports it seems to work fine. I use the same approach to forward NFS mounts to a private NFS server on the same private network - and that works like a charm which actually makes it even more mysterious, IMO. I'll note that access to portmap can be manipulated via /etc/hosts.{allow,deny}, just in case that's an issue here. -- Paul Heinlein heinl...@madboa.com 45°38' N, 122°6' W___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] portmap/NIS mystery
On Thu, May 31, 2012 at 5:27 PM, Paul Heinlein heinl...@madboa.com wrote: On Thu, 31 May 2012, Boris Epstein wrote: On Thu, May 31, 2012 at 5:08 PM, m.r...@5-cent.us wrote: Boris Epstein wrote: Hello all, I have a server on my private network that is configured as an NIS server and mapped to a public IP address on a firewall. All other TCP ports (SSH, iperf, you name it) are visible from the outside - but the portmapper-managed ports (port 111 itself and the YPSERV/YPXFRD ports, etc.) are not visible from the outside - even though they are alive and well on the internal network. So, here's the question: is there anything special as far as portmapper's networking/security setup that is at play here? Is it open to the correct destination in iptables? I believe so. Basically, iptables is set to forward any and all traffic arriving on an external public IP to the internal private one. For multiple ports it seems to work fine. I use the same approach to forward NFS mounts to a private NFS server on the same private network - and that works like a charm which actually makes it even more mysterious, IMO. I'll note that access to portmap can be manipulated via /etc/hosts.{allow,deny}, just in case that's an issue here. -- Paul Heinlein heinl...@madboa.com 45°38' N, 122°6' W ___ Paul, Thanks. I thought the same thing. I have two CentOS 6.2 machines, hosts.allow and hosts.deny are blank on both, both get redirected traffic via the firewall in the same fashion. Yet you can connect to one on port 111 (RPC mapper) from the outside but not to the other! Boris. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos