
The Natural Philosopher (12-01-18, 05:24 PM)
I have two Virtual private servers out there somewhere on the Internet.
To manage them I mount various directories on my local PC via a NAT router.

Yesterday I replaced my old one with a new Draytek 2762

Now I can't mount either one from inside my NAT network. I can cross
mount them one upon the other OK, so there is no issue with the servers
themselves.

Has to be a router setting, but I cannot see what.

Any ideas?
Robert Heller (12-01-18, 05:54 PM)
Look at the router's firewall settings. You need ports 2049/tcp and/or
2049/udp (nfsd), possibly ports 111/tcp and/or 111/udp (sunrpc), and maybe
875/tcp and/or 875/udp (rquotad) open (at least for the Virtual private
servers' IP addresses). By default firewalls usually block these ports.

At Sat, 1 Dec 2018 15:24:15 +0000 The Natural Philosopher <tnp> wrote:
[..]
The Natural Philosopher (12-01-18, 08:26 PM)
On 01/12/2018 15:54, Robert Heller wrote:
> Look at the router's firewall settings. You need ports 2049/tcp and/or
> 2049/udp (nfsd), possibly ports 111/tcp and/or 111/udp (sunrpc), and maybe
> 875/tcp and/or 875/udp (rquotad) open (at least for the Virtual private
> servers' IP addresses). By default firewalls usually block these ports.


I've opened up ALL ports so that there is no firewall allegedly between
my LAN and these machines.

At each end it's a 'pass everything' statement.

No joy.
[..]
The Natural Philosopher (12-01-18, 08:37 PM)
On 01/12/2018 15:54, Robert Heller wrote:
> Look at the router's firewall settings. You need ports 2049/tcp and/or
> 2049/udp (nfsd), possibly ports 111/tcp and/or 111/udp (sunrpc), and maybe
> 875/tcp and/or 875/udp (rquotad) open (at least for the Virtual private
> servers' IP addresses). By default firewalls usually block these ports.


I can telnet to the first two ports tcp wise

The third (875) gives me connection refused. But it does that from a
host that can mount the exports as well

Onwards and downwards
Andreas Kohlbach (12-01-18, 10:11 PM)
On Sat, 1 Dec 2018 18:37:24 +0000, The Natural Philosopher wrote:
> On 01/12/2018 15:54, Robert Heller wrote:
> I can telnet to the first two ports tcp wise
> The third (875) gives me connection refused. But it does that from a
> host that can mount the exports as well
> Onwards and downwards


Have a port scanner like nmap installed?

Assuming it's port 2049 try

nmap -p 2049 1.2.3.4

with 1.2.3.4 being the IP of the machine to scan.
Robert Heller (12-01-18, 10:33 PM)
At Sat, 1 Dec 2018 18:37:24 +0000 The Natural Philosopher <tnp> wrote:

> On 01/12/2018 15:54, Robert Heller wrote:
> > Look at the router's firewall settings. You need ports 2049/tcp and/or
> > 2049/udp (nfsd), possibly ports 111/tcp and/or 111/udp (sunrpc), and maybe
> > 875/tcp and/or 875/udp (rquotad) open (at least for the Virtual private
> > servers' IP addresses). By default firewalls usually block these ports.

> I can telnet to the first two ports tcp wise


What about udp? Are the servers set up to accept these connections on *tcp*?
Normally nfs uses udp (at least traditionally).

> The third (875) gives me connection refused. But it does that from a
> host that can mount the exports as well


The third port (875) might not be needed -- it relates to disk quotas.

Note: these must be *outbound* from your NAT network, not inbound. Check to
see if there is an *outbound* firewall. *Some* routers implement an
*outbound* firewall -- not all do (there is questionable reason to do so,
unless you want to impose "parental/big brother" type of control).
Aragorn (12-01-18, 11:02 PM)
On Sat, 01 Dec 2018 14:33:58 -0600, Robert Heller wrote:

> At Sat, 1 Dec 2018 18:37:24 +0000 The Natural Philosopher
> <tnp> wrote:
> What about udp? Are the servers setup to accept these connections on
> *tcp*.
> Normally nfs uses udp (at least traditionally).


Up until NFSv3, that was the case, yes, but NFSv4 supports both UDP and
TCP. ;)
Pascal Hambourg (12-02-18, 10:39 AM)
Le 01/12/2018 à 19:37, The Natural Philosopher a écrit :
> On 01/12/2018 15:54, Robert Heller wrote:
> I can telnet to the first two ports tcp wise


In order to investigate, you can run a packet tracer at both ends and
compare the traces.

match : remote address and not SSH port.
The Natural Philosopher (12-02-18, 11:32 AM)
On 01/12/2018 20:11, Andreas Kohlbach wrote:
> nmap -p 2049 1.2.3.4


That works OK.

And indeed I can telnet to the ports. It's possibly the reverse direction
that is the issue.
The Natural Philosopher (12-02-18, 11:35 AM)
On 01/12/2018 20:33, Robert Heller wrote:
> At Sat, 1 Dec 2018 18:37:24 +0000 The Natural Philosopher <tnp> wrote:
> What about udp? Are the servers setup to accept these connections on *tcp*.
> Normally nfs uses udp (at least traditionally).
> The third port (875) might not be needed -- it relates to disk quotas.
> Note: these must be *outbound* from your NAT network, not inbound. Check to
> see if there is an *outbound* firewall. *Some* routers implement an
> *outbound* firewall -- not all do (there is questionable reason to do so,
> unless you want to impose "parental/big brother" type of control.

I am pretty certain I have switched off anything that looks suspect.


There is a delay before the 'server refused connection' message that
suggests that a response is being blocked, but not the initial one, as
it seems to know a server is in fact there....

It reminds me of the old FTP days ...where the back channel could not be
opened.

Does anyone know a typical sequence of port exchanges that characterise
an NFS mount process?

Or how to check UDP access?
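One way to answer the "how to check UDP access" question, added here as my own example and not anything posted in the thread: hand-build the portmapper GETPORT call that rpcinfo sends over UDP/111 and see whether an answer comes back. A timeout means the request or the reply was dropped on the path; a port number (or 0 for an unregistered program) shows UDP works in both directions. The host address is a placeholder.

```python
import socket
import struct

PMAP_PROG, PMAP_VERS, PMAP_GETPORT = 100000, 2, 3   # portmapper (RFC 1833)
NFS_PROG, MOUNT_PROG = 100003, 100005
PROTO_TCP, PROTO_UDP = 6, 17


def build_getport(xid, prog, vers, proto):
    """Encode one RPCv2 CALL to PMAPPROC_GETPORT with AUTH_NULL credentials."""
    # call header: xid, msg_type=CALL(0), rpcvers=2, prog, vers, proc
    hdr = struct.pack(">6I", xid, 0, 2, PMAP_PROG, PMAP_VERS, PMAP_GETPORT)
    auth = struct.pack(">4I", 0, 0, 0, 0)            # cred + verf: AUTH_NULL, empty
    args = struct.pack(">4I", prog, vers, proto, 0)  # mapping: prog, vers, prot, port
    return hdr + auth + args


def parse_getport_reply(data, xid):
    """Decode the GETPORT reply; returns the port (0 = program not registered)."""
    rxid, mtype, rstat = struct.unpack_from(">3I", data, 0)
    if rxid != xid or mtype != 1:              # 1 = REPLY
        raise ValueError("not a reply to our request")
    if rstat != 0:                             # 0 = MSG_ACCEPTED
        raise ValueError("rpc call denied, reply_stat=%d" % rstat)
    _flavor, vlen = struct.unpack_from(">2I", data, 12)
    off = 20 + ((vlen + 3) & ~3)               # skip verifier body, XDR 4-byte padded
    astat, port = struct.unpack_from(">2I", data, off)
    if astat != 0:                             # 0 = SUCCESS
        raise ValueError("rpc accept_stat=%d" % astat)
    return port


def probe_udp_getport(host, prog, vers, proto, timeout=3.0, xid=0x1EAD):
    """Ask the server's portmapper over UDP/111 where prog/vers/proto lives.
    Returns the port, 0 if not registered, or None when no UDP answer came
    back within the timeout (request or reply dropped somewhere on the path)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_getport(xid, prog, vers, proto), (host, 111))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_getport_reply(data, xid)


if __name__ == "__main__":
    HOST = "192.0.2.10"   # placeholder: put your own VPS's public address here
    for name, prog in (("mountd", MOUNT_PROG), ("nfs", NFS_PROG)):
        for pname, proto in (("udp", PROTO_UDP), ("tcp", PROTO_TCP)):
            print(name, pname, probe_udp_getport(HOST, prog, 3, proto))
```

Compare the result with `rpcinfo -p` run on the server itself: if rpcinfo lists the program but the probe times out, the UDP path through the router is what is broken.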
The Natural Philosopher (12-02-18, 11:36 AM)
On 01/12/2018 21:02, Aragorn wrote:
[..]
The Natural Philosopher (12-02-18, 11:37 AM)
On 02/12/2018 08:39, Pascal Hambourg wrote:
> Le 01/12/2018 à 19:37, The Natural Philosopher a écrit :
> In order to investigate, you can run a packet tracer at both ends and
> compare the traces.


My god. Long time since I did that. Can you give me some pointers?

Last time I did that was back in the 1990s...
Michael Bäuerle (12-02-18, 12:19 PM)
Aragorn wrote:
> On Sat, 01 Dec 2018 14:33:58 -0600, Robert Heller wrote:
> Up until NFSv3, that was the case, yes, but NFSv4 supports both UDP and
> TCP. ;)


Adding the "tcp" mount option should be sufficient for older NFS
versions. Example for NFSv3:
|
| # mount
| [...]
| Server:/svr/pub on /mnt/Server_pub type nfs (rw,relatime,vers=3,rsize=32768,wsize=32768,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=192.168.10.2,mountvers=3,mountport=49206,mountproto=tcp,local_lock=none,addr=192.168.10.2)
^^^ ^^^^^^ ^^^^^^^^^

Even this decades old machine offers TCP for NFSv2:
|
| # rpcinfo -p OldMachine
|    program vers proto   port  service
|     100000    2   tcp    111  portmapper
|     100000    2   udp    111  portmapper
|  545580417    1   udp    668  ugidd
|  545580417    1   tcp    670  ugidd
|     100005    1   udp    608  mountd
|     100005    2   udp    608  mountd
|     100005    1   tcp    611  mountd
|     100005    2   tcp    611  mountd
|     100003    2   udp   2049  nfs
|     100003    2   tcp   2049  nfs
The Natural Philosopher (12-02-18, 12:27 PM)
On 02/12/2018 10:19, Michael Bäuerle wrote:
> Aragorn wrote:
> Adding the "tcp" mount option should be sufficient for older NFS
> versions. Example for NFSv3:

# mount -t nfs -o proto=tcp vps1.xxx.co.uk:/home/xxx /mnt
mount.nfs: access denied by server while mounting vps1.xxx.co.uk:/home/xxx

:(
[..]
Pascal Hambourg (12-02-18, 05:37 PM)
Le 02/12/2018 à 10:37, The Natural Philosopher a écrit :
> On 02/12/2018 08:39, Pascal Hambourg wrote:
>> In order to investigate, you can run a packet tracer at both ends and
>> compare the traces.

> My god. Long time since I did that. Can you give me some pointers? (...)
>> match : remote address and not SSH port.


tcpdump -ni $Interface host $RemotePublicAddress and not port $SshPort

Interface = network interface towards internet
RemotePublicAddress = public IP address of the other party
SshPort = port used for the current SSH connection

The purpose of the last two options is to filter out noise.
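To make the two-ended comparison Pascal describes concrete, here is an added example of mine (not from any poster) that reduces two `tcpdump -n` traces to the server-side ports seen in each direction and reports what went missing between the ends. Keying on the server's port, rather than the client's, is what makes the traces comparable despite NAT rewriting the client's address and source port. The sample traces and addresses are constructed.

```python
import re
from collections import Counter

# tcpdump -n line: "IP <src>.<sport> > <dst>.<dport>: Flags [...]" for TCP,
# "IP <src>.<sport> > <dst>.<dport>: UDP, length N" for UDP.
PKT = re.compile(r"\bIP (\S+)\.(\d+) > (\S+)\.(\d+): (Flags|UDP)")


def server_flows(trace_lines, server_addr):
    """Reduce one trace to a Counter of (direction, proto, server_port)."""
    seen = Counter()
    for line in trace_lines:
        m = PKT.search(line)
        if not m:
            continue
        src, sport, dst, dport, kind = m.groups()
        proto = "tcp" if kind == "Flags" else "udp"
        if dst == server_addr:
            seen[("to_server", proto, int(dport))] += 1
        elif src == server_addr:
            seen[("from_server", proto, int(sport))] += 1
    return seen


def compare_traces(client_lines, server_lines, server_addr):
    """Requests the client sent that never arrived, and replies the server
    sent that never came back: each points at one direction of the path."""
    c = server_flows(client_lines, server_addr)
    s = server_flows(server_lines, server_addr)
    return {
        "never_arrived": {k for k in c if k[0] == "to_server" and k not in s},
        "reply_lost": {k for k in s if k[0] == "from_server" and k not in c},
    }


# Constructed sample traces (not from the thread): the TCP handshake to 111
# completes, the UDP request reaches the server, but its UDP reply is dropped.
CLIENT_TRACE = """\
10:00:00.000001 IP 192.168.1.10.40000 > 203.0.113.5.111: Flags [S], seq 1, win 64240, length 0
10:00:00.010000 IP 203.0.113.5.111 > 192.168.1.10.40000: Flags [S.], seq 2, ack 2, win 65160, length 0
10:00:00.020000 IP 192.168.1.10.40001 > 203.0.113.5.111: UDP, length 56
""".splitlines()
SERVER_TRACE = """\
10:00:00.005000 IP 198.51.100.7.40000 > 203.0.113.5.111: Flags [S], seq 1, win 64240, length 0
10:00:00.005500 IP 203.0.113.5.111 > 198.51.100.7.40000: Flags [S.], seq 2, ack 2, win 65160, length 0
10:00:00.025000 IP 198.51.100.7.40001 > 203.0.113.5.111: UDP, length 56
10:00:00.025500 IP 203.0.113.5.111 > 198.51.100.7.40001: UDP, length 28
""".splitlines()

if __name__ == "__main__":
    print(compare_traces(CLIENT_TRACE, SERVER_TRACE, "203.0.113.5"))
```

With real captures, feed each side's `tcpdump -n` output (saved with `-w` and replayed with `-r`, or written as text) through the same functions with the VPS's public address as `server_addr`.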