* David Haller <dnh@opensuse.org> [04-24-14 02:51]:
> Hello,
>
> On Tue, 22 Apr 2014, Patrick Shanahan wrote:
> > From the server, 192.168.1.3:
> >   egrep 192.168.1.10.*111 /var/log/firewall
>
> I notice that the failed attempts were when the client (.10) used privileged ports (under 1024) as source-ports. When it worked, unprivileged ports were used.
>
> > What "rules" are of interest and how to show them?
>
> Those on both machines from:
>
> iptables -vL input_int | egrep 'nfs|rpc'
server (192.168.1.3):
  iptables: No chain/target/match by that name.
client (192.168.1.10):
  iptables: No chain/target/match by that name.
> iptables -vL output_int | egrep 'nfs|rpc'
server:
  iptables: No chain/target/match by that name.
client:
  iptables: No chain/target/match by that name.
> iptables -vL input_ext | egrep 'nfs|rpc'
server:
    0     0 LOG        udp  --  any    any     anywhere             anywhere             limit: avg 3/min burst 5 ctstate NEW udp dpt:sunrpc LOG level warning tcp-options ip-options prefix "SFW2-INext-ACC-RPC "
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere             udp dpt:sunrpc
    0     0 LOG        tcp  --  any    any     anywhere             anywhere             limit: avg 3/min burst 5 ctstate NEW tcp dpt:sunrpc LOG level warning tcp-options ip-options prefix "SFW2-INext-ACC-RPC "
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:sunrpc
    0     0 LOG        udp  --  any    any     anywhere             anywhere             limit: avg 3/min burst 5 ctstate NEW udp dpt:nfs LOG level warning tcp-options ip-options prefix "SFW2-INext-ACC-RPC "
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere             udp dpt:nfs
    0     0 LOG        tcp  --  any    any     anywhere             anywhere             limit: avg 3/min burst 5 ctstate NEW tcp dpt:nfs LOG level warning tcp-options ip-options prefix "SFW2-INext-ACC-RPC "
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:nfs
    0     0 LOG        tcp  --  any    any     anywhere             anywhere             limit: avg 3/min burst 5 ctstate NEW tcp dpt:nfs LOG level warning tcp-options ip-options prefix "SFW2-INext-ACC-RPC "
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:nfs

client:
    0     0 LOG        udp  --  any    any     anywhere             anywhere             ctstate NEW udp dpt:sunrpc LOG level warning tcp-options ip-options prefix "SFW2-INext-ACC-RPC "
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere             udp dpt:sunrpc
    0     0 LOG        tcp  --  any    any     anywhere             anywhere             ctstate NEW tcp dpt:sunrpc LOG level warning tcp-options ip-options prefix "SFW2-INext-ACC-RPC "
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:sunrpc
    0     0 LOG        udp  --  any    any     anywhere             anywhere             ctstate NEW udp dpt:nfs LOG level warning tcp-options ip-options prefix "SFW2-INext-ACC-RPC "
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere             udp dpt:nfs
    0     0 LOG        tcp  --  any    any     anywhere             anywhere             ctstate NEW tcp dpt:nfs LOG level warning tcp-options ip-options prefix "SFW2-INext-ACC-RPC "
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:nfs
    0     0 LOG        tcp  --  any    any     anywhere             anywhere             ctstate NEW tcp dpt:nfs LOG level warning tcp-options ip-options prefix "SFW2-INext-ACC-RPC "
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:nfs
    0     0 LOG        tcp  --  any    any     anywhere             anywhere             ctstate NEW tcp dpt:nfs LOG level warning tcp-options ip-options prefix "SFW2-INext-ACC-RPC "
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:nfs
> iptables -vL output_ext | egrep 'nfs|rpc'
server:
    0     0 LOG        udp  --  any    any     anywhere             anywhere             limit: avg 3/min burst 5 ctstate NEW udp dpt:sunrpc LOG level warning tcp-options ip-options prefix "SFW2-INext-ACC-RPC "
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere             udp dpt:sunrpc
    0     0 LOG        tcp  --  any    any     anywhere             anywhere             limit: avg 3/min burst 5 ctstate NEW tcp dpt:sunrpc LOG level warning tcp-options ip-options prefix "SFW2-INext-ACC-RPC "
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:sunrpc
    0     0 LOG        udp  --  any    any     anywhere             anywhere             limit: avg 3/min burst 5 ctstate NEW udp dpt:nfs LOG level warning tcp-options ip-options prefix "SFW2-INext-ACC-RPC "
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere             udp dpt:nfs
    0     0 LOG        tcp  --  any    any     anywhere             anywhere             limit: avg 3/min burst 5 ctstate NEW tcp dpt:nfs LOG level warning tcp-options ip-options prefix "SFW2-INext-ACC-RPC "
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:nfs
    0     0 LOG        tcp  --  any    any     anywhere             anywhere             limit: avg 3/min burst 5 ctstate NEW tcp dpt:nfs LOG level warning tcp-options ip-options prefix "SFW2-INext-ACC-RPC "
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:nfs

client:
  iptables: No chain/target/match by that name.

--
(paka)Patrick Shanahan       Plainfield, Indiana, USA          @ptilopteri
http://en.opensuse.org      openSUSE Community Member         facebook/ptilopteri
http://wahoo.no-ip.org      Photo Album: http://wahoo.no-ip.org/gallery2
Registered Linux User #207535 @ http://linuxcounter.net
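The observation in the quoted reply above (failures line up with the client using source ports below 1024) is the kind of thing that is easier to see when the firewall log is grouped by source-port class instead of eyeballed with egrep. The script below is an added example for this thread, not code from either poster or from SuSEfirewall2: it parses standard netfilter LOG lines, keeps only one client's packets to sunrpc (111) and nfs (2049), and counts them by log prefix and by privileged/unprivileged source port. The sample log lines are constructed; the "SFW2-INext-ACC-RPC" prefix is the one visible in the iptables listing, while "SFW2-INext-DROP-DEFLT" is assumed here as the default-drop prefix. One caveat worth keeping in mind while reading such a report: the Linux NFS server's default "secure" export option only accepts requests from ports below 1024, so a client that "works" from unprivileged ports is itself unusual and worth a look at the export options.

```python
"""Group SuSEfirewall2 (netfilter LOG) entries for one client by the
source-port class it used, on a saved copy of /var/log/firewall."""
import re
from collections import Counter

# Constructed sample lines in the netfilter LOG format (not from the thread).
# SFW2-INext-ACC-RPC is the prefix shown in the iptables listing above;
# SFW2-INext-DROP-DEFLT is assumed as SuSEfirewall2's default-drop prefix.
SAMPLE_LOG = """\
Apr 22 10:01:03 server kernel: SFW2-INext-ACC-RPC IN=eth0 OUT= SRC=192.168.1.10 DST=192.168.1.3 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3811 DF PROTO=TCP SPT=1020 DPT=111 WINDOW=29200 RES=0x00 SYN URGP=0
Apr 22 10:01:03 server kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=192.168.1.10 DST=192.168.1.3 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3812 DF PROTO=TCP SPT=1019 DPT=2049 WINDOW=29200 RES=0x00 SYN URGP=0
Apr 22 10:01:09 server kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=192.168.1.10 DST=192.168.1.3 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3813 DF PROTO=TCP SPT=1018 DPT=2049 WINDOW=29200 RES=0x00 SYN URGP=0
Apr 22 10:15:41 server kernel: SFW2-INext-ACC-RPC IN=eth0 OUT= SRC=192.168.1.10 DST=192.168.1.3 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4102 DF PROTO=TCP SPT=41522 DPT=111 WINDOW=29200 RES=0x00 SYN URGP=0
Apr 22 10:15:41 server kernel: SFW2-INext-ACC-RPC IN=eth0 OUT= SRC=192.168.1.10 DST=192.168.1.3 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4103 DF PROTO=TCP SPT=41523 DPT=2049 WINDOW=29200 RES=0x00 SYN URGP=0
Apr 22 10:15:42 server kernel: SFW2-INext-ACC-RPC IN=eth0 OUT= SRC=192.168.1.20 DST=192.168.1.3 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4104 DF PROTO=TCP SPT=700 DPT=111 WINDOW=29200 RES=0x00 SYN URGP=0
"""

# Fields of a netfilter LOG line that matter here: the rule's log prefix,
# the source/destination addresses, the protocol and both ports.
LOG_RE = re.compile(
    r"(?P<prefix>SFW2-\S+) IN=(?P<iface>\S*) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r".*?PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)

PRIVILEGED_MAX = 1023  # ports below 1024 need root (CAP_NET_BIND_SERVICE) to bind


def parse_line(line):
    """Return the interesting fields of one LOG line, or None for other lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["spt"] = int(rec["spt"])
    rec["dpt"] = int(rec["dpt"])
    return rec


def classify(log_text, client, dports=(111, 2049)):
    """Count (log prefix, source-port class) pairs for one client address,
    restricted to the sunrpc/nfs destination ports of interest."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["src"] != client or rec["dpt"] not in dports:
            continue
        port_class = "privileged" if rec["spt"] <= PRIVILEGED_MAX else "unprivileged"
        counts[(rec["prefix"], port_class)] += 1
    return counts


def report(log_text, client):
    """One summary line per (prefix, port class), sorted for stable output."""
    lines = []
    for (prefix, port_class), n in sorted(classify(log_text, client).items()):
        lines.append(f"{client} -> {prefix:24s} {port_class:12s} {n}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Same data as: egrep '192.168.1.10.*(111|2049)' /var/log/firewall,
    # but grouped by whether the client used a privileged source port.
    print(report(SAMPLE_LOG, "192.168.1.10"))
```

To run it against a real log, replace SAMPLE_LOG with the contents of /var/log/firewall and pass the client address you are chasing; a skew such as "DROP-DEFLT only on privileged ports" shows up immediately as two counters rather than as a pattern you have to spot across hundreds of egrep hits.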