Re: nfs through dsl router
James, Bob, and others,
Thanks for your help. Sorry to take so long getting back (see below
for an explanation!)
On Sat, Jun 21, 2003 at 12:24:05AM -0400, James Strandboge wrote:
> >
> Ouch. You may already be hacked.
jeez, guys, it was only up for about 5 minutes -- I'm not THAT stupid (though
I can be pretty dumb if left to my own devices)
>
> The ports are portmap and whatever is listed with 'rpcinfo -p'.
thanks. I think I understand (though I don't see how to get information using portmap.)
>
> But please don't do this at all-- you are opening yourself up to a whole
> bunch of problems.
do you mean, don't do NFS via ssh either?
> I'd recommend scp.
scp is very cool, thanks for the recommendation.
> If you must have nfs, it is possible to use nfs with
> ssh. See:
>
> http://www.samag.com/documents/s=4072/sam0203d/sam0203d.htm
this is a great article, James, thanks for writing it and pointing me
to it.
Unfortunately, even with directions as explicit and clear as yours, I
couldn't get NFS over SSH to work for me. I think the issue is part
denseness, part the result of working around my home router, and not
understanding port forwarding very well; and at least a small part is
a little harder to explain.
Hope folks don't mind if I go through James' article step by step.
SERVER CONFIGURATION
1) setting up /etc/exports
no problem. added this line:
#trying to do ssh tunnelling
/home/matt/Projects 128.100.34.9(ro,insecure,root_squash)
2) edit nfs init script
...er... that didn't go so well! it was easy to get nfs to
stop and kill sshd before working, by adding the lines:
/etc/init.d/ssh stop
killall sshd
at the beginning of the script
but no matter where I put the restart command:
/etc/init.d/ssh restart
I couldn't get sshd to start back up again. James, do you have a copy
of a working /etc/init.d/nfs-user-server that starts ssh and then
restarts it? I think I don't fully understand the bash syntax (sorry
for my ignorance).
(this is part of the reason I've taken so long replying -- I couldn't
log in to my work account and my email environment for two days!).
3) setup iptables (in my case using ipmasq)
had a little trouble here specifying the address of my client (home)
machine, which is set dynamically by pppoe. Finally realized that I
couldn't do as I'd planned and enter my dyndns domain name, since it
can't be determined without DNS, and iptables really didn't want to
let me use dns. I'm wondering if this can somehow be done with a
script -- run a cron job every five minutes that checks the IP address
of my dyndns.org domain, exports the value as a variable, which is
then read by iptables/ipmasq. Does that sound like it would work?
Anyone know a tool that just returns an IP address?
For now I just entered my current IP, which works fine.
CLIENT CONFIGURATION
1. get server's ports
no problem. here's the current output:
matts-mac:~# rpcinfo -p 128.100.34.9
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp    865  status
    100024    1   tcp    868  status
    100003    2   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100005    1   udp    986  mountd
    100005    2   udp    986  mountd
    100005    1   tcp    989  mountd
    100005    2   tcp    989  mountd
2. set up tunnel
this usually works, with a command like this:
ssh -f -c blowfish -L 2820:128.100.34.9:2049 -L 3047:128.100.34.9:989 -l matt 128.100.34.9 /bin/sleep 86400
right now I seem to have broken the networking on my home computer
(see separate post, to follow) but I expect this part will work
eventually.
3. mount the nfs volume... this always fails catastrophically.
In particular, I never seem to be able to open up the requisite ports
on the client end. I suspect this has something to do with the home
network. Now, on my router (an SMC Barricade, with a web-only
interface) I don't have tons of options. I can forward individual
ports directly from the router to the home computer; or I can put the
home computer in a DMZ. Will either of these strategies work? What
further information can I provide to help with diagnosis?
whew. Thanks for the help you've already given, and thanks for help
in solving my current conundrum. best,
Matt
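As an added example (not part of the thread, and not James' article's code), here is the kind of cron job Matt asks about under "setup iptables": it resolves a dyndns name with the system resolver, checks that the answer is a real IPv4 address, and rewrites the client-address rule only when the address has actually changed; if the name does not resolve it leaves the firewall alone rather than opening anything up. The hostname, state file, port list and the plain INPUT-chain rule are assumptions to adjust to your own ruleset.

```shell
#!/bin/sh
# Added example: refresh an iptables rule keyed on a dyndns client address.
# Run from cron, e.g. */5 * * * * /usr/local/sbin/nfs-client-ip.sh run
CLIENT_HOST="${CLIENT_HOST:-myhome.dyndns.org}"    # placeholder hostname
STATE_FILE="${STATE_FILE:-/var/run/nfs-client-ip}" # last address we allowed
PORTS="${PORTS:-22}"   # ports keyed on the client address (22: the ssh tunnel end)

# Return 0 only if $1 is a dotted-quad IPv4 address with octets 0-255.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(echo "$1" | tr '.' ' '); do
        [ "$o" -le 255 ] || return 1
    done
}

# Resolve a hostname to one IPv4 address via the system resolver (getent).
# Prints nothing if the name does not resolve.
resolve_ipv4() {
    getent ahostsv4 "$1" 2>/dev/null | awk 'NR==1 {print $1; exit}'
}

# Print "same" or "changed"; fail (print nothing) on a missing or bogus address,
# so a resolver outage never turns into a rule change.
needs_update() {   # $1 = newly resolved ip, $2 = previously stored ip
    is_ipv4 "$1" || return 1
    [ "$1" = "$2" ] && { echo same; return 0; }
    echo changed
}

# Print the iptables command lines for one address; $1 is -I (insert) or -D (delete).
rules_for() {      # $1 = -I or -D, $2 = ip
    for p in $PORTS; do
        echo "iptables $1 INPUT -p tcp -s $2 --dport $p -j ACCEPT"
    done
}

main() {
    new=$(resolve_ipv4 "$CLIENT_HOST")
    old=$( [ -r "$STATE_FILE" ] && cat "$STATE_FILE" )
    case "$(needs_update "$new" "$old")" in
        changed)
            [ -n "$old" ] && rules_for -D "$old" | sh   # drop the stale address first
            rules_for -I "$new" | sh
            echo "$new" > "$STATE_FILE" ;;
        same) ;;
        *) echo "could not resolve $CLIENT_HOST; firewall left unchanged" >&2; exit 1 ;;
    esac
}

case "${1:-}" in run) main ;; esac
```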