
Re: NFS and iptables during bootup



Reco,

I moved the script from /etc/init.d to the /etc/network directory and
changed the shebang line from /bin/bash to /bin/sh. /bin/sh on my
system points to /bin/dash. Thanks for those tips!

The content of the firewall rule files can be seen here:

# cat /etc/firewall.conf /etc/firewall6.conf
# Generated by iptables-save v1.4.8 on Tue Jul  1 10:41:45 2014
*filter
:INPUT DROP [17:1605]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [259:30520]
-A INPUT -s 10.10.10.0/24 -j ACCEPT
-A INPUT -s 8.8.8.8/32 -j ACCEPT
-A INPUT -s 8.8.4.4/32 -j ACCEPT
COMMIT
# Completed on Tue Jul  1 10:41:45 2014
# Generated by ip6tables-save v1.4.8 on Tue Jul  1 10:41:56 2014
*filter
:INPUT DROP [10518:992304]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
COMMIT
# Completed on Tue Jul  1 10:41:56 2014
#

If I comment out just the "iptables-restore .." line from
firewall-script and leave the "ip6tables-restore .." line uncommented,
the machine also boots without problems, i.e. it's the IPv4 iptables
rules which seem to cause the statd to fail. I modified the IPv4
rules (/etc/firewall.conf file) in the following manner:

# cat /etc/firewall.conf
# Generated by iptables-save v1.4.8 on Fri Aug  8 17:08:22 2014
*filter
:INPUT DROP [1:146]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [50:7006]
-A INPUT -s 10.10.10.0/24 -i eth0 -j ACCEPT
-A INPUT -s 8.8.8.8/32 -i eth0 -j ACCEPT
-A INPUT -s 8.8.4.4/32 -i eth0 -j ACCEPT
-A INPUT -i lo0 -j ACCEPT
COMMIT
# Completed on Fri Aug  8 17:08:22 2014
#

...but this didn't help. Any other ideas?


Tom,

I suspect iptables because if I comment out the "pre-up .." line from
/etc/network/interfaces file, the machine will boot without issues. In
addition, if I comment out just the "iptables-restore .." line from
firewall-script and leave the "ip6tables-restore .." line uncommented,
the machine also boots without problems, i.e. it's the IPv4 iptables
rules which seem to cause the statd to fail.
/usr is not a separate file-system mount and all I could find
regarding NFS and statd were the "rpc.statd[1039]: unable to register
(statd, 1, udp)." messages.

Last but not least, starting the /etc/init.d/nfs-common
script ("/etc/init.d/nfs-common start") took a few minutes even
when the OS is already running.


regards,
Martin

On 8/4/14, Tom H <tomh0665@gmail.com> wrote:
> On Mon, Aug 4, 2014 at 10:52 AM, Martin T <m4rtntns@gmail.com> wrote:
>>
>> I made a very simple bash script which loads the iptables
>> configuration from /etc/firewall.conf and /etc/firewall6.conf files:
>>
>> # cat /etc/init.d/firewall
>> #!/bin/bash
>>
>> iptables-restore < /etc/firewall.conf
>> ip6tables-restore < /etc/firewall6.conf
>>
>> The script is stored in the /etc/init.d/ directory, but I haven't configured
>> init to load this script directly. I use the pre-up option in
>> /etc/network/interfaces instead:
>>
>> # grep pre-up /etc/network/interfaces
>>   pre-up /etc/init.d/firewall
>>
>> /etc/firewall.conf and /etc/firewall6.conf contain a few simple
>> allow rules for the input chain and set the default policies for chains in the
>> input table to drop.
>>
>> Now if I reload the machine, the bootup takes more than 6 minutes.
>> Bootlog can be seen below:
>>
>> ...
>> Mon Aug  4 15:43:39 2014: Starting portmap daemon....
>> Mon Aug  4 15:43:39 2014: Starting NFS common utilities: statdSetting
>> kernel variables ...done.
>> Mon Aug  4 15:46:39 2014:  ^[[31mfailed!^[[39;49m
>> ...
>> Mon Aug  4 15:46:40 2014: startpar: service(s) returned failure:
>> nfs-common ... ^[[31mfailed!^[[39;49m
>> ...
>> Mon Aug  4 15:46:40 2014: Starting portmap daemon...Already running..
>> ...
>> Mon Aug  4 15:46:40 2014: Starting NFS common utilities: statd
>> ^[[31mfailed!^[[39;49m
>> ...
>>
>> Once the system is started, the iptables and ip6tables rules are
>> properly installed. According to log messages seen above, the problem
>> seems to be with NFS. Has anyone seen something like this before?
>
> What makes you think that it's iptables that's preventing statd?
>
> Do you have this problem when you comment out "pre-up ..."?
>
> Is there more info about nfs/statd in "/var/log/"?
>
> Is "/usr" a separate filesystem mount?
>
> Can you start nfs after the system boots?
>
> Small "style" nitpick: Since "/etc/init.d/firewall" isn't integrated
> into sysvinit, you might as well move it to
> "/etc/{,firewall,network}"; or move it to "/etc/network/pre-up.d/" and
> remove the "pre-up ..." line. I prefer installing iptables-persistent
> but you might not want to or be allowed to...
>
>
> --
> To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact
> listmaster@lists.debian.org
> Archive: https://lists.debian.org/CAOdo=SxTVDSBNc6k7sSaVOq-eM_b7uEkzGDZph_sjXtkqYN58A@mail.gmail.com
>
>

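The thread above turns on whether a ruleset whose INPUT chain defaults to DROP still lets localhost traffic through: rpc.statd registers with the portmapper over 127.0.0.1, and the "unable to register (statd, 1, udp)" message in the log is that registration failing. The POSIX sh script below is an added example, not code from the thread, from Debian or from iptables-persistent. It parses an iptables-save style file before restoring it and refuses to load a ruleset that drops INPUT by default without an explicit `-A INPUT -i lo -j ACCEPT` rule (on Linux the loopback interface is named `lo`). The two rulesets written by `write_sample_rulesets` are constructed for this example and only modelled on the rules posted above; `IPTABLES_RESTORE` is an assumed environment override so the loader can be exercised without touching a live firewall.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check an iptables-save ruleset
# for a loopback ACCEPT rule before iptables-restore loads it at boot.

# check_loopback_accept FILE
# Return 0 when the filter table's INPUT chain does not default to DROP, or
# defaults to DROP but has a rule accepting traffic on the Linux loopback
# interface "lo". Return 1 when INPUT drops by default and no such rule exists.
check_loopback_accept() {
    awk '
        /^\*/ { table = substr($0, 2) }                      # *filter, *nat, ...
        table == "filter" && $1 == ":INPUT" { policy = $2 }  # ":INPUT DROP [n:m]"
        table == "filter" && $1 == "-A" && $2 == "INPUT" {
            on_lo = 0; accepts = 0
            for (i = 3; i < NF; i++) {
                if ($i == "-i" && $(i + 1) == "lo") on_lo = 1
                if ($i == "-j" && $(i + 1) == "ACCEPT") accepts = 1
            }
            if (on_lo && accepts) lo_ok = 1
        }
        END {
            if (policy != "DROP" || lo_ok) exit 0
            exit 1
        }
    ' "$1"
}

# write_sample_rulesets DIR
# Constructed sample input for the example: "with-lo.conf" accepts loopback
# traffic, "without-lo.conf" does not (it uses the BSD-style name lo0, which
# is not the Linux loopback interface name). Counters are zeroed; the
# addresses are modelled on the thread, not copied from any live system.
write_sample_rulesets() {
    cat > "$1/with-lo.conf" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 10.10.10.0/24 -i eth0 -j ACCEPT
COMMIT
EOF
    cat > "$1/without-lo.conf" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 10.10.10.0/24 -i eth0 -j ACCEPT
-A INPUT -i lo0 -j ACCEPT
COMMIT
EOF
}

# load_ruleset FILE
# Restore the ruleset only when the check passes; meant to replace the bare
# "iptables-restore < FILE" line in a pre-up firewall script. IPTABLES_RESTORE
# is an assumed override (e.g. "cat") for testing without a live firewall.
load_ruleset() {
    if check_loopback_accept "$1"; then
        "${IPTABLES_RESTORE:-iptables-restore}" < "$1"
    else
        echo "refusing to load $1: INPUT drops by default and never accepts -i lo" >&2
        return 1
    fi
}
```

Run from the pre-up hook as `load_ruleset /etc/firewall.conf` in place of the raw `iptables-restore` redirect; the script only uses awk and sh builtins, so it runs under dash as well as bash.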
