RPC connection tracking (howto request)

Jeff Wiegley, Ph.D. jeff@ntcor.com
Thu, 26 Jul 2001 17:15:32 -0700 

Am I missing something fundamental here?
(No, I mean about netfilter ;-)

I've got a workstation that is pretty well net filtered from the rest of
the world (and even from my own network for various reasons.)

I have another Solaris 8 box next to it and I want to NFS export a
director from my netfilter box so that the Solaris box can NFS mount
it.

I have allowed:
    /sbin/iptables --append INPUT --protocol tcp --destination-port nfs --jump ACCEPT
    /sbin/iptables --append INPUT --protocol udp --destination-port nfs --jump ACCEPT
    /sbin/iptables --append INPUT --protocol tcp --destination-port sunrpc --jump ACCEPT
    /sbin/iptables --append INPUT --protocol udp --destination-port sunrpc --jump ACCEPT
(yea I know these allow the world but hey I'm troubleshooting.)

I have also downloaded iptables 1.2.2 and did the whole patch-o-matic thing...
lsmod now produces:
sunrpc                 60048   1  (autoclean) [nfsd lockd]
ipt_record_rpc          2400   0  (unused)
ip_conntrack_rpc_tcp    5392   1  [ipt_record_rpc]
ip_conntrack_rpc_udp    5232   1  [ipt_record_rpc]
ipt_LOG                 3312   3  (autoclean)
ipt_state                576   1  (autoclean)
ip_nat_ftp              3632   0  (unused)
ip_conntrack_ftp        3760   0  [ip_nat_ftp]
iptable_mangle          1728   0  (autoclean) (unused)
iptable_nat            19120   1  (autoclean) [ip_nat_ftp]
ip_conntrack           20208   6  (autoclean) [ipt_record_rpc ip_conntrack_rpc_tcp ip_conntrack_rpc_udp ipt_state ip_nat_ftp ip_conntrack_ftp iptable_nat]
iptable_filter          1728   0  (autoclean) (unused)
3c59x                  25280   2  (autoclean)
ip_tables              13248   8  [ipt_record_rpc ipt_LOG ipt_state iptable_mangle iptable_nat iptable_filter]

But when I issue the mount command on the Solaris box I get:
Jul 26 17:11:14 stingray kernel: INPUT catchall: IN=eth0 OUT= MAC=00:10:5a:9e:bb:d3:00:e0:18:d8:13:74:08:00 SRC=$SOLARIS8IP DST=XXX.XXX.XXX.XXX LEN=68 TOS=0x00 PREC=0x00 TTL=255 ID=45741 DF PROTO=UDP SPT=32869 DPT=32773 LEN=48

I thought that the RPC connection tracking provided by ip_conntrack_rpc_* should
allow traffic to 32773 since nfs was just looked up? Am I wrong or rpc connection tracking
not working?

Thanks,

- Jeff