Letting NIS master notify a firewalled NIS slave server of updates
We have a NIS master on our corporate network. One of its slaves has its Shorewall-configured iptables firewall enabled. Whenever we would update the NIS maps on the master and run “make -C /var/yp” to push the changes out, we’d get RPC errors about that firewalled slave server.
They looked like this (names changed blah, blah, blah):
[root@nis-master ~]# touch /etc/nis/netgroup
[root@nis-master ~]# make -C /var/yp
make: Entering directory `/var/yp'
gmake[1]: Entering directory `/var/yp/ourdomain.com'
gmake[1]: `ypservers' is up to date.
gmake[1]: Leaving directory `/var/yp/ourdomain.com'
gmake[1]: Entering directory `/var/yp/ourdomain.com'
Updating netgroup...
YPPUSH: Cannot call YPPROC_XFR on host "firewalled-slave": RPC: Unable to receive; errno = Connection refused
Updating netgroup.byhost...
YPPUSH: Cannot call YPPROC_XFR on host "firewalled-slave": RPC: Unable to receive; errno = Connection refused
Updating netgroup.byuser...
YPPUSH: Cannot call YPPROC_XFR on host "firewalled-slave": RPC: Unable to receive; errno = Connection refused
gmake[1]: Leaving directory `/var/yp/ourdomain.com'
make: Leaving directory `/var/yp'
[root@nis-master ~]#
What to do, what to do? Well, firewalled-slave is CentOS 6.4, and therefore the shorewall firewall package is aboard. That thing manages iptables rather neatly for us, so we’ll be updating firewall rules in /etc/shorewall/rules, which is well commented. In addition, trawling Google I dug up these links:
Dynamic iptables rules for NIS server
From the first, Pratik’s admin blog, I learned about rpcinfo -p, then read the man page, looked around at /etc/rpc and did some thinking. That got me googling for “linux iptables ypserv ports,” which led me to the second link:
http://www.centos.org/docs/4/html/rhel-sg-en-4/s1-server-nis.html
That one showed me how to tell ypserv (and ypxfrd, which I don’t need here) to use specific ports rather than letting rpcd pick some for them. Which meant I could then add rules to /etc/shorewall/rules to tell iptables to let updates in from nis-master.
Simple steps:
- add this to /etc/sysconfig/network:
YPSERV_ARGS="-p 834"
- run
service ypserv restart
- add this to /etc/shorewall/rules:
# 2016-06-27 09:48 mdiehn
# -- Allow NIS traffic from outside to the master's slave ypserv on
# -- the port we specified in /etc/sysconfig/network as
# -- YPSERV_ARGS="-p 834"
# -- YPXFRD_ARGS="-p 835" <-- we don't run this on marlin
#
ACCEPT net fw tcp 834 # ypserv
ACCEPT net fw udp 834 # ypserv
#ACCEPT net fw tcp 835 # ypxfrd
#ACCEPT net fw udp 835 # ypxfrd
- run
service shorewall restart
And that’s all there is to it. Now when we run “make -C /var/yp” on the nis-master, it works without errors and the updates appear on firewalled-slave.
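To confirm the fix actually took rather than just trusting a clean make run, here is a small POSIX shell check I am adding (it is not from the original post): it parses rpcinfo -p output for the slave's ypserv registrations and cross-checks them against the ACCEPT lines in /etc/shorewall/rules. The rpcinfo output and rules text inside it are constructed samples, and the net/fw zone names are the ones used in the rules above.

```shell
#!/bin/sh
# Added example (not from the original post): confirm ypserv on the slave is
# really registered on the pinned port and that /etc/shorewall/rules ACCEPTs
# every proto/port it registered. Both samples are constructed; on a real host
# feed in "rpcinfo -p firewalled-slave" (run from the master) and the rules file.

SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100004    2   udp    834  ypserv
    100004    2   tcp    834  ypserv
    100004    1   tcp    834  ypserv'

SAMPLE_RULES='# ypserv pinned with YPSERV_ARGS="-p 834"
ACCEPT net fw tcp 834 # ypserv
ACCEPT net fw udp 834 # ypserv
#ACCEPT net fw tcp 835 # ypxfrd'

# Distinct "proto port" pairs a service ($2, default ypserv) is registered on,
# parsed from rpcinfo -p output passed as $1.
rpc_ports() {
    printf '%s\n' "$1" | awk -v svc="${2:-ypserv}" '$5 == svc { print $3, $4 }' | sort -u
}

# Succeed only if the service ($3, default ypserv) is registered at all and
# every registration is on port $2, i.e. the -p argument took effect.
check_fixed_port() {
    rpc_ports "$1" "$3" | awk -v want="$2" '{ n++ } $2 != want { bad = 1 } END { exit (n == 0 || bad) }'
}

# Succeed if rules text $1 has an uncommented "ACCEPT net fw PROTO PORT" line
# for proto $2 and port $3 (a leading # makes $1 "#ACCEPT", so it is skipped).
rules_allow() {
    printf '%s\n' "$1" | awk -v p="$2" -v port="$3" \
        '$1 == "ACCEPT" && $2 == "net" && $3 == "fw" && $4 == p && $5 == port { f = 1 } END { exit !f }'
}

# Cross-check: every proto/port ypserv listens on must be allowed by rules $2.
# Fails (and names the gap) on the first registration without a rule.
verify_slave() {
    ports=$(rpc_ports "$1")
    [ -n "$ports" ] || { echo "ypserv not registered with the portmapper" >&2; return 1; }
    printf '%s\n' "$ports" | while read -r proto port; do
        rules_allow "$2" "$proto" "$port" || { echo "no ACCEPT rule for $proto/$port" >&2; exit 1; }
    done
}
```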