Wireguard Client & iptables

maybe that’s something you could start with: Open NFS ports


I found out the mount was using port 2049 for the NFS connection and I added these lines to the PostUp’s iptables:

iptables -I INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 2049 -j ACCEPT
iptables -I OUTPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 2049 -j ACCEPT
iptables -I INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 20048 -j ACCEPT
iptables -I OUTPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 20048 -j ACCEPT

The connection is still refused.

root@DietPi:~# rpcinfo -p 192.168.1.101 | grep nfs
192.168.1.101: RPC: Remote system error - Connection refused

I have been searching a bit and my iptables looks like this:

PostUp = iptables -I INPUT 1 -i eth0 -p tcp -s 192.168.1.0/24 --dport 22 -j  ACCEPT
PostUp = iptables -A INPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -p udp -m multiport --dports 111,892,2049,52832,35398,44464,34813 -m state --state NEW,ESTABLISHED -j ACCEPT
PostUp = iptables -A INPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -p tcp -m multiport --dports 111,892,2049,52832,35398,44464,34813 -m state --state NEW,ESTABLISHED -j ACCEPT
PostUp = iptables -A OUTPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -p udp -m multiport --sports 111,892,2049,52832,35398,44464,34813 -m state --state ESTABLISHED -j ACCEPT
PostUp = iptables -A OUTPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -p tcp -m multiport --sports 111,892,2049,52832,35398,44464,34813 -m state --state ESTABLISHED -j ACCEPT
PostUp = iptables -I OUTPUT 1 -o eth0 -m conntrack --ctstate  ESTABLISHED,RELATED -j ACCEPT
PostUp = iptables -I OUTPUT 2 ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PostUp =  systemctl start transmission-daemon
PreDown = iptables -D INPUT -i eth0 -p tcp -s 192.168.1.0/24 --dport 22 -j  ACCEPT && iptables -D OUTPUT -o eth0 -m conntrack --ctstate  ESTABLISHED,RELATED -j ACCEPT  && iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = systemctl stop transmission-daemon

When I disable Wireguard, the connection with the NAS works. These ports are open.

root@DietPi:~# rpcinfo -p 192.168.1.101
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp    892  mountd
    100005    1   tcp    892  mountd
    100005    2   udp    892  mountd
    100005    2   tcp    892  mountd
    100005    3   udp    892  mountd
    100005    3   tcp    892  mountd
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100021    1   udp  52832  nlockmgr
    100021    3   udp  52832  nlockmgr
    100021    4   udp  52832  nlockmgr
    100021    1   tcp  35398  nlockmgr
    100021    3   tcp  35398  nlockmgr
    100021    4   tcp  35398  nlockmgr
    100024    1   udp  44464  status
    100024    1   tcp  34813  status

I am getting this weird error:

/boot/dietpi/func/dietpi-globals: line 1313: ip: command not foundndt error
/boot/dietpi/func/dietpi-globals: line 1313: mawk: command not found
/boot/dietpi/func/dietpi-globals: line 1314: ip: command not foundnd
/boot/dietpi/func/dietpi-globals: line 1314: mawk: command not found
/boot/dietpi/func/dietpi-globals: line 1274: ip: command not foundnd
/boot/dietpi/func/dietpi-globals: line 479: tput: command not found
/boot/dietpi/func/dietpi-globals: line 480: tput: command not found
/boot/dietpi/func/dietpi-globals: line 482: ((: <= 120 : syntax error: operand expected (error token is "<= 120 ")
/boot/dietpi/func/dietpi-globals: line 488: ((: >= 7 : syntax error: operand expected (error token is ">= 7 ")0 ")
/boot/dietpi/func/dietpi-globals: line 784: /usr/bin/rm: Input/output errord expected (error token is ">= 7 ")
/boot/dietpi/func/dietpi-globals: line 1313: ip: command not foundndt error
/boot/dietpi/func/dietpi-globals: line 1313: mawk: command not found
/boot/dietpi/func/dietpi-globals: line 1314: ip: command not foundnd
/boot/dietpi/func/dietpi-globals: line 1314: mawk: command not found
/boot/dietpi/func/dietpi-globals: line 1274: ip: command not foundnd
/boot/dietpi/func/dietpi-globals: line 479: tput: command not found
/boot/dietpi/func/dietpi-globals: line 480: tput: command not found
/boot/dietpi/func/dietpi-globals: line 482: ((: <= 120 : syntax error: operand expected (error token is "<= 120 ")
/boot/dietpi/func/dietpi-globals: line 488: ((: >= 7 : syntax error: operand expected (error token is ">= 7 ")0 ")
/boot/dietpi/func/dietpi-globals: line 701: /usr/bin/whiptail: Input/output errorcted (error token is ">= 7 ")
/boot/dietpi/func/dietpi-globals: line 172: tput: command not foundt/output error
/boot/dietpi/func/dietpi-globals: line 173: ((: i<: syntax error: operand expected (error token is "<")
/boot/dietpi/func/dietpi-globals: line 173: ((: i<: syntax error: operand expected (error token is "<")

Can someone help me out?

Did you purge any software packages? Because these are essential commands you are missing, like ip and mawk.

No I haven’t.
I only disabled wg-quick at systemctl now and then.

Let’s check the status of the package containing the ip command:

dpkg -l iproute2
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version      Architecture Description
+++-==============-============-============-====================================
ii  iproute2       5.10.0-4     arm64        networking and traffic control tools

Is there a chance DietPi keeps assigning random ports for mounting?

https://prefetch.net/blog/2010/11/02/firewalling-a-linux-nfs-server-with-iptables/

It looks like there are different ports assigned for service status after a reboot (cmd rpcinfo -p)

It seems like rpc.statd is using a different port after every boot.

root@DietPi:~# sudo ss -tulpn
Netid             State               Recv-Q              Send-Q                           Local Address:Port                            Peer Address:Port             Process
udp               UNCONN              0                   0                                      0.0.0.0:51413                                0.0.0.0:*                 users:(("transmission-da",pid=548,fd=18))
udp               UNCONN              0                   0                                    127.0.0.1:743                                  0.0.0.0:*                 users:(("rpc.statd",pid=991,fd=5))
udp               UNCONN              0                   0                                      0.0.0.0:46415                                0.0.0.0:*                 users:(("rpc.statd",pid=991,fd=8))
udp               UNCONN              0                   0                                      0.0.0.0:45593                                0.0.0.0:*
udp               UNCONN              0                   0                                      0.0.0.0:68                                   0.0.0.0:*                 users:(("dhclient",pid=336,fd=9))
udp               UNCONN              0                   0                                      0.0.0.0:111                                  0.0.0.0:*                 users:(("rpcbind",pid=287,fd=5),("systemd",pid=1,fd=34))
udp               UNCONN              0                   0                                            *:45593                                      *:*
udp               UNCONN              0                   0                                            *:111                                        *:*                 users:(("rpcbind",pid=287,fd=7),("systemd",pid=1,fd=36))
udp               UNCONN              0                   0                                            *:43649                                      *:*                 users:(("rpc.statd",pid=991,fd=10))
tcp               LISTEN              0                   128                                    0.0.0.0:9091                                 0.0.0.0:*                 users:(("transmission-da",pid=548,fd=15))
tcp               LISTEN              0                   4096                                   0.0.0.0:111                                  0.0.0.0:*                 users:(("rpcbind",pid=287,fd=4),("systemd",pid=1,fd=33))
tcp               LISTEN              0                   128                                    0.0.0.0:51413                                0.0.0.0:*                 users:(("transmission-da",pid=548,fd=16))
tcp               LISTEN              0                   128                                    0.0.0.0:22                                   0.0.0.0:*                 users:(("sshd",pid=444,fd=3))
tcp               LISTEN              0                   4096                                   0.0.0.0:35901                                0.0.0.0:*                 users:(("rpc.statd",pid=991,fd=9))
tcp               LISTEN              0                   500                                    0.0.0.0:8989                                 0.0.0.0:*                 users:(("mono",pid=572,fd=8))
tcp               LISTEN              0                   4096                                      [::]:43077                                   [::]:*                 users:(("rpc.statd",pid=991,fd=11))
tcp               LISTEN              0                   4096                                      [::]:111                                     [::]:*                 users:(("rpcbind",pid=287,fd=6),("systemd",pid=1,fd=35))
tcp               LISTEN              0                   128                                       [::]:51413                                   [::]:*                 users:(("transmission-da",pid=548,fd=17))
tcp               LISTEN              0                   128                                       [::]:22                                      [::]:*                 users:(("sshd",pid=444,fd=4))

OK, at least it seems the iproute2 package is installed. Wondering why you have the ip command missing :thinking:

Could you have a look for file system errors?

dmesg -l emerg,alert,crit,err
> /forcefsck
reboot

For NFS ports, usually it should be port 111 (TCP and UDP) and 2049 (TCP and UDP). Probably as well setting RPCMOUNTDOPTS="--port <something>" within the server config /etc/default/nfs-kernel-server to fix the ports. See: ubuntu - Which ports do I need to open in the firewall to use NFS? - Server Fault

/etc/default/nfs-kernel-server doesn’t exist on my installation. Is this the correct path?

dmesg -l emerg,alert,crit,err
> /forcefsck
reboot

How can I see the log after reboot?

@trendy Can you help me out mate?

Ports 111 and 2049 need to be opened to have NFS. At least that’s what I do in my network to access the NFS server of a DietPi from other networks.

Ah wait, did you install the NFS server or client on DietPi? Because this file contains server settings.

Do you want to access an NFS share from DietPi while the VPN is active, or to access an NFS server running on DietPi?

journalctl -t systemd-fsck

@trendy Thanks for the reply. Are these iptables rules correct if I want to open the ports for NFS?

PostUp = iptables -I INPUT 1 -i eth0 -p tcp -s 192.168.1.0/24 --dport 22 -j  ACCEPT
PostUp = iptables -A INPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -p udp -m multiport --dports 111,892,2049 -m state --state NEW,ESTABLISHED -j ACCEPT
PostUp = iptables -A INPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -p tcp -m multiport --dports 111,892,2049 -m state --state NEW,ESTABLISHED -j ACCEPT
PostUp = iptables -A OUTPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -p udp -m multiport --sports 111,892,2049 -m state --state ESTABLISHED -j ACCEPT
PostUp = iptables -A OUTPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -p tcp -m multiport --sports 111,892,2049 -m state --state ESTABLISHED -j ACCEPT
PostUp = iptables -I OUTPUT 1 -o eth0 -m conntrack --ctstate  ESTABLISHED,RELATED -j ACCEPT
PostUp = iptables -I OUTPUT 2 ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PostUp =  systemctl start transmission-daemon
PreDown = iptables -D INPUT -i eth0 -p tcp -s 192.168.1.0/24 --dport 22 -j  ACCEPT && iptables -D OUTPUT -o eth0 -m conntrack --ctstate  ESTABLISHED,RELATED -j ACCEPT  && iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = systemctl stop transmission-daemon
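Added example, not part of the thread and not DietPi's or WireGuard's own code: a small Python simulator of iptables first-match ordering for the OUTPUT chain that the PostUp lines above build, showing where the first SYN of `rpcinfo -p 192.168.1.101` lands and how an allow rule placed before the kill-switch REJECT changes that. It assumes the tunnel interface is wg0 and uses a placeholder fwmark value; the NAS address and the ports 111, 892 and 2049 come from the thread.

```python
# Added example, not from the thread: a first-match simulator for the OUTPUT
# chain the PostUp lines above build, modelling only the fields those rules use
# (`-m addrtype ! --dst-type LOCAL` is skipped since the NAS is never local).
# Constructed: NAS 192.168.1.101 (the thread's rpcinfo target); WG_FWMARK stands
# in for whatever `wg show wg0 fwmark` prints on the real box.
import ipaddress

WG_FWMARK = 51820                  # assumption, not a value from the thread
NFS = {111, 892, 2049}             # ports the Synology NAS uses (from the thread)
EST = {"ESTABLISHED"}

def rule(target, out="", proto="", dst="", dports=(), sports=(), states=(), not_mark=None):
    # out="!wg0" means `! -o wg0`; not_mark=N means `-m mark ! --mark N`
    return dict(target=target, out=out, proto=proto, dst=dst, dports=set(dports),
                sports=set(sports), states=set(states), not_mark=not_mark)

def matches(r, p):
    if r["out"] and (p["out"] == r["out"].lstrip("!")) == r["out"].startswith("!"):
        return False               # `-o X` needs equality, `! -o X` needs inequality
    if r["proto"] and r["proto"] != p["proto"]:
        return False
    if r["dst"] and ipaddress.ip_address(p["dst"]) not in ipaddress.ip_network(r["dst"]):
        return False
    if (r["dports"] and p["dport"] not in r["dports"]) or (r["sports"] and p["sport"] not in r["sports"]):
        return False
    if r["states"] and p["state"] not in r["states"]:
        return False
    return r["not_mark"] is None or p["mark"] != r["not_mark"]

def verdict(chain, p):
    # 1-based index and target of the first matching rule, else the chain policy
    for i, r in enumerate(chain, 1):
        if matches(r, p):
            return i, r["target"]
    return 0, "POLICY"

def thread_chain():
    # OUTPUT chain in the order the PostUp lines create it: the -A lines first, then -I 1 and -I 2,
    # so the REJECT ends up *above* the appended NFS rules (which also only match ESTABLISHED + sports)
    chain = [rule("ACCEPT", proto="udp", dst="192.168.1.0/24", sports=NFS, states=EST),
             rule("ACCEPT", proto="tcp", dst="192.168.1.0/24", sports=NFS, states=EST)]
    chain.insert(0, rule("ACCEPT", out="eth0", states=EST | {"RELATED"}))   # -I OUTPUT 1
    chain.insert(1, rule("REJECT", out="!wg0", not_mark=WG_FWMARK))        # -I OUTPUT 2 kill switch
    return chain

def fixed_chain():
    # same chain plus NEW traffic to the NAS NFS ports accepted before the REJECT is reached
    chain = thread_chain()
    chain.insert(1, rule("ACCEPT", out="eth0", proto="tcp", dst="192.168.1.101",
                         dports=NFS, states=EST | {"NEW"}))
    return chain

# constructed packets: the first SYN of `rpcinfo -p 192.168.1.101`, and a clear-net leak attempt
RPC_SYN = dict(out="eth0", proto="tcp", dst="192.168.1.101", sport=40000, dport=111, state="NEW", mark=0)
LEAK = dict(out="eth0", proto="tcp", dst="203.0.113.10", sport=40001, dport=443, state="NEW", mark=0)
```

With the thread's ordering the SYN to port 111 hits the REJECT at position 2, which for TCP answers with an ICMP port-unreachable and surfaces as "Connection refused"; in the fixed chain it is accepted while a clear-net connection is still rejected.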

@Joulinar No, I haven’t installed an NFS server or client. I used dietpi-drive_manager to mount the NFS drive (NAS). Should I install an NFS client or server?

I’d like to access an NFS server (NAS) from my DietPi while the VPN is active.

Mounting the NFS share using dietpi-drive_manager will install the NFS client automatically. But in this case the ports of DietPi are not important. You would need to check on the server side which ports are needed/used to access the NFS share.

My Synology uses ports 111, 892 and 2049 for NFS connections.

Then these ports need to be allowed as outgoing traffic.