Iptables.service and NFS troubles

royalapple45 · March 18, 2018 at 5:27 PM

Hello and greetings!

I posted on this forum a year or so ago and here is the thread: NFS IPtables Troubles

I was invoking iptables through an autostart script and everything worked fine with NFS. . . for a while. I want to start iptables through systemd and I referenced this thread as it included iptables.service setup instructions: VPN: Include default iptables rule for tun0 or at least optional

I want to invoke it through systemd as I want iptables started before my network is online. I followed the instructions for creating the iptables.service and iptables starts fine as I am totally unable to ssh into the box (which is good for me). My NFS mounts unfortunately do not mount. Here are my sample configuration files:

iptables.service

Code

[Unit]

Description=Packet Filtering Framework

Before=network-pre.target

Wants=network-pre.target





[Service]

Type=oneshot

ExecStart=/usr/sbin/iptables-restore /storage/.config/iptables.rules

ExecReload=/usr/sbin/iptables-restore /storage/.config/iptables.rules

ExecStop=/usr/sbin/iptables -F

RemainAfterExit=yes



[Install]

WantedBy=multi-user.target

Display More

nfs mount:

Code

[Unit]

Description=Disk1

After=network-online.service

Wants=network-online.service

Before=kodi.service



[Mount]

What=192.168.1.100:/run/media/alarm/Disk2/

Where=/storage/NFS/Disk2

Options=ro,auto,hard,timeo=100,rsize=262144

Type=nfs



[Install]

WantedBy=multi-user.target

Display More

and finally my iptables.rules:

Code

*filter
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT

I believe my problem essentially comes down to something like After=Network-online.service interfering with something. Any help or insight would be sincerely appreciated! My client is an Odroid C2.

royalapple45 · April 1, 2018 at 12:10 PM

I ended up posting on reddit as this was not getting any action. I essentially kept the iptables.service through systemd and then mounted my NFS shares through the autostart script using the below code. It includes a command at the beginning that delays the start of the script by several seconds. Below the code will also be the reddit post if anybody wants to take a look.

Bash

#!/bin/sh
 
# Wait for the network to come up...
while [ -z "$(connmanctl state | grep State | grep -E "ready|online")" ]; do sleep 0.25; done; logger -t "$(basename $0)" "** Network is up **"
 
mount -t nfs 192.168.1.100:/mnt/media/alarm/Disk1 -o ro,bg,noatime,nodiratime,nolock,timeo=600,async,rsize=32768,wsize=32768 /storage/NFS/Disk1
mount -t nfs 192.168.1.100:/mnt/media/alarm/Disk2 -o ro,bg,noatime,nodiratime,nolock,timeo=600,async,rsize=32768,wsize=32768 /storage/NFS/Disk2
mount -t nfs 192.168.1.100:/mnt/media/alarm/Disk3 -o ro,bg,noatime,nodiratime,nolock,timeo=600,async,rsize=32768,wsize=32768 /storage/NFS/Disk3
mount -t nfs 192.168.1.100:/mnt/media/alarm/Disk4 -o ro,bg,noatime,nodiratime,nolock,timeo=600,async,rsize=32768,wsize=32768 /storage/NFS/Disk4
mount -t 192.168.1.100:/mnt/media/alarm/Disk5 -o ro,bg,noatime,nodiratime,nolock,timeo=600,async,rsize=32768,wsize=32768 /storage/NFS/Disk5
mount -t nfs 192.168.1.100:/mnt/media/alarm/Disk6 -o ro,bg,noatime,nodiratime,nolock,timeo=600,async,rsize=32768,wsize=32768 /storage/NFS/Disk6

Display More

Here is the reddit post: iptables.service and NFS- Unresolved forum post : libreELEC

Shoutout to ChickenGoes2Library for all of the help.