Posts by royalapple45

Hello all- I recently install cryptsetup through Opkg and I am trying to automount my external drives through the autostart.sh script. Here is my code:

#!/bin/sh

sleep 30
cryptsetup luksOpen /dev/disk/by-uuid/5d52d255-beb0-4de9-8ab6-cf7f6ad56b9a external1 --key-file=/storage/.config/keyfile
cryptsetup luksOpen /dev/disk/by-uuid/208fea3b-9d50-45aa-b370-kf46952384a6 external2 --key-file=/storage/.config/keyfile
cryptsetup luksOpen /dev/disk/by-uuid/85be45b1-9329-4f0c-9ebd-93905f665ac4 external3 --key-file=/storage/.config/keyfile
cryptsetup luksOpen /dev/disk/by-uuid/2357606b-644b-44a4-abc9-23451f8bd355 external4 --key-file=/storage/.config/keyfile
cryptsetup luksOpen /dev/disk/by-uuid/0892be8e-a55a-4790-ad22-4587f7aea6aa external5 --key-file=/storage/.config/keyfile
cryptsetup luksOpen /dev/disk/by-uuid/844e81c9-8e3c-4401-b690-22c07f7db83d external6 --key-file=/storage/.config/keyfile
cryptsetup luksOpen /dev/disk/by-uuid/97ca5d87-49c9-4c9c-acbb-87193df26fe4 external7 --key-file=/storage/.config/keyfile


mount /dev/mapper/external1 /storage/NFS/Disk1
mount /dev/mapper/external2 /storage/NFS/Disk2
mount /dev/mapper/external3 /storage/NFS/Disk3
mount /dev/mapper/external4 /storage/NFS/Disk4
mount /dev/mapper/external5 /storage/NFS/Disk5
mount /dev/mapper/external6 /storage/NFS/Disk6
mount /dev/mapper/external7 /storage/NFS/Disk7

When I do this, it just keeps endlessly rebooting after what seems like 30 seconds(maybe post getting through sleep 30)

My above script works flawlessly in Debian/Ubuntu but I am thinking that the same commands but not be valid in LibreElec. Any help would be appreciated!

I ended up posting on reddit as this was not getting any action. I essentially kept the iptables.service through systemd and then mounted my NFS shares through the autostart script using the below code. It includes a command at the beginning that delays the start of the script by several seconds. Below the code will also be the reddit post if anybody wants to take a look.

#!/bin/sh
 
# Wait for the network to come up...
while [ -z "$(connmanctl state | grep State | grep -E "ready|online")" ]; do sleep 0.25; done; logger -t "$(basename $0)" "** Network is up **"
 
mount -t nfs 192.168.1.100:/mnt/media/alarm/Disk1 -o ro,bg,noatime,nodiratime,nolock,timeo=600,async,rsize=32768,wsize=32768 /storage/NFS/Disk1
mount -t nfs 192.168.1.100:/mnt/media/alarm/Disk2 -o ro,bg,noatime,nodiratime,nolock,timeo=600,async,rsize=32768,wsize=32768 /storage/NFS/Disk2
mount -t nfs 192.168.1.100:/mnt/media/alarm/Disk3 -o ro,bg,noatime,nodiratime,nolock,timeo=600,async,rsize=32768,wsize=32768 /storage/NFS/Disk3
mount -t nfs 192.168.1.100:/mnt/media/alarm/Disk4 -o ro,bg,noatime,nodiratime,nolock,timeo=600,async,rsize=32768,wsize=32768 /storage/NFS/Disk4
mount -t 192.168.1.100:/mnt/media/alarm/Disk5 -o ro,bg,noatime,nodiratime,nolock,timeo=600,async,rsize=32768,wsize=32768 /storage/NFS/Disk5
mount -t nfs 192.168.1.100:/mnt/media/alarm/Disk6 -o ro,bg,noatime,nodiratime,nolock,timeo=600,async,rsize=32768,wsize=32768 /storage/NFS/Disk6

Here is the reddit post: iptables.service and NFS- Unresolved forum post : libreELEC

Shoutout to ChickenGoes2Library for all of the help.

Hello and greetings!

I posted on this forum a year or so ago and here is the thread: NFS IPtables Troubles

I was invoking iptables through an autostart script and everything worked fine with NFS. . . for a while. I want to start iptables through systemd and I referenced this thread as it included iptables.service setup instructions: VPN: Include default iptables rule for tun0 or at least optional

I want to invoke it through systemd as I want iptables started before my network is online. I followed the instructions for creating the iptables.service and iptables starts fine as I am totally unable to ssh into the box (which is good for me). My NFS mounts unfortunately do not mount. Here are my sample configuration files:

iptables.service

[Unit]

Description=Packet Filtering Framework

Before=network-pre.target

Wants=network-pre.target





[Service]

Type=oneshot

ExecStart=/usr/sbin/iptables-restore /storage/.config/iptables.rules

ExecReload=/usr/sbin/iptables-restore /storage/.config/iptables.rules

ExecStop=/usr/sbin/iptables -F

RemainAfterExit=yes



[Install]

WantedBy=multi-user.target

nfs mount:

[Unit]

Description=Disk1

After=network-online.service

Wants=network-online.service

Before=kodi.service



[Mount]

What=192.168.1.100:/run/media/alarm/Disk2/

Where=/storage/NFS/Disk2

Options=ro,auto,hard,timeo=100,rsize=262144

Type=nfs



[Install]

WantedBy=multi-user.target

and finally my iptables.rules:

*filter
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT

I believe my problem essentially comes down to something like After=Network-online.service interfering with something. Any help or insight would be sincerely appreciated! My client is an Odroid C2.

Thanks for the response Escalade. I ran the following command to check to see that idmap was fully working:

cat /sys/module/nfsd/parameters/nfs4_disable_idmapping

It returned a Y so it is working. I am thinking that it is just my firewall configuration.

I got it to work with a basic configuration to deny incoming connections. I really was overthinking it. Here is the configuration that I used:

# Set default chain policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Accept on localhost
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow established sessions to receive traffic
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

I tried that and it did not work. I also tried this:

/etc/sysconfig/nfs

STATDARG="-p 32765 -o 32766 -T 32803"

This did not work either. My next step is to switch from ufw on my server to iptables to see if that helps. I have to admit that I am feeling pretty lost right now. I still do not have rpcbind.service running. I think I may need that for NFSv3.

I appreciate the response, subzero79. My question to you would be: Why does NFS work great without the firewall if the client opens a random port below 1024? My server is only configured for 111, 2049, and 20048.

Edit: I just read the Arch wiki and I believe I understand it now. In order for NFS3 to work behind a firewall, certain things have to be tweaked. If anybody cares to elaborate further while I'm sleeping, I would appreciate it.

That could be it though. I found this forum post which states that NFSv4 was right around the corner last January.

LibreELEC Testbuilds for x86_64 (Kodi 18.0)

I might have to configure it for NFSv3 which means I would probably have to use rpcbind.service.

Anybody know if I am thinking about this wrong? If the NFS shares worked flawlessly without the firewall, does that mean LibreElec supports NFSv4?

I was reading about the dynamic ports a little bit but glanced over them because UFW is just a front end for iptables. I figured if those were the ports that I needed for UFW, that they would also work with iptables.

I do not have rpcbind.service going on my server as I believe that it was only needed for older versions of NFS. NFS works without iptables on Libreelec so maybe I am just not understanding something.

Hello Everybody,

I am currently using an Odroid C2 running the latest LibreElec. I was looking through the forums and saw that the best way to configure iptables was through autostart.sh , otherwise it will not survive a reboot. I am currently using NFS via the storage-Disk.mount feature. It works great when iptables is not present but I cannot get it to work when using iptables.

I should let you all know that I am a noob when it comes to iptables. I have been using ufw for sometime now. My server is configured with ufw and only allows in from specific ip addresses/ports. Again, this works fine when I do not have iptables running on my Odroid.

I have tried many different iptables configurations but I have not been able to get it to work. When I try to access it through Kodi, it times out and does not show that it is mounted. On my server, I allow in on the following port:111,2049,20048

Here is my most recent configuration that I tried: .25 is the server and .40 is the client. Any help would be sincerely appreciated. I do not want to allow any incoming connections to LibreElec but realize that Iptables has to have some input ability. I was using old computers running manjaro Linux before as my media centers. On those computers, I was using UFW and it was configured as "sudo ufw default deny" and it worked great.

iptables -P INPUT DROP    
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -s 172.16.10.25/32 -d 172.16.10.40/32 -i eth0 -p tcp --sport 111 -j ACCEPT
iptables -A INPUT -s 172.16.10.25/32 -d 172.16.10.40/32 -i eth0 -p tcp --sport 2049 -j ACCEPT
iptables -A INPUT -s 172.16.10.25/32 -d 172.16.10.40/32 -i eth0 -p tcp --sport 20048 -j ACCEPT
iptables -A INPUT -s 172.16.10.25/32 -d 172.16.10.40/32 -i eth0 -p udp --sport 111 -j ACCEPT
iptables -A INPUT -s 172.16.10.25/32 -d 172.16.10.40/32 -i eth0 -p udp --sport 2049 -j ACCEPT
iptables -A INPUT -s 172.16.10.25/32 -d 172.16.10.40/32 -i eth0 -p udp --sport 20048 -j ACCEPT
iptables -A OUTPUT -s 172.16.10.40/32 -d 172.16.10.25/32 -o eth0 -p tcp --dport 111 -j ACCEPT
iptables -A OUTPUT -s 172.16.10.40/32 -d 172.16.10.25/32 -o eth0 -p tcp --dport 2049 -j ACCEPT
iptables -A OUTPUT -s 172.16.10.40/32 -d 172.16.10.25/32 -o eth0 -p tcp --dport 20048 -j ACCEPT
iptables -A OUTPUT -s 172.16.10.40/32 -d 172.16.10.25/32 -o eth0 -p udp --dport 111 -j ACCEPT
iptables -A OUTPUT -s 172.16.10.40/32 -d 172.16.10.25/32 -o eth0 -p udp --dport 2049 -j ACCEPT
iptables -A OUTPUT -s 172.16.10.40/32 -d 172.16.10.25/32 -o eth0 -p udp --dport 20048 -j ACCEPT
iptables -I INPUT  -i lo -d 127.0.0.1 -j ACCEPT
iptables -I OUTPUT  -o lo -s 127.0.0.1 -j ACCEPT