[stunnel-users] NFS over stunnel

Andy Wettstein ajw at uiuc.edu
Mon Nov 19 04:33:10 CET 2007


On Sun, Nov 18, 2007 at 07:56:02AM -0800, Brian Hatch wrote:
> Near 2007-11-16 12:18 -0600, Andy Wettstein spake:
> 
> > I wrote a document about how I am running NFS over stunnel.  Using some
> > firewall rules I was able to eliminate most of the complications for
> > using secure NFS.  It could probably use more detailed explanations, but
> > the scripts I am using are all there.
> 
> The server allows rw access to localhost.  Since stunnel will be showing
> each incoming packet from localhost, this is the only IP you can use.

That's the desired effect, right?

> 
> On the clients, you're listening on localhost (127.0.0.0/8 is all,
> effectively, local.)  You cannot distinguish the official mounts on
> the clients from any random user running their own daemons.
> 
> This means anyone on any client can access this NFS directory as
> any user, since the NFS model is purely client based userid/groupid
> security.
> 
> This is my first worry, but the rest of the writeup looks very detailed.

Did you see those scripts create firewall rules to handle this?  On the
client, the script does this for each tunneled port:
iptables -t filter -A $chain -p tcp -d $securehost --dport $tport --match owner ! --uid-owner root -j DROP

Where $securehost is the address on 127.0.0.0/8.

The iptables output, for example, looks like this:
DROP       tcp  --  0.0.0.0/0            127.0.4.1           tcp dpt:1041 ! OWNER UID match 0

On the server this is done for each port:
iptables -t filter -A $chain -p tcp -d localhost --dport $tport --match owner ! --uid-owner $stunneluser -j DROP

The iptables output (the nfstunnel user has UID 113):
DROP       tcp  --  0.0.0.0/0            127.0.0.1           tcp dpt:1041 ! OWNER UID match 113

With these rules enabled, I don't believe it is possible for a user to
use either a rogue NFS client directly on either the client or server 
machine or retunnel those ports to another machine.

Do you think those rules aren't doing what I expect?  Maybe I should put
a little more explanation about this on that page.

> 
> Not sure how well the server will handle multiple NFS mounts from the
> same IP (localhost, no matter how many actual clients.)

Yes, I'll see.  I have several hundred machines that mount my home
directory.  So far I haven't seen anything abnormal, at least with a
Linux NFS server.

Andy
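
Added example, not part of the original message or of the author's scripts: a shell check that reads an iptables listing in the format quoted above and reports any tunneled port that lacks the negated owner-match DROP rule. The function names, the extra ports 1042 and 1043, and the second sample line are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit that every tunneled port has the owner-match DROP rule.
# Reads `iptables -L <chain> -n` style lines on stdin, in the format quoted in
# the message above. Function and variable names here are hypothetical.

# uncovered_ports DEST UID PORT...
# Prints each PORT with no "DROP tcp ... DEST dpt:PORT ! OWNER UID match UID" line.
uncovered_ports() {
    dest=$1; uid=$2; shift 2
    awk -v dest="$dest" -v uid="$uid" -v ports="$*" '
        # A rule counts only if it is a DROP for tcp to the expected loopback
        # address and the owner match is negated ("!") for the expected UID.
        $1 == "DROP" && $2 == "tcp" && $5 == dest && $7 ~ /^dpt:[0-9]+$/ &&
        $8 == "!" && tolower($9) == "owner" && $10 == "UID" &&
        $11 == "match" && $12 == uid {
            sub(/^dpt:/, "", $7); covered[$7] = 1
        }
        END {
            n = split(ports, want, " ")
            for (i = 1; i <= n; i++)
                if (!(want[i] in covered)) print want[i]
        }'
}

# Sample listing: the first line is the client-side rule quoted above; the
# second is a constructed rule missing the "!" negation, so it would drop
# root's traffic instead of everyone else's.
sample_listing() {
    cat <<'EOF'
DROP       tcp  --  0.0.0.0/0            127.0.4.1           tcp dpt:1041 ! OWNER UID match 0
DROP       tcp  --  0.0.0.0/0            127.0.4.1           tcp dpt:1042 OWNER UID match 0
EOF
}

# Ports 1042 (wrong rule) and 1043 (no rule) are constructed; both are reported.
sample_listing | uncovered_ports 127.0.4.1 0 1041 1042 1043
```

On a live host, pipe the listing of the chain the scripts populate into uncovered_ports in place of sample_listing; on the server, pass 127.0.0.1 and the stunnel user's numeric UID.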


