Iptables Rules for NFS Server and NFS Client
With no iptables rules I can mount NFSSERVER:/PATH, but with the firewall/iptables enabled I cannot mount.
[e.g., after iptables --flush / firewalld stop, mount NFSSERVER:/Path works]
I am not supposed to disable/clear the firewall/iptables, but I am allowed to open the port. What rule should I add to open the mount port?
The current default policy is DROP for all INPUT/OUTPUT/FORWARD, and there are a few rules to allow wget from external port 80, etc. Adding the NFS server port did not help:
iptables -A OUTPUT -p tcp --dport 2049 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --sport 2049 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp --dport 2049 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p udp --sport 2049 -m state --state ESTABLISHED -j ACCEPT
Thanks.
PS: This is for the NFS client, not for the NFS server machine.
NFS SERVER:
Configure fixed ports for rquotad (875/udp; 875/tcp), lockd (32803/tcp; 32769/udp), mountd (892/udp; 892/tcp), statd (10053/udp; 10053/tcp) and statd_outgoing (10054/udp; 10054/tcp)
vim /etc/sysconfig/nfs
Optionally disable NFS v3 and NFS v2 support by editing lines 5 and 6 in /etc/sysconfig/nfs
MOUNTD_NFS_V2="no"
MOUNTD_NFS_V3="no"
Save the current iptables rules for later use (if iptables-save is missing from your distribution, you can try iptables -S > filename)
iptables-save > pre-nfs-firewall-rules-server
Clear and check iptables rules
iptables -F
iptables -L
Stop and start NFS and related services in the following sequence
service rpcbind stop
service nfslock stop
service nfs stop
service rpcbind start
service nfslock start
service nfs start
Make sure the NFS and associated ports configured above are shown, and note the port and protocol numbers. The default port numbers for rpcbind (or portmapper) are 111/udp and 111/tcp, and for nfs 2049/udp and 2049/tcp.
rpcinfo -p | sort -k 3
Restore pre-nfs-firewall rules now
iptables-restore < pre-nfs-firewall-rules-server
Write iptables rules for the NFS server (Note: the loopback adapter must be allowed, otherwise you will see packets dropped, and when the nfs service is restarted it will spit ERROR {Starting NFS quotas: Unable to register service: RPC: rpc.rquotad failed: unable to register (RQUOTAPROG, RQUOTAVERS, udp). [FAILED]} for the rquotad daemon. You can check this by adding a rule that jumps to LOG at the bottom of the INPUT or OUTPUT filter chains)
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -A INPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -p udp -m multiport --dports 10053,111,2049,32769,875,892 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -p tcp -m multiport --dports 10053,111,2049,32803,875,892 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -p udp -m multiport --sports 10053,111,2049,32769,875,892 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -p tcp -m multiport --sports 10053,111,2049,32803,875,892 -m state --state ESTABLISHED -j ACCEPT
iptables -I INPUT -i lo -d 127.0.0.1 -j ACCEPT
iptables -I OUTPUT -o lo -s 127.0.0.1 -j ACCEPT
iptables -L -n --line-numbers
Configure NFS Export Directory
vim /etc/exports
exportfs -av
showmount -e
rpcinfo -p
Stop and start NFS and related services in the following sequence
service rpcbind stop
service nfslock stop
service nfs stop
service rpcbind start
service nfslock start
service nfs start
NFS CLIENT:
Save the current iptables rules for later use (if iptables-save is missing from your distribution, you can try iptables -S > filename)
iptables-save > pre-nfs-firewall-rules-client
Clear and check iptables rules
iptables -F
iptables -L
Obtain the NFS server's RPC port list from the client machine and note the port and protocol numbers.
rpcinfo -p 'ip-addr-nfs-server' | sort -k 3
Restore pre-nfs-firewall rules now
iptables-restore < pre-nfs-firewall-rules-client
Write iptables rules for the NFS client (Note: the loopback adapter must be allowed, otherwise you will see packets dropped, and when the nfs service is restarted it will spit ERROR {Starting NFS quotas: Unable to register service: RPC: rpc.rquotad failed: unable to register (RQUOTAPROG, RQUOTAVERS, udp). [FAILED]} for the rquotad daemon. You can check this by adding a rule that jumps to LOG at the bottom of the INPUT or OUTPUT filter chains)
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -A INPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -p udp -m multiport --sports 10053,111,2049,32769,875,892 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -p tcp -m multiport --sports 10053,111,2049,32803,875,892 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -p udp -m multiport --dports 10053,111,2049,32769,875,892 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -p tcp -m multiport --dports 10053,111,2049,32803,875,892 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -I INPUT -i lo -d 127.0.0.1 -j ACCEPT
iptables -I OUTPUT -o lo -s 127.0.0.1 -j ACCEPT
iptables -L -n --line-numbers
Stop and start NFS and related services in the following sequence
service rpcbind stop
service nfslock stop
service nfs stop
service rpcbind start
service nfslock start
service nfs start
NFS server export list
showmount -e 'ip-addr-nfs-server'
Mount the NFS export manually (permanent settings can be configured in /etc/fstab)
mount -t nfs ip-addr-nfs-server:/exported-directory /mount-point -o rw,nfsvers=3
mount -t nfs ip-addr-nfs-server:/exported-directory /mount-point -o rw    # for NFSv4
Configure autofs if automatic mounting of the nfs export is preferred, e.g. with LDAP user home directories (direct and indirect maps can be configured)
vim /etc/auto.master -> specify the mount point and map-name (Eg: auto.nfs)
vim /etc/map-name
service autofs stop
service autofs start
Check the mounted NFS export
df -h -F nfs
mount | grep nfs
List of all NFS-V4 export root directories (NFS Lazy mount)
ls /net/ip-addr-nfs-server
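The server procedure above (pin the rquotad/lockd/mountd/statd ports, restart, confirm with rpcinfo -p, then write the multiport rules) is easy to get wrong by retyping port lists, and a daemon that failed to register leaves a silent hole. The script below is an added example, not code from the answer or from any NFS project: it parses rpcinfo -p output, reports any expected proto:port pair that is not registered, and prints the same rule set as the answer for either role (server or client) with the port lists filled in. The rpcinfo listing is constructed to match the answer's pinned ports; on a real host set RPCINFO_OUTPUT to a live listing. The function names, the RPCINFO_OUTPUT variable and the 192.168.1.0/24 network are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the answer above): derive the iptables port lists
# from `rpcinfo -p` output instead of retyping them, and check that every
# port pinned in /etc/sysconfig/nfs is actually registered before the rules
# are applied.  Constructed sample output, shaped like `rpcinfo -p` and using
# the answer's pinned ports; it is not captured from a real host.
RPCINFO_SAMPLE='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   udp    111  portmapper
    100011    1   udp    875  rquotad
    100011    1   tcp    875  rquotad
    100005    1   udp    892  mountd
    100005    3   tcp    892  mountd
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100003    3   udp   2049  nfs
    100021    1   udp  32769  nlockmgr
    100021    4   tcp  32803  nlockmgr
    100024    1   udp  10053  status
    100024    1   tcp  10053  status'

# rpc_source: the rpcinfo text to work from.  Set RPCINFO_OUTPUT="$(rpcinfo -p)"
# (or "$(rpcinfo -p ip-addr-nfs-server)" on the client) to use a live listing.
rpc_source() {
    printf '%s\n' "${RPCINFO_OUTPUT:-$RPCINFO_SAMPLE}"
}

# rpc_ports PROTO: unique ports registered for PROTO (tcp|udp), ascending,
# comma-joined in the form `-m multiport --dports` expects.
rpc_ports() {
    rpc_source |
    awk -v proto="$1" 'NR > 1 && $3 == proto && !seen[$4]++ { print $4 }' |
    sort -n |
    awk '{ if (NR > 1) l = l ","; l = l $1 } END { print l }'
}

# missing_ports PROTO:PORT ...: print each expected pair that rpcinfo does not
# list; returns 1 if any is missing (a daemon that failed to register, or a
# port that is not pinned yet and will change on the next restart).
missing_ports() {
    rc=0
    for want in "$@"; do
        proto=${want%%:*}
        port=${want#*:}
        if ! rpc_source |
             awk -v p="$proto" -v n="$port" \
                 'NR > 1 && $3 == p && $4 == n { found = 1 } END { exit found ? 0 : 1 }'
        then
            echo "$want"
            rc=1
        fi
    done
    return $rc
}

# nfs_rules server|client NET: print the rule set from the answer above with
# the port lists filled in from rpcinfo.  The server accepts NEW connections
# to the ports and answers from them; the client is the mirror image.  Output
# is text for review; pipe it to sh to apply.
nfs_rules() {
    role=$1
    net=$2
    case $role in
        server) in_match="--dports";  in_state="NEW,ESTABLISHED"
                out_match="--sports"; out_state="ESTABLISHED" ;;
        client) in_match="--sports";  in_state="ESTABLISHED"
                out_match="--dports"; out_state="NEW,ESTABLISHED" ;;
        *) echo "usage: nfs_rules server|client NET" >&2; return 2 ;;
    esac
    tcp=$(rpc_ports tcp)
    udp=$(rpc_ports udp)
    if [ -z "$tcp" ] || [ -z "$udp" ]; then
        echo "no tcp/udp RPC ports found; is rpcbind running?" >&2
        return 1
    fi
    cat <<EOF
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -I INPUT -i lo -j ACCEPT
iptables -I OUTPUT -o lo -j ACCEPT
iptables -A INPUT -s $net -d $net -p udp -m multiport $in_match $udp -m state --state $in_state -j ACCEPT
iptables -A INPUT -s $net -d $net -p tcp -m multiport $in_match $tcp -m state --state $in_state -j ACCEPT
iptables -A OUTPUT -s $net -d $net -p udp -m multiport $out_match $udp -m state --state $out_state -j ACCEPT
iptables -A OUTPUT -s $net -d $net -p tcp -m multiport $out_match $tcp -m state --state $out_state -j ACCEPT
EOF
}

# Usage: sh this-script.sh server 192.168.1.0/24
# Refuses to print rules while any pinned port is unregistered.
if [ $# -ge 2 ]; then
    missing_ports tcp:111 udp:111 tcp:2049 udp:2049 tcp:892 udp:892 \
                  tcp:875 udp:875 tcp:10053 udp:10053 tcp:32803 udp:32769 >&2 &&
    nfs_rules "$1" "$2"
fi
```

The port lists come out of the live rpcinfo listing, so if lockd or statd came up on a random port because /etc/sysconfig/nfs was not reloaded, the missing_ports check fails and no rule set is printed; that is the failure mode the answer's "make sure the configured ports are shown" step guards against. For an NFSv4-only setup (second answer) the same generator is overkill: only tcp/2049 needs to be in the lists.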
If you want NFS version 4 (over 10 years old) then you don't have to go to all the effort described in @Sathish's answer. Just make sure TCP port 2049 is open in the server firewall and that the client firewall allows outbound traffic to port 2049 on the server.
CentOS 5 (also old) has a nice explanation as to why NFSv4 is more firewall friendly than v3 and v2.