4

Without iptables rules I am able to mount my NFSSERVER:/PATH, but with it (firewall/iptables) enabled I am not able to mount.

[e.g., after iptables --flush / firewalld stop; mount NFSSERVER:/Path works]

I am not supposed to disable/clear the firewall/iptables but I am allowed to open a port. What is the rule that I need to add to open up the port/mount?

Current default policy is DROP all INCOMING/OUTGOING/FORWARD and there are a couple of rules to allow wget from external port 80, etc.

Adding the NFS server port didn't help:

    iptables -A OUTPUT -p tcp --dport 2049 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -p tcp --sport 2049 -m state --state ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -p udp --dport 2049 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -p udp --sport 2049 -m state --state ESTABLISHED -j ACCEPT

Thanks.

PS: This is for nfs client not NFS server machine.

user353gre3
resultsway
This doesn't work since `nfsd` is not the only daemon that requires network access. Other daemons involved in `NFS` are `portmap`, `statd`, `mountd`, `lockd` and `rquotad`. See [this](http://tldp.org/HOWTO/NFS-HOWTO/security.html#FIREWALLS) and [this](http://rlworkman.net/howtos/NFS_Firewall_HOWTO) for example. – Yoel Oct 04 '14 at 19:48

2 Answers

8

If all you need is NFS version 4 (which is already over 10 years old), you don't need to go to all of the effort described in @Sathish's answer. Just make sure TCP port 2049 is open on the server's firewall, and that the client's firewall allows outbound traffic to port 2049 on the server.

CentOS 5 (also old) has a nice explanation of why NFSv4 is more firewall friendly than v3 and v2.

Mike Gleason
7

NFS SERVER:

Configure ports for rquotad (875/udp; 875/tcp), lockd (32803/tcp; 32769/udp), mountd (892/udp; 892/tcp), statd (10053/udp; 10053/tcp), statd_outgoing (10054/udp; 10054/tcp)

    vim /etc/sysconfig/nfs

If desired, disable NFS v3 and NFS v2 support by editing lines 5 & 6 of /etc/sysconfig/nfs

    MOUNTD_NFS_V2="no"
    MOUNTD_NFS_V3="no"

Save current Iptables rules for later use. (if iptables-save is absent in your distribution, you may try iptables -S filename )

    iptables-save > pre-nfs-firewall-rules-server

Flush and check Iptables rules

    iptables -F
    iptables -L

Stop and Start NFS and related Services in the following sequence

    service rpcbind stop
    service nfslock stop
    service nfs stop
    service rpcbind start
    service nfslock start
    service nfs start

Make sure the configured NFS and its associated ports show as set before, and note down the port numbers and the OSI layer 4 protocols. The standard port numbers for rpcbind (or portmapper) are 111/udp, 111/tcp and for nfs are 2049/udp, 2049/tcp.

    rpcinfo -p | sort -k 3

Restore the pre-nfs-firewall-rules now

    iptables-restore < pre-nfs-firewall-rules-server

Write iptables rules for the NFS server (Note: the loopback adapter has to be allowed, else you will see packets dropped, and also when you restart the nfs service it will spit ERROR {Starting NFS quotas: Cannot register service: RPC: Timed out rpc.rquotad: unable to register (RQUOTAPROG, RQUOTAVERS, udp). [FAILED]} for the rquotad daemon. You can check this by adding a rule with the LOG jump target at the bottom of the INPUT or OUTPUT chains of the filter table)

    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -A INPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -p udp -m multiport --dports 10053,111,2049,32769,875,892 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A INPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -p tcp -m multiport --dports 10053,111,2049,32803,875,892 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -p udp -m multiport --sports 10053,111,2049,32769,875,892 -m state --state ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -p tcp -m multiport --sports 10053,111,2049,32803,875,892 -m state --state ESTABLISHED -j ACCEPT
    iptables -I INPUT -i lo -d 127.0.0.1 -j ACCEPT
    iptables -I OUTPUT -o lo -s 127.0.0.1 -j ACCEPT
    iptables -L -n --line-numbers

Configure NFS exports directory

    vim /etc/exports
    exportfs -av
    showmount -e
    rpcinfo -p

Stop and Start NFS and related Services in the following sequence

    service rpcbind stop
    service nfslock stop
    service nfs stop
    service rpcbind start
    service nfslock start
    service nfs start

NFS CLIENT:

Save current Iptables rules for later use. (if iptables-save is absent in your distribution, you may try iptables -S filename )

    iptables-save > pre-nfs-firewall-rules-client

Flush and check Iptables rules

    iptables -F
    iptables -L

Obtain the firewalled NFS server ports from the client machine and note down the port numbers and the OSI layer 4 protocols.

    rpcinfo -p 'ip-addr-nfs-server' | sort -k 3

Restore the pre-nfs-firewall-rules now

    iptables-restore < pre-nfs-firewall-rules-client

Write iptables rules for the NFS client (Note: the loopback adapter has to be allowed, else you will see packets dropped, and also when you restart the nfs service it will spit ERROR {Starting NFS quotas: Cannot register service: RPC: Timed out rpc.rquotad: unable to register (RQUOTAPROG, RQUOTAVERS, udp). [FAILED]} for the rquotad daemon. You can check this by adding a rule with the LOG jump target at the bottom of the INPUT or OUTPUT chains of the filter table)

    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -A INPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -p udp -m multiport --sports 10053,111,2049,32769,875,892 -m state --state ESTABLISHED -j ACCEPT
    iptables -A INPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -p tcp -m multiport --sports 10053,111,2049,32803,875,892 -m state --state ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -p udp -m multiport --dports 10053,111,2049,32769,875,892 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -p tcp -m multiport --dports 10053,111,2049,32803,875,892 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -I INPUT -i lo -d 127.0.0.1 -j ACCEPT
    iptables -I OUTPUT -o lo -s 127.0.0.1 -j ACCEPT
    iptables -L -n --line-numbers

Stop and Start NFS and related Services in the following sequence

    service rpcbind stop
    service nfslock stop
    service nfs stop
    service rpcbind start
    service nfslock start
    service nfs start

List NFS Server exports

    showmount -e 'ip-addr-nfs-server'

Mount NFS Exports manually (persistent mounts can be configured using /etc/fstab)

    mount -t nfs ip-addr-nfs-server:/exported-directory /mount-point -o rw,nfsvers=3
    mount -t nfs ip-addr-nfs-server:/exported-directory /mount-point -o rw    # for NFS version 4

Configure autofs, if automounting is preferred for nfs exports and with ldap user home directories (Direct and Indirect Maps can be set)

    vim /etc/auto.master    # specify the mount point and map-name (e.g. auto.nfs)
    vim /etc/map-name
    service autofs stop
    service autofs start

Check mounted NFS Exports

    df -h -F nfs
    mount | grep nfs

List all pseudo root NFS-V4 export directories (NFS Lazy mount)

    ls /net/ip-addr-nfs-server

Sathish
The `ls /net/ip-addr-nfs-server` command might not work if the server has NFSv3 disabled. The automounter uses `showmount` to determine if a server is exporting NFS folders, and a pure NFSv4 server won't be reachable this way, as showmount will report `RPC: Program not registered`, thus preventing autofs from showing anything under the virtual `/net` directory. – Ale Jan 31 '20 at 16:40
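The "note down the ports and protocols from `rpcinfo -p` and write the client rules" steps of Sathish's answer, automated as an added example that is not from the question or either answer: it parses a constructed `rpcinfo -p` table (the same port set Sathish's answer configures), groups the ports by layer 4 protocol, and prints the client-side rules without applying them. The server and client addresses 192.168.1.10 and 192.168.1.20 are assumed placeholders; the rules are narrowed from the answer's /24-to-/24 match to the single server address.

```shell
#!/bin/sh
# Constructed sample of `rpcinfo -p <nfs-server>` output; the ports are the ones
# Sathish's answer configures, not a capture from a real server.
RPCINFO_SAMPLE='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   udp    111  portmapper
    100005    1   udp    892  mountd
    100005    1   tcp    892  mountd
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100003    3   udp   2049  nfs
    100021    1   udp  32769  nlockmgr
    100021    4   tcp  32803  nlockmgr
    100024    1   udp  10053  status
    100024    1   tcp  10053  status
    100011    1   udp    875  rquotad
    100011    1   tcp    875  rquotad'

# Comma-separated, numerically sorted, deduplicated ports for one protocol
# (tcp or udp), parsed from the rpcinfo table; the header line is skipped.
ports_for() {
  printf '%s\n' "$RPCINFO_SAMPLE" |
    awk -v p="$1" 'NR > 1 && $3 == p { print $4 }' |
    sort -nu |
    paste -sd, -
}

# Print (do not apply) the client-side rules: new connections may leave the
# client towards the server's RPC/NFS ports, and only replies may come back in.
# Arguments: server IP, client IP (placeholder values in the usage below).
nfs_client_rules() {
  server="$1"; client="$2"
  for proto in tcp udp; do
    ports=$(ports_for "$proto")
    [ -n "$ports" ] || continue
    echo "iptables -A OUTPUT -s $client -d $server -p $proto -m multiport --dports $ports -m state --state NEW,ESTABLISHED -j ACCEPT"
    echo "iptables -A INPUT -s $server -d $client -p $proto -m multiport --sports $ports -m state --state ESTABLISHED -j ACCEPT"
  done
}

# Usage with placeholder addresses: review the printed rules, then run them as root.
nfs_client_rules 192.168.1.10 192.168.1.20
```

Run `rpcinfo -p <server>` on the client and substitute its real output for the constructed table; if the server is NFSv4-only, Mike Gleason's answer applies and only 2049/tcp remains.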