Making NFS and IPTABLES work and play well together
This document is a short and specific paraphrase of Chris Lowth's excellent paper, Configuring NFS under Linux for Firewall control.
The problem with setting up IPTABLES to allow for NFS is that NFS uses the SunRPC mechanism, which assigns random ports to some of its components each time they start, so there is no fixed port to open. The solution is to pin those ports so that they become trackable with IPTABLES. Chris uses this table to summarize the situation:
| Daemon Name | RPM | Standard Port | Suggested Port | What to Change |
|---|---|---|---|---|
| portmap | portmap | 111 | 111 | Nothing |
| rpc.statd | nfs-utils | Random | 4000 | Edit /etc/init.d/nfslock |
| rpc.nfsd | nfs-utils | 2049 | 2049 | Nothing |
| rpc.lockd | nfs-utils & kernel | Random | 4001 | Edit /etc/modules.conf |
| rpc.mountd | nfs-utils | Random | 4002 | Create or edit /etc/sysconfig/nfs |
| rpc.rquotad | quota | Random | 4003 | Install "quota" package version 3.08 or later and edit /etc/rpc and /etc/services |
These are the specific changes I made in the Red Hat Enterprise Linux 3 Advanced Server environment to get NFS and IPTABLES to work together.
- Create the `/etc/sysconfig/nfs` file with these two lines:

  ```
  STATD_PORT="4000"
  MOUNTD_PORT="4002"
  ```
- Edit the `/etc/rc.d/init.d/nfslock` file to add this block immediately after the existing `if` block that sets `${STATDARG}` (the variable must be quoted, otherwise `[ -n ]` with an empty value is always true and `-p` is passed with no port):

  ```sh
  if [ -n "${STATD_PORT}" ]; then
      STATDARG="${STATDARG} -p ${STATD_PORT}"
  fi
  ```
- Add this line to the `/etc/modules.conf` file:

  ```
  options lockd nlm_udpport=4001 nlm_tcpport=4001
  ```
- Verify the version of the quota package is 3.08-1 or higher:

  ```sh
  rpm -qa | grep -i quota
  ```
- Verify this line is in the `/etc/rpc` file (100011 is the registered RPC program number for rquotad):

  ```
  rquotad 100011 rquotaprog quota rquota
  ```
- Add these two lines to the `/etc/services` file:

  ```
  rquotad 4003/tcp
  rquotad 4003/udp
  ```
- Add these lines to the `/etc/sysconfig/iptables` file:

  ```
  -A RH-Firewall-1-INPUT -m tcp -p tcp --dport 111 -j ACCEPT
  -A RH-Firewall-1-INPUT -m udp -p udp --dport 111 -j ACCEPT
  -A RH-Firewall-1-INPUT -m tcp -p tcp --dport 2049 -j ACCEPT
  -A RH-Firewall-1-INPUT -m udp -p udp --dport 2049 -j ACCEPT
  -A RH-Firewall-1-INPUT -m tcp -p tcp --dport 4000:4003 -j ACCEPT
  -A RH-Firewall-1-INPUT -m udp -p udp --dport 4000:4003 -j ACCEPT
  ```
- Finally, restart everything and verify that you can NFS-mount an exported directory from the server.
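The whole procedure only works if every RPC daemon really came up on its pinned port; a daemon that silently fell back to a random port (for example because `/etc/sysconfig/nfs` was not read) is exactly the case the firewall rules above do not cover, and mounts then hang rather than fail clearly. The script below is an added example, not part of the original article or of Chris Lowth's paper: it reads `rpcinfo -p` style output and reports any program bound to a port outside the set the IPTABLES rules allow (111, 2049, 4000-4003). The function names `is_allowed_port`, `check_rpc_ports`, `good_count` and `bad_count` are my own, and the two `rpcinfo` listings embedded in the script are constructed sample data, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original article): after restarting the NFS
# services, confirm that every RPC program is bound to one of the ports the
# iptables rules allow. Anything on another port is unreachable through the
# firewall and shows up as a hanging mount.

# Ports opened by the iptables rules in the article: 111, 2049, 4000-4003.
is_allowed_port() {
    case "$1" in
        111|2049|4000|4001|4002|4003) return 0 ;;
        *) return 1 ;;
    esac
}

# Reads "rpcinfo -p" output on stdin and prints one line per
# program/version/protocol bound to a port outside the allowed set.
# Returns 0 when everything is on an allowed port, 1 otherwise.
check_rpc_ports() {
    bad=0
    while read -r prog vers proto port name; do
        # skip the header line and blank lines
        case "$prog" in
            program|"") continue ;;
        esac
        if ! is_allowed_port "$port"; then
            echo "UNEXPECTED: $name v$vers/$proto on port $port (program $prog)"
            bad=1
        fi
    done
    return $bad
}

# Constructed sample: what "rpcinfo -p" prints on a server where all the
# ports have been pinned as described above (made up for this example).
GOOD_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp   4000  status
    100024    1   tcp   4000  status
    100003    2   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100021    1   udp   4001  nlockmgr
    100021    1   tcp   4001  nlockmgr
    100005    1   udp   4002  mountd
    100005    1   tcp   4002  mountd
    100011    1   udp   4003  rquotad'

# Constructed sample: same server, but rpc.statd came up on a random port
# because /etc/sysconfig/nfs was not read.
BAD_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100024    1   udp  32768  status
    100003    2   udp   2049  nfs'

# Number of offending lines for each sample (0 and 1 respectively).
good_count() { printf '%s\n' "$GOOD_RPCINFO" | check_rpc_ports | wc -l | tr -d ' '; }
bad_count()  { printf '%s\n' "$BAD_RPCINFO"  | check_rpc_ports | wc -l | tr -d ' '; }

# Stand-alone demonstration against the constructed samples.
# On a real server run instead:  rpcinfo -p | check_rpc_ports
printf '%s\n' "$GOOD_RPCINFO" | check_rpc_ports && echo "pinned sample: all RPC ports allowed"
printf '%s\n' "$BAD_RPCINFO" | check_rpc_ports || echo "random-port sample: some RPC services are outside the allowed ports"
```

Run it on the server after the restart in the last step (`rpcinfo -p | check_rpc_ports`); a non-zero exit means one of the daemons ignored its port setting and the corresponding file from the list above needs another look. Checking with `rpcinfo` rather than by trying a mount from a client separates "the daemon is on the wrong port" from "the firewall rule is wrong", which otherwise look identical.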