Monday, October 03, 2005

Making NFS and IPTABLES work and play well together

This document is a short and specific paraphrase of Chris Lowth's excellent paper, Configuring NFS under Linux for Firewall control.

The problem with setting up IPTABLES to allow for NFS is that NFS uses the SunRPC mechanism, which assigns random ports to some of its components, so there is no fixed port for a firewall rule to match. The solution is to pin those ports to known values so that IPTABLES rules can track them. Chris uses this table to summarize the situation:

Daemon Name   RPM                  Standard Port   Suggested Port   What to Change
portmap       portmap              111             111              Nothing
rpc.statd     nfs-utils            Random          4000             Edit /etc/init.d/nfslock
rpc.nfsd      nfs-utils            2049            2049             Nothing
rpc.lockd     nfs-utils & kernel   Random          4001             Edit /etc/modules.conf
rpc.mountd    nfs-utils            Random          4002             Create or Edit /etc/sysconfig/nfs
rpc.rquotad   quota                Random          4003             Install "quota" package version 3.08 or later
                                                                    and edit /etc/rpc and /etc/services


These are the specific changes I made in the Red Hat Enterprise Linux 3 Advanced Server environment to get NFS and IPTABLES to work together.

  1. Create the /etc/sysconfig/nfs file with these two lines:
    STATD_PORT="4000"
    MOUNTD_PORT="4002"


  2. Edit the /etc/rc.d/init.d/nfslock file to add this block immediately after the existing if block that sets ${STATDARG} (the variable must be quoted: an unquoted empty ${STATD_PORT} makes the test always true and passes "-p" with no argument to statd):
    if [ -n "${STATD_PORT}" ]; then
        STATDARG="${STATDARG} -p ${STATD_PORT}"
    fi


  3. Add this line to the /etc/modules.conf file:
    options lockd nlm_udpport=4001 nlm_tcpport=4001


  4. Verify the version of the quota package is 3.08-1 or higher:
    rpm -qa | grep -i quota


  5. Verify this line is in the /etc/rpc file (100011 is the standard RPC program number for rquotad):
    rquotad 100011 rquotaprog quota rquota


  6. Add these two lines to the /etc/services file:
    rquotad 4003/tcp
    rquotad 4003/udp


  7. Add these lines to the /etc/sysconfig/iptables file:
    -A RH-Firewall-1-INPUT -m tcp -p tcp --dport 111 -j ACCEPT
    -A RH-Firewall-1-INPUT -m udp -p udp --dport 111 -j ACCEPT
    -A RH-Firewall-1-INPUT -m tcp -p tcp --dport 2049 -j ACCEPT
    -A RH-Firewall-1-INPUT -m udp -p udp --dport 2049 -j ACCEPT
    -A RH-Firewall-1-INPUT -m tcp -p tcp --dport 4000:4003 -j ACCEPT
    -A RH-Firewall-1-INPUT -m udp -p udp --dport 4000:4003 -j ACCEPT


  8. Finally, restart the services and verify that you can NFS-mount an exported directory from the server.
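Before trusting the firewall rules in step 7, it is worth confirming that every RPC service really registered on its pinned port; a daemon that silently ignored its port setting still picks a random port, and the 4000:4003 rules then do nothing for it. The script below is an added example (not part of the original post or Chris Lowth's paper): it reads the text output of rpcinfo -p and compares each service from the table above against its expected port. The two rpcinfo listings embedded in it are constructed samples, not captures from a real host, and the service names (status, nlockmgr, mountd, rquotad) are the names rpcinfo prints for the daemons in the table.

```shell
#!/bin/sh
# Added example: verify that the NFS-related RPC services are registered on
# the fixed ports chosen in the steps above, so the IPTABLES rules cover them.
# Input is the text format of `rpcinfo -p`: program vers proto port service.

# Expected "service:port" pairs, taken from the table above (rpcinfo's names).
EXPECTED="portmapper:111 status:4000 nfs:2049 nlockmgr:4001 mountd:4002 rquotad:4003"

# check_rpc_ports: read rpcinfo -p output on stdin; print one line for every
# service that is missing or registered on an unexpected port; return 1 if any.
check_rpc_ports() {
    rc=0
    input=$(cat)
    for pair in $EXPECTED; do
        name=${pair%%:*}
        want=${pair##*:}
        # Column 5 is the service name, column 4 the port; the header line has
        # only four columns and therefore never matches.
        got=$(printf '%s\n' "$input" | awk -v n="$name" '$5 == n { print $4 }' | sort -u)
        if [ -z "$got" ]; then
            echo "MISSING $name (expected port $want)"
            rc=1
        else
            for p in $got; do
                if [ "$p" != "$want" ]; then
                    echo "WRONG $name on port $p (expected $want)"
                    rc=1
                fi
            done
        fi
    done
    return $rc
}

# Constructed sample: statd and mountd still on random ports (steps 1-2 not
# applied), so the 4000:4003 firewall rules would not reach them.
SAMPLE_BAD='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  32768  status
    100024    1   tcp  32769  status
    100003    2   udp   2049  nfs
    100021    1   udp   4001  nlockmgr
    100005    1   udp  32770  mountd
    100011    1   udp   4003  rquotad'

# Constructed sample: every service on the port from the table.
SAMPLE_GOOD='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp   4000  status
    100024    1   tcp   4000  status
    100003    2   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100021    1   udp   4001  nlockmgr
    100021    1   tcp   4001  nlockmgr
    100005    1   udp   4002  mountd
    100005    1   tcp   4002  mountd
    100011    1   udp   4003  rquotad'

# On a live server, after the restart in step 8:
#   rpcinfo -p | check_rpc_ports && echo "all NFS RPC ports pinned"
```

Run it from the server itself, or point rpcinfo at the server's name from a client that sits outside the firewall; a MISSING line from the client side while the server side reports nothing is the signature of a port that is pinned correctly but still blocked.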


Resources