iptables rules for nfs

24,286

Solution 1

The list of open ports for NFS is too restrictive. First, you will have to open the same ports to UDP, then you will need to add 2 more ports. The complete list of ports to be opened is:

    sunrpc          111/tcp    rpcbind  # SUN Remote Procedure Call
    sunrpc          111/udp    rpcbind  # SUN Remote Procedure Call
    nfsd-status     1110/tcp            # Cluster status info
    nfsd-keepalive  1110/udp            # Client status info
    nfsd            2049/tcp   nfs      # NFS server daemon
    nfsd            2049/udp   nfs      # NFS server daemon
    lockd           4045/udp            # NFS lock daemon/manager
    lockd           4045/tcp

Solution 2

NFS SERVER:

Configure ports for rquotad (875/udp; 875/tcp), lockd (32803/tcp; 32769/udp), mountd (892/udp; 892/tcp), statd (10053/udp; 10053/tcp), statd_outgoing (10054/udp; 10054/tcp)

    vim /etc/sysconfig/nfs

If desired, disable NFS v3 and NFS v2 support by editing lines 5 & 6 of /etc/sysconfig/nfs

    MOUNTD_NFS_V2="no"
    MOUNTD_NFS_V3="no"

Save current Iptables rules for later use

    iptables-save > pre-nfs-firewall-rules-server

Flush and check Iptables rules

    iptables -F
    iptables -L

Stop and Start NFS and related Services in the following sequence

    service rpcbind stop
    service nfslock stop
    service nfs stop
    service rpcbind start
    service nfslock start
    service nfs start

Make sure the configured NFS and its associated ports show as set before, and note down the port numbers and the OSI layer 4 protocols. The standard port numbers for rpcbind (or portmapper) are 111/udp, 111/tcp and for nfs are 2049/udp, 2049/tcp.

    rpcinfo -p | sort -k 3

Restore the pre-nfs-firewall-rules now

    iptables-restore < pre-nfs-firewall-rules-server

Write iptables rules for the NFS server (Note: the loopback adapter has to be allowed, else you will see packets dropped, and when you restart the nfs service it will spit the error { Starting NFS quotas: Cannot register service: RPC: Timed out rpc.rquotad: unable to register (RQUOTAPROG, RQUOTAVERS, udp). [FAILED] } for the rquotad daemon. You can check this by adding a rule with the LOG jump target at the bottom of the INPUT or OUTPUT chains of the filter table)

    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -A INPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -p udp -m multiport --dports 10053,111,2049,32769,875,892 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A INPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -p tcp -m multiport --dports 10053,111,2049,32803,875,892 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -p udp -m multiport --sports 10053,111,2049,32769,875,892 -m state --state ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -p tcp -m multiport --sports 10053,111,2049,32803,875,892 -m state --state ESTABLISHED -j ACCEPT
    iptables -I INPUT -i lo -d 127.0.0.1 -j ACCEPT
    iptables -I OUTPUT -o lo -s 127.0.0.1 -j ACCEPT
    iptables -L -n --line-numbers

Configure NFS exports directory

    vim /etc/exports
    exportfs -av
    showmount -e
    rpcinfo -p

Stop and Start NFS and related Services in the following sequence

    service rpcbind stop
    service nfslock stop
    service nfs stop
    service rpcbind start
    service nfslock start
    service nfs start

NFS CLIENT:

Save current Iptables rules for later use

    iptables-save > pre-nfs-firewall-rules-client

Flush and check Iptables rules

    iptables -F
    iptables -L

Obtain the firewalled NFS server ports from the client machine, and note down the port numbers and the OSI layer 4 protocols.

    rpcinfo -p 'ip-addr-nfs-server' | sort -k 3

Restore the pre-nfs-firewall-rules now

    iptables-restore < pre-nfs-firewall-rules-client

Write iptables rules for the NFS client (Note: the loopback adapter has to be allowed, else you will see packets dropped, and when you restart the nfs service it will spit the error { Starting NFS quotas: Cannot register service: RPC: Timed out rpc.rquotad: unable to register (RQUOTAPROG, RQUOTAVERS, udp). [FAILED] } for the rquotad daemon. You can check this by adding a rule with the LOG jump target at the bottom of the INPUT or OUTPUT chains of the filter table)

    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -A INPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -p udp -m multiport --sports 10053,111,2049,32769,875,892 -m state --state ESTABLISHED -j ACCEPT
    iptables -A INPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -p tcp -m multiport --sports 10053,111,2049,32803,875,892 -m state --state ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -p udp -m multiport --dports 10053,111,2049,32769,875,892 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -s 192.168.1.0/24 -d 192.168.1.0/24 -p tcp -m multiport --dports 10053,111,2049,32803,875,892 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -I INPUT -i lo -d 127.0.0.1 -j ACCEPT
    iptables -I OUTPUT -o lo -s 127.0.0.1 -j ACCEPT
    iptables -L -n --line-numbers

Stop and Start NFS and related Services in the following sequence

    service rpcbind stop
    service nfslock stop
    service nfs stop
    service rpcbind start
    service nfslock start
    service nfs start

List NFS Server exports

    showmount -e 'ip-addr-nfs-server'

Mount NFS Exports manually (persistent mounts can be configured using /etc/fstab)

    mount -t nfs ip-addr-nfs-server:/exported-directory /mount-point -o rw,nfsvers=3
    mount -t nfs ip-addr-nfs-server:/exported-directory /mount-point -o rw    # for NFS version 4

Configure autofs, if automounting is preferred for nfs exports and with ldap user home directories (Direct and Indirect Maps can be set)

    vim /etc/auto.master    # specify the mount point and map-name (e.g. auto.nfs)
    vim /etc/map-name
    service autofs stop
    service autofs start

Check mounted NFS Exports

    df -h -F nfs
    mount | grep nfs

List all pseudo root NFS-V4 export directories (NFS Lazy mount)

    ls /net/ip-addr-nfs-server
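As an added example (not part of either answer above): a small bash script that parses constructed `rpcinfo -p` output, collects the distinct ports per transport, and prints subnet-restricted iptables rules in the same INPUT/OUTPUT shape as Solution 2, including the loopback rules the note warns about. The fixed ports in the sample are the ones Solution 2 sets in /etc/sysconfig/nfs; the 192.168.1.0/24 subnet is an assumption.

```bash
#!/bin/bash
# Constructed sample of `rpcinfo -p` output (not captured from a real host).
# Fixed ports follow Solution 2: statd 10053, lockd 32803/tcp 32769/udp,
# mountd 892, rquotad 875; rpcbind 111 and nfs 2049 are the standard ones.
RPCINFO_SAMPLE='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100005    3   udp    892  mountd
    100005    3   tcp    892  mountd
    100003    4   tcp   2049  nfs
    100003    3   udp   2049  nfs
    100021    4   udp  32769  nlockmgr
    100021    4   tcp  32803  nlockmgr
    100024    1   udp  10053  status
    100024    1   tcp  10053  status
    100011    2   udp    875  rquotad
    100011    2   tcp    875  rquotad'

# nfs_ports <proto>: read rpcinfo output on stdin and print the sorted,
# de-duplicated ports for one transport as a comma list for -m multiport.
nfs_ports() {
  awk -v proto="$1" 'NR>1 && $3==proto {print $4}' \
    | sort -un \
    | awk '{printf "%s%s", (NR>1 ? "," : ""), $1}'
}

# nfs_rules <subnet> <tcp-ports> <udp-ports>: print the server-side rules.
# Only INPUT accepts NEW connections; OUTPUT only carries ESTABLISHED replies,
# and loopback is opened first so rquotad can register with rpcbind locally.
nfs_rules() {
  local net=$1 tcp=$2 udp=$3
  printf 'iptables -I INPUT -i lo -j ACCEPT\n'
  printf 'iptables -I OUTPUT -o lo -j ACCEPT\n'
  printf 'iptables -A INPUT -s %s -p tcp -m multiport --dports %s -m state --state NEW,ESTABLISHED -j ACCEPT\n' "$net" "$tcp"
  printf 'iptables -A INPUT -s %s -p udp -m multiport --dports %s -m state --state NEW,ESTABLISHED -j ACCEPT\n' "$net" "$udp"
  printf 'iptables -A OUTPUT -d %s -p tcp -m multiport --sports %s -m state --state ESTABLISHED -j ACCEPT\n' "$net" "$tcp"
  printf 'iptables -A OUTPUT -d %s -p udp -m multiport --sports %s -m state --state ESTABLISHED -j ACCEPT\n' "$net" "$udp"
}

# Print the rules instead of applying them, so they can be reviewed first.
TCP_PORTS=$(printf '%s\n' "$RPCINFO_SAMPLE" | nfs_ports tcp)
UDP_PORTS=$(printf '%s\n' "$RPCINFO_SAMPLE" | nfs_ports udp)
nfs_rules 192.168.1.0/24 "$TCP_PORTS" "$UDP_PORTS"
```

On a real server, replace the sample with `rpcinfo -p | nfs_ports tcp` (and udp); any port that is not pinned in /etc/sysconfig/nfs will change after a reboot, which is why Solution 2 fixes them first.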
Author: max, working as a Linux system admin.

Updated on September 18, 2022

Comments

  • max (almost 2 years ago)

    I was getting the error below when typing showmount -e 192.168.56.2 on the client machine

    [root@client ~]# showmount -e 192.168.56.2
    clnt_create: RPC: Port mapper failure - Unable to receive: errno 113 (No route to host)
    

    This is my nfs server configuration

    nfs server ip 192.168.56.2

    This is my nfs share

    [root@www ~]# cat /etc/exports 
    /files  192.168.56.7(rw,sync)
    

    These are the two services running on the server machine

    [root@www ~]# service rpcbind status
    rpcbind (pid  2626) is running...
    
    [root@www ~]# service nfs status
    rpc.svcgssd is stopped
    rpc.mountd (pid 2716) is running...
    nfsd (pid 2781 2780 2779 2778 2777 2776 2775 2774) is running...
    rpc.rquotad (pid 2712) is running...
    

    This is my iptables rule

    [root@www ~]# cat /etc/sysconfig/iptables
    # Generated by iptables-save v1.4.7 on Thu Oct 31 02:08:16 2013
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [5:388]
    -A INPUT -p tcp -m tcp --dport 111 -j ACCEPT 
    -A INPUT -p tcp -m tcp --dport 2049 -j ACCEPT 
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
    -A INPUT -p icmp -j ACCEPT 
    -A INPUT -i lo -j ACCEPT 
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 
    -A INPUT -j REJECT --reject-with icmp-host-prohibited 
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited 
    COMMIT
    # Completed on Thu Oct 31 02:08:16 2013
    
    

    If I flush the iptables rules on the server machine, then my client is able to see the nfs share

    [root@client ~]# showmount -e 192.168.56.2
    Export list for 192.168.56.2:
    /files 192.168.56.7
    

    That means there is a problem with the iptables rules. Can anybody tell me what is the problem with my iptables rules? Am I missing any other port? How do I troubleshoot these types of problems?

    I tried this method from my client machine to verify whether the port is listening or not, and this is the output of that

    [root@client ~]# telnet 192.168.56.2 111
    Trying 192.168.56.2...
    Connected to 192.168.56.2.
    Escape character is '^]'.
    
    [root@client ~]# telnet 192.168.56.2 2049
    Trying 192.168.56.2...
    Connected to 192.168.56.2.
    Escape character is '^]'.
    
    
  • max (over 10 years ago)
    Before adding the 2 ports, are there any changes I have to make in this file, /etc/sysconfig/nfs?
  • MariusMatutiae (over 10 years ago)
    Not unless you have a non-standard installation.
  • MariusMatutiae (over 10 years ago)
    Please accept my answer if it now works. As for troubleshooting: you have connection, you have credentials (you can log in with no firewall), but you cannot connect with firewall. Hence firewall too restrictive. Looked up what I did on another pc. Otherwise, I could have googled needed ports, something like "NFS iptables ports".
  • MariusMatutiae (over 10 years ago)
    And, BTW, I looked at your ip rules and they were fine, no errors, so only possibility was that you were closing a port needed. Let me add that there is no way to diagnose that, unless you tell iptables to log all connection attempts (and you have not done it). Reason is: remote machine sends connection and thinks: "Everything is OK". Local machine never sees incoming packets, because of firewall. If you want, you can tell iptables to keep a log. Careful: very big file, useful only for debugging.