Tutorial – Configure IPTables for NFS Server on CentOS 6

This tutorial will take you through configuring iptables to allow client connections to your NFS service.
Allowing access to your NFS shares isn’t as simple as opening up a single protocol/port combo. There’s a quite a number of different ports required utilizing both TCP and UDP. We also need to make our lives easier to statically setting the ports for some of the NFS related services.
[box type="info"] Just note that this document assumes CentOS 6 for all example code and references. Syntax, file locations and codes may vary based on your distribution.[/box]

Step 1: Configure NFS Ports

The NFS service uses the RPC Bind service to advertise the protocols/ports it’s using. To make our iptables config nice and clean, we’ll statically configure these ports rather than leave it up to the RPC God to decide.
Edit the NFS port definitions file

1	vi /etc/sysconfig/nfs

Un-comment the following lines and save the file.

1 2 3

LOCKD_TCPPORT=32803 LOCKD_UDPPORT=32769 MOUNTD_PORT=892

Now restart the NFS and RPC Bind services

1 2	service rpcbind restart service nfs restart

Step 2: Configure IPTables

At this point, if you tried to run “rpcinfo -p server1″ or “showmount -e server1″ you’ll get errors

1 2	# rpcinfo -p server1 rpcinfo: can't contact portmapper: RPC: Remote system error - No route to host

1 2	# showmount -e server1 clnt_create: RPC: Port mapper failure - Unable to receive: errno 113 (No route to host)

Lets go about sticking 2 new rules at the beginning of the INPUT chain that allows our NFS and RPC services to work.

1 2 3 4 5

iptables -I INPUT -m state --state NEW -p tcp \     -m multiport --dport 111,892,2049,32803 -s 192.168.0.0/24 -j ACCEPT   iptables -I INPUT -m state --state NEW -p udp \     -m multiport --dport 111,892,2049,32769 -s 192.168.0.0/24 -j ACCEPT

[box type=info] In some circumstances it is required to restart the NFS service after the firewall changes have been made.[/box]
Lets check those showmount and rcpinfo commands again

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34

# rpcinfo -p server1    program vers proto   port  service     100000    4   tcp    111  portmapper     100000    3   tcp    111  portmapper     100000    2   tcp    111  portmapper     100000    4   udp    111  portmapper     100000    3   udp    111  portmapper     100000    2   udp    111  portmapper     100011    1   udp    875  rquotad     100011    2   udp    875  rquotad     100011    1   tcp    875  rquotad     100011    2   tcp    875  rquotad     100005    1   udp    892  mountd     100005    1   tcp    892  mountd     100005    2   udp    892  mountd     100005    2   tcp    892  mountd     100005    3   udp    892  mountd     100005    3   tcp    892  mountd     100003    2   tcp   2049  nfs     100003    3   tcp   2049  nfs     100003    4   tcp   2049  nfs     100227    2   tcp   2049  nfs_acl     100227    3   tcp   2049  nfs_acl     100003    2   udp   2049  nfs     100003    3   udp   2049  nfs     100003    4   udp   2049  nfs     100227    2   udp   2049  nfs_acl     100227    3   udp   2049  nfs_acl     100021    1   udp  32769  nlockmgr     100021    3   udp  32769  nlockmgr     100021    4   udp  32769  nlockmgr     100021    1   tcp  32803  nlockmgr     100021    3   tcp  32803  nlockmgr     100021    4   tcp  32803  nlockmgr

1 2 3

# showmount -e server1 Export list for server1: /data/nfs 192.168.0.0/24

….looking good! Lets save our iptables config to make it persistent through reboots

1	service iptables save

Step 3: Mount the NFS Share

Now that all the hard stuff is out of the way, lets mount our NFS share. So from your client machine attempt to mount

1	mount -t nfs server1:/data/nfs /mnt/

The mount command, when successful, won’t output any messages.


http://gengwg.blogspot.com/