LinuxQuestions.org, Linux - Networking forum
Old 09-12-2008, 10:46 AM   #1
jnojr
NFS through iptables


I've set up an NFS server, and need to lock it down tight with iptables. I've made this work through a "third party" firewall (appending all rules to FORWARD; the NFS server and client are on different hosts from each other and from the firewall). But I'm stuck with iptables on the same host as the NFS server.

I went into /etc/sysconfig/nfs and locked down the ports:

[root@offshore-dev ~]# cat /etc/sysconfig/nfs | grep -v ^#
RQUOTAD="/usr/sbin/rpc.rquotad"
RQUOTAD_PORT=4001
LOCKD_TCPPORT=4002
LOCKD_UDPPORT=4002
MOUNTD_PORT=4003
STATD_PORT=4004
STATD_OUTGOING_PORT=4005

With iptables flushed and all policies ACCEPT, I get:

[root@offshore-dev ~]# rpcinfo -p
program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100011 1 udp 4001 rquotad
100011 2 udp 4001 rquotad
100011 1 tcp 4001 rquotad
100011 2 tcp 4001 rquotad
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100003 4 udp 2049 nfs
100021 1 udp 4002 nlockmgr
100021 3 udp 4002 nlockmgr
100021 4 udp 4002 nlockmgr
100021 1 tcp 4002 nlockmgr
100021 3 tcp 4002 nlockmgr
100021 4 tcp 4002 nlockmgr
100003 2 tcp 2049 nfs
100003 3 tcp 2049 nfs
100003 4 tcp 2049 nfs
100005 1 udp 4003 mountd
100005 1 tcp 4003 mountd
100005 2 udp 4003 mountd
100005 2 tcp 4003 mountd
100005 3 udp 4003 mountd
100005 3 tcp 4003 mountd
100024 1 udp 4004 status
100024 1 tcp 4004 status

When I start iptables with:

$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT

$IPTABLES -A INPUT -p tcp -s $ip --dport 111 -j ACCEPT
$IPTABLES -A INPUT -p udp -s $ip --dport 111 -j ACCEPT
$IPTABLES -A INPUT -p tcp -s $ip --dport 2049 -j ACCEPT
$IPTABLES -A INPUT -p udp -s $ip --dport 2049 -j ACCEPT
$IPTABLES -A INPUT -p tcp -s $ip --dport 4000:4005 -j ACCEPT
$IPTABLES -A INPUT -p udp -s $ip --dport 4000:4005 -j ACCEPT

it no longer works. "rpcinfo -p" hangs, and a remote client that is allowed by the rules cannot mount the share. I can't help but think this has to be an issue with outbound traffic, not inbound, but my OUTPUT policy is ACCEPT.

Any ideas?
 
Old 09-12-2008, 11:05 AM   #2
MensaWater
Notes I wrote about an NFS setup I did on RHEL5 recently:

I had found this page:
http://www.redhat.com/docs/manuals/e...onfig-nfs.html

It says:

Quote:
27.1.23. /etc/sysconfig/nfs

NFS requires the portmap, which dynamically assigns ports for RPC services. This causes problems for configuring firewall rules. To overcome this problem, use the /etc/sysconfig/nfs file to control which ports the required RPC services run on.

The /etc/sysconfig/nfs may not exist by default on all systems. If it does not exist, create it and add the following variables (alternatively, if the file exists, un-comment and change the default entries as required):

MOUNTD_PORT="x"
control which TCP and UDP port mountd (rpc.mountd) uses. Replace x with an unused port number.

STATD_PORT="x"
control which TCP and UDP port status (rpc.statd) uses. Replace x with an unused port number.

LOCKD_TCPPORT="x"
control which TCP port nlockmgr (rpc.lockd) uses. Replace x with an unused port number.

LOCKD_UDPPORT="x"
control which UDP port nlockmgr (rpc.lockd) uses. Replace x with an unused port number.

If NFS fails to start, check /var/log/messages. Normally, NFS will fail to start if you specify a port number that is already in use. After editing /etc/sysconfig/nfs restart the NFS service by running the service nfs restart command. Run the rpcinfo -p command to confirm the changes.

To configure a firewall to allow NFS:

1. Allow TCP and UDP port 2049 for NFS.
2. Allow TCP and UDP port 111 (portmap/sunrpc).
3. Allow the TCP and UDP port specified with MOUNTD_PORT="x"
4. Allow the TCP and UDP port specified with STATD_PORT="x"
5. Allow the TCP port specified with LOCKD_TCPPORT="x"
6. Allow the UDP port specified with LOCKD_UDPPORT="x"
Based on that I modified my /etc/sysconfig/nfs to have:
MOUNTD_PORT="4001"
STATD_PORT="4002"
LOCKD_TCPPORT="4003"
LOCKD_UDPPORT="4004"
After doing the above I then ran "service nfs stop" and "service nfs start" to restart.

Verified with "rpcinfo -p" that it was using the expected ports.

The firewall rules I added to /etc/sysconfig/iptables were:
Code:
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 4001 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 4001 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 4002 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 4002 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 4003 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 4003 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 4004 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 4004 -j ACCEPT

All the above I put BEFORE the final line, which I left alone (this is the default final rule; putting rules after it prevents them from working):
Code:
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

Once I had modified that I ran "service iptables restart" to make it load the modified rules.

After that the nfs mount on a remote host worked fine.

Note that the above work was all done on the server on which the filesystem was being exported/shared from and not the one that was doing the nfs mount.
 
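The procedure in the post above (pin the RPC side-car ports in /etc/sysconfig/nfs, confirm with rpcinfo -p, then allow exactly those ports) can be scripted so the firewall rules are derived from what rpcinfo actually reports instead of typed by hand. The following is an added example, not code from the thread or from the Red Hat documentation it quotes. It parses a constructed rpcinfo -p listing modelled on the one in post #1, refuses to continue if any RPC service still sits outside 111, 2049 and the pinned range, and prints source-restricted iptables rules. It also adds two rules the rules in post #1 do not have and that matter once the INPUT policy is DROP: an accept for the loopback interface (a local rpcinfo -p talks to 127.0.0.1:111 and otherwise hangs) and an ESTABLISHED,RELATED accept so replies to the server's own outbound connections get back in. The client address 192.0.2.10 and the 4000-4005 range are assumptions for illustration; as post #3 shows, the -s address has to be the one the client really sources packets from.

```shell
#!/bin/sh
# Added example: derive NFSv3 iptables rules from "rpcinfo -p" output.
# Not from the thread; the sample listing below is constructed.

# Constructed sample of "rpcinfo -p" output (ports pinned to 4001-4004).
SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100011    1   udp   4001  rquotad
    100003    2   tcp   2049  nfs
    100003    3   udp   2049  nfs
    100021    1   udp   4002  nlockmgr
    100021    1   tcp   4002  nlockmgr
    100005    3   tcp   4003  mountd
    100005    3   udp   4003  mountd
    100024    1   udp   4004  status
    100024    1   tcp   4004  status'

# Read "rpcinfo -p" output on stdin, print unique "proto port" pairs.
rpc_endpoints() {
    awk 'NR > 1 && NF >= 5 { print $3, $4 }' | sort -u
}

# usage: check_pinned LOW HIGH < rpcinfo_output
# Exit 1 and name the offender if an endpoint is outside 111, 2049 or LOW-HIGH,
# i.e. a daemon is still on a dynamically assigned port.
check_pinned() {
    low=$1; high=$2
    rpc_endpoints | awk -v low="$low" -v high="$high" '
        $2 == 111 || $2 == 2049 { next }
        $2 >= low && $2 <= high { next }
        { print "unpinned RPC endpoint: " $1 "/" $2; bad = 1 }
        END { if (bad) exit 1; exit 0 }'
}

# usage: gen_rules CLIENT < rpcinfo_output
# Print iptables commands: DROP policy, loopback and conntrack accepts, then
# one NEW-state accept per RPC endpoint restricted to CLIENT (assumed address).
gen_rules() {
    client=$1
    echo "iptables -P INPUT DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    rpc_endpoints | while read -r proto port; do
        echo "iptables -A INPUT -p $proto -s $client --dport $port -m state --state NEW -j ACCEPT"
    done
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_RPCINFO" | check_pinned 4000 4005 \
    && printf '%s\n' "$SAMPLE_RPCINFO" | gen_rules 192.0.2.10
```

On the export server this is used as `rpcinfo -p | check_pinned 4000 4005 && rpcinfo -p | gen_rules 10.0.0.5/32 | sh`, with the real client address. The check step is the one worth keeping even if the rules are written by hand: nfs restarts silently fall back to a dynamic port if a pinned port is already in use, and the firewall then blocks lockd or mountd without any obvious error. NFSv4 clients need only 2049/tcp; everything else in the list exists for the NFSv3 side-car daemons.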
Old 09-12-2008, 02:12 PM   #3
jnojr
In my case, this turned out to be something really dumb... I had allowed the IP of the machine I was testing NFS from, forgetting that weeks ago I had moved that IP to a sub-interface and renumbered the primary interface. Once I allowed the address eth0 was configured with, it worked perfectly.
 
  

