Notes I wrote about NFS setup I did on RHEL5 recently:
I had found this page:
http://www.redhat.com/docs/manuals/e...onfig-nfs.html
It says:
Quote:
27.1.23. /etc/sysconfig/nfs
NFS requires the portmap, which dynamically assigns ports for RPC services. This causes problems for configuring firewall rules. To overcome this problem, use the /etc/sysconfig/nfs file to control which ports the required RPC services run on.
The /etc/sysconfig/nfs may not exist by default on all systems. If it does not exist, create it and add the following variables (alternatively, if the file exists, un-comment and change the default entries as required):
MOUNTD_PORT="x"
    Controls which TCP and UDP port mountd (rpc.mountd) uses. Replace x with an unused port number.
STATD_PORT="x"
    Controls which TCP and UDP port status (rpc.statd) uses. Replace x with an unused port number.
LOCKD_TCPPORT="x"
    Controls which TCP port nlockmgr (rpc.lockd) uses. Replace x with an unused port number.
LOCKD_UDPPORT="x"
    Controls which UDP port nlockmgr (rpc.lockd) uses. Replace x with an unused port number.
If NFS fails to start, check /var/log/messages. Normally, NFS will fail to start if you specify a port number that is already in use. After editing /etc/sysconfig/nfs restart the NFS service by running the service nfs restart command. Run the rpcinfo -p command to confirm the changes.
To configure a firewall to allow NFS:
1. Allow TCP and UDP port 2049 for NFS.
2. Allow TCP and UDP port 111 (portmap/sunrpc).
3. Allow the TCP and UDP port specified with MOUNTD_PORT="x"
4. Allow the TCP and UDP port specified with STATD_PORT="x"
5. Allow the TCP port specified with LOCKD_TCPPORT="x"
6. Allow the UDP port specified with LOCKD_UDPPORT="x"
Based on that I modified my /etc/sysconfig/nfs to have:
MOUNTD_PORT="4001"
STATD_PORT="4002"
LOCKD_TCPPORT="4003"
LOCKD_UDPPORT="4004"
After doing the above I then ran "service nfs stop" and "service nfs start" to restart.
Verified with "rpcinfo -p" that it was using the expected ports.
The firewall rules I added to /etc/sysconfig/iptables were:
Code:
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 4001 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 4001 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 4002 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 4002 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 4003 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 4003 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 4004 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 4004 -j ACCEPT
All the above I put BEFORE the final line, which I left alone (this is the default final rule; putting rules after it prevents them from working):
Code:
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
Once I had modified that I ran "service iptables restart" to make it load the modified rules.
After that the nfs mount on a remote host worked fine.
Note that the above work was all done on the server from which the filesystem was being exported/shared, not on the one doing the nfs mount.
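The following script is an added example and is not part of the original post or of Red Hat's documentation. It automates the two checks the procedure above relies on: that each RPC service really registered on the port pinned in /etc/sysconfig/nfs (the "rpcinfo -p" verification step), and that the iptables rules opened for it are exactly the six the Red Hat doc lists. The /etc/sysconfig/nfs body and the rpcinfo -p output are constructed samples embedded inline so the script runs offline; on a real RHEL5 host you would feed it "$(cat /etc/sysconfig/nfs)" and "$(rpcinfo -p)" instead. Note that the generated rule set follows steps 5 and 6 of the doc literally, opening LOCKD_TCPPORT for TCP only and LOCKD_UDPPORT for UDP only, which is a slightly tighter firewall than the rules in the post, where 4003 and 4004 are each opened for both protocols.

```shell
#!/bin/sh
# Added example (not from the original post). Verifies that the RPC services
# named in /etc/sysconfig/nfs are registered on their pinned ports and emits the
# minimal iptables rules for them. Samples below are constructed, not captured.

# Constructed sample of /etc/sysconfig/nfs, using the values from the post.
SAMPLE_NFS_CONF='MOUNTD_PORT="4001"
STATD_PORT="4002"
LOCKD_TCPPORT="4003"
LOCKD_UDPPORT="4004"'

# Constructed sample of "rpcinfo -p" output as expected after "service nfs restart".
SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp   4001  mountd
    100005    1   tcp   4001  mountd
    100024    1   udp   4002  status
    100024    1   tcp   4002  status
    100021    1   udp   4004  nlockmgr
    100021    1   tcp   4003  nlockmgr
    100003    2   tcp   2049  nfs
    100003    2   udp   2049  nfs'

# conf_value CONF VAR -> numeric value of VAR="x" in a sysconfig-style body
# (commented-out lines such as #MOUNTD_PORT= are ignored by the ^ anchor).
conf_value() {
    printf '%s\n' "$1" | sed -n "s/^$2=\"*\([0-9][0-9]*\)\"*.*/\1/p" | head -n 1
}

# rpc_port RPCINFO SERVICE PROTO -> port SERVICE is registered on for PROTO, or empty
rpc_port() {
    printf '%s\n' "$1" | awk -v svc="$2" -v proto="$3" '$5 == svc && $3 == proto { print $4; exit }'
}

# check_ports CONF RPCINFO -> one line per expected binding; returns 1 if any
# service is missing or registered on a port other than the configured one.
check_ports() {
    conf=$1; info=$2; rc=0
    for spec in "mountd tcp MOUNTD_PORT" "mountd udp MOUNTD_PORT" \
                "status tcp STATD_PORT" "status udp STATD_PORT" \
                "nlockmgr tcp LOCKD_TCPPORT" "nlockmgr udp LOCKD_UDPPORT"; do
        set -- $spec
        want=$(conf_value "$conf" "$3"); got=$(rpc_port "$info" "$1" "$2")
        if [ -n "$want" ] && [ "$want" = "$got" ]; then
            echo "ok: $1/$2 on $got"
        else
            echo "MISMATCH: $1/$2 expected '${want:-unset}', rpcinfo shows '${got:-none}'"
            rc=1
        fi
    done
    return $rc
}

# rule PROTO PORT -> one line in the /etc/sysconfig/iptables style used in the post
rule() {
    echo "-A RH-Firewall-1-INPUT -m state --state NEW -m $1 -p $1 --dport $2 -j ACCEPT"
}

# firewall_rules CONF -> the rules for steps 1-6 of the Red Hat doc: nfs and
# portmap on both protocols, mountd and statd on both, lockd one protocol each.
firewall_rules() {
    conf=$1
    rule tcp 2049; rule udp 2049
    rule tcp 111;  rule udp 111
    m=$(conf_value "$conf" MOUNTD_PORT); rule tcp "$m"; rule udp "$m"
    s=$(conf_value "$conf" STATD_PORT);  rule tcp "$s"; rule udp "$s"
    rule tcp "$(conf_value "$conf" LOCKD_TCPPORT)"
    rule udp "$(conf_value "$conf" LOCKD_UDPPORT)"
}

# Stand-alone run against the constructed samples.
check_ports "$SAMPLE_NFS_CONF" "$SAMPLE_RPCINFO"
firewall_rules "$SAMPLE_NFS_CONF"
```

The generated lines are meant to be pasted above the trailing "-A RH-Firewall-1-INPUT -j REJECT" rule, as the post describes; a MISMATCH line from check_ports is the signal to look in /var/log/messages for a port already in use before touching the firewall at all.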