This is not too hard to do. On your Ubuntu server, set the default policy for the INPUT and OUTPUT chains to DROP, turn off IP forwarding, and then in the INPUT and OUTPUT chains, write rules that explicitly allow NFS and SSH traffic:
Code:
# run as root
iptables -F INPUT
iptables -F OUTPUT
iptables -P INPUT DROP
iptables -P OUTPUT DROP
# inbound SSH: sshd on this server listens on port 22
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# packets belonging to connections that were already allowed
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
# portmapper (111) and nfsd (2048, 2049); --ports matches either source or destination port
iptables -A INPUT -p tcp -m multiport --ports 111,2048,2049 -j ACCEPT
iptables -A INPUT -p udp -m multiport --ports 111,2048,2049 -j ACCEPT
# sshd's replies leave this server from source port 22
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --ports 111,2048,2049 -j ACCEPT
iptables -A OUTPUT -p udp -m multiport --ports 111,2048,2049 -j ACCEPT
I think I have gotten all the necessary ports: 111 is for rpcd, which nfsd needs, and 2048 and 2049 are for nfsd.
If things don't work, add a line at the bottom of each chain with a LOG target. This will write a line in /var/log/messages whenever a packet arrives that will be dropped. That way you can see what ports and protocols are in use when a particular operation fails.
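The LOG lines described above are easier to act on when summarized by protocol and destination port than when read one by one, especially since NFSv3 helper daemons (mountd, statd, lockd) take rpcbind-assigned ports unless they are pinned in the NFS configuration, so a client's mount can fail on a port that is not in the allow list. The script below is an added example and not part of the original post; it parses constructed sample /var/log/messages lines in the format the LOG target writes, counts drops per chain, protocol and port, and separates drops from the expected NFS client from drops from other hosts (which indicate noise or probing rather than a missing rule). The "NFS-DROP-IN:" and "NFS-DROP-OUT:" prefixes are assumed to come from `--log-prefix` on the LOG rules; the addresses and timestamps are made up.

```python
import re
from collections import Counter

# Constructed sample lines in the format the iptables LOG target writes to
# /var/log/messages. The prefixes are assumed to come from rules such as:
#   iptables -A INPUT  -j LOG --log-prefix "NFS-DROP-IN: "
#   iptables -A OUTPUT -j LOG --log-prefix "NFS-DROP-OUT: "
# The last line is an unrelated sshd message and must be ignored by the parser.
SAMPLE_LOG = """\
Jan  5 10:22:01 nfs1 kernel: [  512.001] NFS-DROP-IN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=192.0.2.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40210 DPT=32803 WINDOW=29200 RES=0x00 SYN URGP=0
Jan  5 10:22:01 nfs1 kernel: [  512.002] NFS-DROP-IN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=192.0.2.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=40211 DPT=32803 WINDOW=29200 RES=0x00 SYN URGP=0
Jan  5 10:22:03 nfs1 kernel: [  514.120] NFS-DROP-IN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=192.0.2.20 LEN=128 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=UDP SPT=631 DPT=32769 LEN=108
Jan  5 10:22:05 nfs1 kernel: [  516.300] NFS-DROP-OUT: IN= OUT=eth0 SRC=192.0.2.20 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
Jan  5 10:22:06 nfs1 kernel: [  517.000] NFS-DROP-IN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.20 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=5 PROTO=TCP SPT=55000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Jan  5 10:22:07 nfs1 sshd[2201]: Accepted publickey for admin from 192.0.2.10 port 50022 ssh2
"""

# Every LOG line carries "<prefix>: IN=" followed by SRC/DST and PROTO; SPT/DPT
# are only present for TCP and UDP, so that part of the pattern is optional.
LOG_RE = re.compile(
    r"(?P<prefix>[A-Z][A-Z0-9_-]*): IN="
    r".*?SRC=(?P<src>\S+) DST=(?P<dst>\S+)"
    r".*?PROTO=(?P<proto>\S+)"
    r"(?: .*?SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)


def parse_drops(log_text):
    """Return one dict per firewall LOG line; lines from other daemons are skipped."""
    records = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["spt"] = int(rec["spt"]) if rec["spt"] else None
        rec["dpt"] = int(rec["dpt"]) if rec["dpt"] else None
        records.append(rec)
    return records


def summarize(records):
    """Count drops per (log prefix, protocol, destination port), most frequent first."""
    counts = Counter((r["prefix"], r["proto"], r["dpt"]) for r in records)
    return sorted(
        counts.items(),
        key=lambda kv: (-kv[1], kv[0][0], kv[0][1], str(kv[0][2])),
    )


def unexpected_sources(records, allowed_clients):
    """Inbound drops from hosts other than the known NFS clients: not a missing rule."""
    return sorted(
        {r["src"] for r in records
         if r["prefix"].endswith("-IN") and r["src"] not in allowed_clients}
    )


if __name__ == "__main__":
    drops = parse_drops(SAMPLE_LOG)
    for (prefix, proto, dpt), n in summarize(drops):
        print(f"{n:4d}  {prefix:<13} {proto:<5} dport={dpt}")
    print("drops from hosts that are not NFS clients:",
          unexpected_sources(drops, {"192.0.2.10"}))
```

On the sample above the two TCP drops to port 32803 from the NFS client are the ones worth investigating (a candidate for a missing mountd/lockd port), the ICMP drop in OUTPUT shows the server's own pings are blocked by the DROP policy, and the drop to port 23 from an unrelated address should be left dropped.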