[SOLVED] Unable to mount NFS with iptables

procfs · 06-15-2016, 12:22 PM

Hi Below is my environment

CentOS release 6.8 (Final)
NFS 1:1.2.3-70.el6

export file is as -
/exp_fs *(rw,async,no_root_squash,no_subtree_check)

I can mount this while iptables are down on the server but as soon as I start I am getting an rpc error when I do showmount.

below are my iptables rules, what am I doing wrong

-A INPUT -s 172.16.10.0/24 -p udp -m state --state NEW -m udp --dport 111 -j ACCEPT
-A INPUT -s 172.16.10.0/24 -p tcp -m state --state NEW -m tcp --dport 111 -j ACCEPT
-A INPUT -s 172.16.10.0/24 -p tcp -m state --state NEW -m tcp --dport 2049 -j ACCEPT
-A INPUT -s 172.16.10.0/24 -p tcp -m state --state NEW -m tcp --dport 32803 -j ACCEPT
-A INPUT -s 172.16.10.0/24 -p udp -m state --state NEW -m udp --dport 32769 -j ACCEPT
-A INPUT -s 172.16.10.0/24 -p tcp -m state --state NEW -m tcp --dport 892 -j ACCEPT
-A INPUT -s 172.16.10.0/24 -p udp -m state --state NEW -m udp --dport 892 -j ACCEPT
-A INPUT -s 172.16.10.0/24 -p tcp -m state --state NEW -m tcp --dport 875 -j ACCEPT
-A INPUT -s 172.16.10.0/24 -p udp -m state --state NEW -m udp --dport 875 -j ACCEPT
-A INPUT -s 172.16.10.0/24 -p tcp -m state --state NEW -m tcp --dport 662 -j ACCEPT
-A INPUT -s 172.16.10.0/24 -p udp -m state --state NEW -m udp --dport 662 -j ACCEPT

Thanks and Regards

tshikose · 06-15-2016, 01:30 PM

Hi,

NFS (at least old version) relies on additional random ports to work.
If I remember correctly, they are commented through out the /etc/sysconfig/nfs configuration file.
Edit it, uncomment the port lines. And make sure you allow them all in your iptables INPUT rules.

Sorry, I am not accurate, long time I worked on RHEL 6 or clones.
My suggestion is: upgrade to CentOS 7.

tshikose · 06-15-2016, 01:31 PM

I think you also need to allow 2049/udp port as some old NFS clients work on UDP.

lazydog · 06-15-2016, 01:56 PM

This might help you.

Tutorial – Configure IPTables for NFS Server on CentOS 6

procfs · 06-15-2016, 10:32 PM

Hi Guys, thank you for the reply and I just got back to off and will try and updat you

Thanks and Best Regards

procfs · 06-15-2016, 11:40 PM

Hi Guys your replies helped me to narrow down the matter, the problem was the placing of the reject all rual

,

-A INPUT -j REJECT --reject-with icmp-host-prohibited

Thank you and best of regards

lazydog · 06-16-2016, 09:48 AM

That is your last rule? If things got that far you are missing other rules that are needed.

Post your firewall rules and we will see if we can figure out where the problem lies.

procfs · 06-27-2016, 03:17 AM

Hi Lazboy, this I overlooked fault on my side

Thanks and Best Regards