Hi.
I have an Oracle Linux 6.1 (clone of Red Hat) server on which I have an NFS 4 share configured.
The server's IP is 10.10.10.43 on eth0, and I have an IP alias/VIP 10.10.10.103 on eth0:1, which is on the same subnet.
Code:
10.10.10.43 ux061t # nodename
10.10.10.103 nfs-b # VIP for NFS
I want to have it so that clients can only attach to NFS when talking to 10.10.10.103, but can't quite get it to work and could use a bit of help.
My /etc/exports is:
Code:
/app/share *(ro,sync,no_subtree_check,fsid=0)
/app/share/nfs-b 10.10.10.*/23(rw,sync,no_subtree_check,root_squash,fsid=1)
I've got NFS set to only use NFS 4 and to run over the usual specific ports (by uncommenting the appropriate lines in /etc/sysconfig/nfs).
Code:
LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
RPCNFSDARGS="-N 2 -N 3"
MOUNTD_PORT=892
STATD_PORT=662
I've configured iptables to allow clients to connect from my subnet and have attempted to restrict the interface used by specifying -i and -d options (NB. iptables doesn't support specifying "-i eth0:1", which would have been great).
Code:
-A INPUT -m state --state NEW -p udp -m udp --dport 111 -i eth0 -d 10.10.10.103/23 -s 10.10.10.0/23 -j ACCEPT
-A INPUT -m state --state NEW -p tcp -m tcp --dport 111 -i eth0 -d 10.10.10.103/23 -s 10.10.10.0/23 -j ACCEPT
-A INPUT -m state --state NEW -p udp -m udp --dport 662 -i eth0 -d 10.10.10.103/23 -s 10.10.10.0/23 -j ACCEPT
-A INPUT -m state --state NEW -p tcp -m tcp --dport 662 -i eth0 -d 10.10.10.103/23 -s 10.10.10.0/23 -j ACCEPT
-A INPUT -m state --state NEW -p udp -m udp --dport 875 -i eth0 -d 10.10.10.103/23 -s 10.10.10.0/23 -j ACCEPT
-A INPUT -m state --state NEW -p tcp -m tcp --dport 875 -i eth0 -d 10.10.10.103/23 -s 10.10.10.0/23 -j ACCEPT
-A INPUT -m state --state NEW -p udp -m udp --dport 892 -i eth0 -d 10.10.10.103/23 -s 10.10.10.0/23 -j ACCEPT
-A INPUT -m state --state NEW -p tcp -m tcp --dport 892 -i eth0 -d 10.10.10.103/23 -s 10.10.10.0/23 -j ACCEPT
-A INPUT -m state --state NEW -p udp -m udp --dport 2049 -i eth0 -d 10.10.10.103/23 -s 10.10.10.0/23 -j ACCEPT
-A INPUT -m state --state NEW -p tcp -m tcp --dport 2049 -i eth0 -d 10.10.10.103/23 -s 10.10.10.0/23 -j ACCEPT
-A INPUT -m state --state NEW -p udp -m udp --dport 32769 -i eth0 -d 10.10.10.103/23 -s 10.10.10.0/23 -j ACCEPT
-A INPUT -m state --state NEW -p tcp -m tcp --dport 32803 -i eth0 -d 10.10.10.103/23 -s 10.10.10.0/23 -j ACCEPT
I can mount filesystems on a client, either manually, via fstab entries, or via the automounter.
But the issue I have is that clients can mount from either the server's IP or the VIP.
Code:
nfs-b:/nfs-b 20G 3.7G 15G 20% /tmp/good
ux061t:/nfs-b 20G 3.7G 15G 20% /tmp/bad
I want to make it so only the VIP can be used.
The background is that we need to be able to move the share to another host, either manually or under cluster control, and whilst we could attempt to impose a discipline where the clients must specify the VIP, I want to be absolutely certain that only the VIP is used and that attempted mounts using the underlying servername or IP address fail.
It would be great to get some pointers on this - thanks!
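An added example, not part of the original post or any reply to it: a small POSIX shell script that reproduces the poster's rule set in both its posted form and a destination-pinned form, and works out which addresses each `-d` match actually covers. The addresses, interface and port list are the ones quoted in the post; the function names (`emit_rules`, `weak_rules`, `fixed_rules`, `in_cidr`, `cidr_range`) are this example's own, and it assumes the INPUT chain's default policy drops whatever these rules do not accept. The point it makes: `/etc/exports` can only restrict by client address, so the server-side address a client is allowed to mount through has to be enforced in the firewall, and a `/23` mask on `-d 10.10.10.103` is a subnet match that includes `10.10.10.43`, which is why mounts against the node name still succeed.

```shell
#!/bin/sh
# Added example: compare the posted NFSv4 INPUT rules with a destination-pinned
# version. Assumed values are taken from the post; the function names are ours.

NFS_VIP="10.10.10.103"        # VIP on eth0:1 (from the post)
NODE_IP="10.10.10.43"         # primary address on eth0 (from the post)
CLIENT_NET="10.10.10.0/23"    # client subnet allowed to connect
NFS_PORTS="111 662 875 892 2049 32769 32803"   # ports opened in the post

# Emit one ACCEPT rule per port/protocol pair in iptables-save syntax.
# $1 is the destination match. Emits udp and tcp for every port (the post
# only opens lockd's udp and tcp ports separately; this is a simplification).
emit_rules() {
    dst="$1"
    for port in $NFS_PORTS; do
        for proto in udp tcp; do
            printf -- '-A INPUT -m state --state NEW -p %s -m %s --dport %s -i eth0 -d %s -s %s -j ACCEPT\n' \
                "$proto" "$proto" "$port" "$dst" "$CLIENT_NET"
        done
    done
}

# Posted form: a /23 mask applied to the VIP, i.e. a subnet match.
weak_rules()  { emit_rules "$NFS_VIP/23"; }
# Pinned form: a /32 mask, so only packets addressed to the VIP are accepted.
fixed_rules() { emit_rules "$NFS_VIP/32"; }

# Dotted-quad IPv4 address to a 32-bit integer (pure shell arithmetic).
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# 32-bit integer back to dotted quad.
int_to_ip() {
    printf '%d.%d.%d.%d' $(( ($1 >> 24) & 255 )) $(( ($1 >> 16) & 255 )) \
                         $(( ($1 >> 8) & 255 ))  $(( $1 & 255 ))
}

# Netmask integer for a prefix length 0..32.
prefix_mask() {
    echo $(( $1 == 0 ? 0 : (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# in_cidr ADDR NET/BITS -> exit status 0 if ADDR is matched by NET/BITS,
# which is exactly the test iptables applies for "-d NET/BITS".
in_cidr() {
    net="${2%/*}"; bits="${2#*/}"
    mask=$(prefix_mask "$bits")
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# cidr_range NET/BITS -> "first-last" address actually covered by the match.
cidr_range() {
    net="${1%/*}"; bits="${1#*/}"
    mask=$(prefix_mask "$bits")
    lo=$(( $(ip_to_int "$net") & mask ))
    hi=$(( lo | (~mask & 0xFFFFFFFF) ))
    printf '%s-%s\n' "$(int_to_ip "$lo")" "$(int_to_ip "$hi")"
}

# Demonstration: show what each -d match covers and whether the node IP
# slips through it. Wrapped in "if" so a non-match does not abort the script.
for match in "$NFS_VIP/23" "$NFS_VIP/32"; do
    printf '%-20s covers %s; ' "-d $match" "$(cidr_range "$match")"
    if in_cidr "$NODE_IP" "$match"; then
        echo "traffic to $NODE_IP is ACCEPTED (mounts via node name still work)"
    else
        echo "traffic to $NODE_IP is NOT accepted (mounts via node name fail)"
    fi
done
```

To apply the pinned set, the output of `fixed_rules` can be pasted into the `*filter` section of an `iptables-save` dump and loaded with `iptables-restore`, or each line can be run as `iptables <line>`; with the rules pinned to `/32`, a client that mounts `ux061t:/nfs-b` gets no answer on 2049 because the packet's destination is `10.10.10.43`, while `nfs-b:/nfs-b` keeps working. The `-s 10.10.10.0/23` client restriction is unchanged, and `/etc/exports` stays as the second, client-side layer.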