Wednesday, December 19, 2007

Export NFS through Firewall

rpcinfo -p lists the ports the NFS-related RPC services are currently registered on.

Copied the following from http://linux.derkeiler.com/Mailing-Lists/Fedora/2007-07/msg02399.html:

1) You must have ports 2049 tcp+udp and 111 tcp+udp open in the nfs
server firewall to allow clients to talk to nfs and portmap, respectively.

2) There are a number of other daemons on the server, associated with
nfs, namely rpc.statd, rpc.lockd, rpc.mountd and rpc.rquotad. These must
also be accessible to the clients. By default these start on random
ports, which the firewall couldn't care less about. So to allow clients
to get to the rpc services you must
2a) force the rpc services to start on pre-assigned ports of your
choice, like 4000 to 4003.
2b) open ports 4000-4003 tcp+udp in the firewall (or whatever
ports you used at (2a)).


Now, here is how you do all this. You implement 2a by creating a file
/etc/sysconfig/nfs with the following contents:

STATD_PORT=4000
LOCKD_TCPPORT=4001
LOCKD_UDPPORT=4001
MOUNTD_PORT=4002
RQUOTAD_PORT=4003

Restart nfs.


The rest is opening ports into the server firewall, which is a separate
matter. On the server, something like

/sbin/iptables -I RH-Firewall-1-INPUT 10 -s 192.168.1.0/255.255.255.0 -p tcp -m state --state NEW -m tcp --dport 4000:4003 -j ACCEPT

will insert a rule at position 10 (if 10 is the position you want) in the
RH firewall that opens the range 4000-4003 for incoming tcp connections
from the local network. Then run the above command again with udp instead
of tcp. Do the same (tcp+udp) for ports 111 and 2049. Finally, save the
new firewall configuration

/sbin/iptables-save > /etc/sysconfig/iptables   # after backing up the old /etc/sysconfig/iptables first

and restart iptables

/etc/rc.d/init.d/iptables restart
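
The whole procedure above, steps 1 through 2b plus the firewall rules, as an added shell example that is not from the original post or the mailing-list message. It does two things a practitioner wants before trusting the setup: it checks rpcinfo -p output to confirm that statd, lockd (registered as "nlockmgr"), mountd and rquotad really landed on the pinned ports after the restart, and it prints the full set of iptables commands (tcp and udp, ports 111, 2049 and 4000-4003). The network 192.168.1.0/24 and the ports follow the post; the rpcinfo samples are constructed, and the chain name is a parameter because RH-Firewall-1-INPUT only exists on RH/Fedora-style firewalls.

```shell
#!/bin/sh
# Added example, not part of the original post or the mailing-list message:
# verify `rpcinfo -p` output against the ports pinned in /etc/sysconfig/nfs
# and print the iptables rules the server needs.

# Constructed sample of `rpcinfo -p` on a server where the ports were
# pinned as in the post and nfs was restarted (not captured from a real host).
SAMPLE_GOOD='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp   4000  status
    100024    1   tcp   4000  status
    100021    1   udp   4001  nlockmgr
    100021    1   tcp   4001  nlockmgr
    100005    1   udp   4002  mountd
    100005    1   tcp   4002  mountd
    100011    1   udp   4003  rquotad
    100011    1   tcp   4003  rquotad
    100003    2   udp   2049  nfs
    100003    2   tcp   2049  nfs'

# Constructed sample of a server that was NOT restarted after editing
# /etc/sysconfig/nfs: lockd still sits on a random port and rquotad is gone.
SAMPLE_BAD='   program vers proto   port
    100000    2   tcp    111  portmapper
    100024    1   udp   4000  status
    100021    1   udp  32768  nlockmgr
    100021    1   tcp  32768  nlockmgr
    100005    1   tcp   4002  mountd
    100003    2   tcp   2049  nfs'

# rpc_ports SERVICE   (rpcinfo -p output on stdin)
# Print the distinct ports SERVICE is registered on, one per line;
# prints nothing if the service is not registered at all.
rpc_ports() {
    awk -v svc="$1" '$5 == svc { print $4 }' | sort -un
}

# check_pinned   (rpcinfo -p output on stdin)
# Compare the four daemons that normally take random ports against the
# ports the firewall opens. Prints one WARN line per mismatch and returns
# non-zero if any daemon would be unreachable through the firewall.
check_pinned() {
    input=$(cat)
    rc=0
    for pair in status:4000 nlockmgr:4001 mountd:4002 rquotad:4003; do
        svc=${pair%%:*}
        want=${pair##*:}
        got=$(printf '%s\n' "$input" | rpc_ports "$svc")
        if [ "$got" != "$want" ]; then
            echo "WARN: $svc registered on '${got:-nothing}', firewall expects $want"
            rc=1
        fi
    done
    return $rc
}

# nfs_rules NETWORK CHAIN
# Print the iptables commands from the post for both tcp and udp: the
# pinned range plus portmap (111) and nfs (2049). Rules are appended (-A)
# rather than inserted at a fixed position, because the right position
# depends on the chain already in place; change to "-I CHAIN N" if needed.
nfs_rules() {
    net="$1"
    chain="$2"
    for dport in 111 2049 4000:4003; do
        for proto in tcp udp; do
            echo "/sbin/iptables -A $chain -s $net -p $proto -m state --state NEW --dport $dport -j ACCEPT"
        done
    done
}

# On the real server (after "service nfs restart"):
#   rpcinfo -p | check_pinned && nfs_rules 192.168.1.0/24 RH-Firewall-1-INPUT | sh
```

Run the check first: if lockd or statd is still on a random port, opening 4000-4003 will not help and clients will hang on locking or mounting, which is the usual symptom of a missed restart.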