Firewalling a Linux NFS server with iptables


When it comes to firewalling services, NFS has to be one of the most complex to get operational. By default the various NFS services (lockd, statd, mountd, etc.) will request random port assignments from the portmapper (portmap), which means that most administrators need to open up a range of ports in their firewall rule base to get NFS working. On Linux hosts there is a simple way to firewall NFS services, and I thought I would walk through how I got iptables and my NFS server to work together.

Getting NFS working with iptables is a three step process:

  1. Hard strap the ports the NFS daemons use in /etc/sysconfig/nfs.
  2. Add the ports from step 1 to your iptables chains.
  3. Restart the portmap, nfs and iptables services to pick up the changes.

To hard strap the ports that the various NFS services will use, you can assign your preferred ports to the MOUNTD_PORT, STATD_PORT, LOCKD_TCPPORT, LOCKD_UDPPORT, RQUOTAD_PORT and STATD_OUTGOING_PORT variables in /etc/sysconfig/nfs. Here are the settings I am using on my server:

MOUNTD_PORT="10050"
STATD_PORT="10051"
LOCKD_TCPPORT="10052"
LOCKD_UDPPORT="10052"
RQUOTAD_PORT="10053"
STATD_OUTGOING_PORT="10054"

Once ports have been assigned, you will need to restart the portmap and nfs services to pick up the changes:

$ service portmap restart

Stopping portmap: [ OK ]
Starting portmap: [ OK ]

$ service nfslock restart

Stopping NFS locking: [ OK ]
Stopping NFS statd: [ OK ]
Starting NFS statd: [ OK ]

$ service nfs restart

Shutting down NFS mountd: [ OK ]
Shutting down NFS daemon: [ OK ]
Shutting down NFS quotas: [ OK ]
Shutting down NFS services: [ OK ]
Starting NFS services: [ OK ]
Starting NFS quotas: [ OK ]
Starting NFS daemon: [ OK ]
Starting NFS mountd: [ OK ]

If you query the portmap daemon with rpcinfo, you will see that the various services are now registered on the ports that were assigned in /etc/sysconfig/nfs:

$ rpcinfo -p

program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100024 1 udp 10051 status
100024 1 tcp 10051 status
100011 1 udp 10053 rquotad
100011 2 udp 10053 rquotad
100011 1 tcp 10053 rquotad
100011 2 tcp 10053 rquotad
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100003 4 udp 2049 nfs
100021 1 udp 10052 nlockmgr
100021 3 udp 10052 nlockmgr
100021 4 udp 10052 nlockmgr
100021 1 tcp 10052 nlockmgr
100021 3 tcp 10052 nlockmgr
100021 4 tcp 10052 nlockmgr
100003 2 tcp 2049 nfs
100003 3 tcp 2049 nfs
100003 4 tcp 2049 nfs
100005 1 udp 10050 mountd
100005 1 tcp 10050 mountd
100005 2 udp 10050 mountd
100005 2 tcp 10050 mountd
100005 3 udp 10050 mountd
100005 3 tcp 10050 mountd

Next up, we need to adjust the appropriate iptables chains to allow inbound connections to the NFS service ports. Here are the entries I added to /etc/sysconfig/iptables to allow NFS to work with iptables:

# Portmap ports
-A INPUT -m state --state NEW -p tcp --dport 111 -j ACCEPT
-A INPUT -m state --state NEW -p udp --dport 111 -j ACCEPT
# NFS daemon ports
-A INPUT -m state --state NEW -p tcp --dport 2049 -j ACCEPT
-A INPUT -m state --state NEW -p udp --dport 2049 -j ACCEPT
# NFS mountd ports
-A INPUT -m state --state NEW -p udp --dport 10050 -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 10050 -j ACCEPT
# NFS status ports
-A INPUT -m state --state NEW -p udp --dport 10051 -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 10051 -j ACCEPT
# NFS lock manager ports
-A INPUT -m state --state NEW -p udp --dport 10052 -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 10052 -j ACCEPT
# NFS rquotad ports
-A INPUT -m state --state NEW -p udp --dport 10053 -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 10053 -j ACCEPT

Then I restarted iptables:

$ service iptables restart

Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: filter [ OK ]
Unloading iptables modules: [ OK ]
Applying iptables firewall rules: [ OK ]

In addition to the rules listed above, I have entries to track state (using the conntrack module) and allow established connections. If everything went as expected, you should be able to mount your file systems without issue. To debug issues, you can use the following steps:

  1. Add a LOG statement to your iptables INPUT chain to log drop packets.
  2. Run tcpdump -i host X.X.X.X (host should be the client IP that is trying to mount / access your exported file system) and check to see if connections are making it to the NFS server.
  3. Run rpcinfo -p to see if the correct ports were assigned.

With just a few steps, you can get NFS working with iptables. If you have any suggestions or comments, feel free to leave me a comment! I’d love to hear folks thoughts on this.

This article was posted by Matty on 2010-11-02 20:44:00 -0400 EDT