When it comes to firewalling services, NFS has to be one of the most complex to get operational. By default the various NFS services (lockd, statd, mountd, etc.) will request random port assignments from the portmapper (portmap), which means that most administrators need to open up a range of ports in their firewall rule base to get NFS working. On Linux hosts there is a simple way to firewall NFS services, and I thought I would walk through how I got iptables and my NFS server to work together.
Getting NFS working with iptables is a three step process: pin each NFS service to a fixed port, restart the services so they register those ports with portmap, and open those ports in iptables.
To pin the ports that the various NFS services will use, assign your preferred ports to the MOUNTD_PORT, STATD_PORT, LOCKD_TCPPORT, LOCKD_UDPPORT, RQUOTAD_PORT and STATD_OUTGOING_PORT variables in /etc/sysconfig/nfs. Here are the settings I am using on my server:
MOUNTD_PORT="10050"
STATD_PORT="10051"
LOCKD_TCPPORT="10052"
LOCKD_UDPPORT="10052"
RQUOTAD_PORT="10053"
STATD_OUTGOING_PORT="10054"
Once ports have been assigned, you will need to restart the portmap and nfs services to pick up the changes:
service portmap restart
Stopping portmap:                                          [  OK  ]
Starting portmap:                                          [  OK  ]
service nfslock restart
Stopping NFS locking:                                      [  OK  ]
Stopping NFS statd:                                        [  OK  ]
Starting NFS statd:                                        [  OK  ]
service nfs restart
Shutting down NFS mountd:                                  [  OK  ]
Shutting down NFS daemon:                                  [  OK  ]
Shutting down NFS quotas:                                  [  OK  ]
Shutting down NFS services:                                [  OK  ]
Starting NFS services:                                     [  OK  ]
Starting NFS quotas:                                       [  OK  ]
Starting NFS daemon:                                       [  OK  ]
Starting NFS mountd:                                       [  OK  ]
If you query the portmap daemon with rpcinfo, you will see that the various services are now registered on the ports that were assigned in /etc/sysconfig/nfs:
rpcinfo -p
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  10051  status
    100024    1   tcp  10051  status
    100011    1   udp  10053  rquotad
    100011    2   udp  10053  rquotad
    100011    1   tcp  10053  rquotad
    100011    2   tcp  10053  rquotad
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    4   udp   2049  nfs
    100021    1   udp  10052  nlockmgr
    100021    3   udp  10052  nlockmgr
    100021    4   udp  10052  nlockmgr
    100021    1   tcp  10052  nlockmgr
    100021    3   tcp  10052  nlockmgr
    100021    4   tcp  10052  nlockmgr
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100005    1   udp  10050  mountd
    100005    1   tcp  10050  mountd
    100005    2   udp  10050  mountd
    100005    2   tcp  10050  mountd
    100005    3   udp  10050  mountd
    100005    3   tcp  10050  mountd
Next up, we need to adjust the appropriate iptables chains to allow inbound connections to the NFS service ports. Here are the entries I added to /etc/sysconfig/iptables to allow NFS to work with iptables:
# Portmap ports
-A INPUT -m state --state NEW -p tcp --dport 111 -j ACCEPT
-A INPUT -m state --state NEW -p udp --dport 111 -j ACCEPT
# NFS daemon ports
-A INPUT -m state --state NEW -p tcp --dport 2049 -j ACCEPT
-A INPUT -m state --state NEW -p udp --dport 2049 -j ACCEPT
# NFS mountd ports
-A INPUT -m state --state NEW -p udp --dport 10050 -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 10050 -j ACCEPT
# NFS status ports
-A INPUT -m state --state NEW -p udp --dport 10051 -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 10051 -j ACCEPT
# NFS lock manager ports
-A INPUT -m state --state NEW -p udp --dport 10052 -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 10052 -j ACCEPT
# NFS rquotad ports
-A INPUT -m state --state NEW -p udp --dport 10053 -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 10053 -j ACCEPT
Then I restarted iptables:
service iptables restart
Flushing firewall rules:                                   [  OK  ]
Setting chains to policy ACCEPT: filter                    [  OK  ]
Unloading iptables modules:                                [  OK  ]
Applying iptables firewall rules:                          [  OK  ]
In addition to the rules listed above, I have entries to track state (using the conntrack module) and allow established connections. If everything went as expected, you should be able to mount your file systems without issue. To debug issues, you can use the following steps:
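As a debugging aid, here is an added check (not code from the original post) that compares the ports pinned in /etc/sysconfig/nfs against what portmap actually reports, so a service that silently fell back to a random port is caught before you chase firewall rules. The config text and rpcinfo output are constructed samples using the port numbers from this post; the function names are my own.

```shell
#!/bin/sh
# Added example: verify that every pinned NFS RPC service is registered with
# portmap on the port from /etc/sysconfig/nfs. On a live host run:
#   verify_nfs_ports "$(cat /etc/sysconfig/nfs)" "$(rpcinfo -p)"
# Constructed sample config (same values as the post):
NFS_SYSCONFIG='MOUNTD_PORT="10050"
STATD_PORT="10051"
LOCKD_TCPPORT="10052"
LOCKD_UDPPORT="10052"
RQUOTAD_PORT="10053"
STATD_OUTGOING_PORT="10054"'
# Constructed sample of rpcinfo -p output (abridged):
RPCINFO_SAMPLE='   program vers proto   port
    100024    1   udp  10051  status
    100024    1   tcp  10051  status
    100011    1   udp  10053  rquotad
    100011    2   tcp  10053  rquotad
    100021    1   udp  10052  nlockmgr
    100021    4   tcp  10052  nlockmgr
    100005    1   udp  10050  mountd
    100005    3   tcp  10050  mountd'
# cfg_port VAR CONFIG_TEXT: print VAR's numeric value (quoted or bare).
cfg_port() {
    printf '%s\n' "$2" | sed -n "s/^$1=\"\{0,1\}\([0-9]*\).*/\1/p"
}
# check_service NAME PROTO WANT RPCINFO_TEXT: succeed only if NAME/PROTO is
# registered and every registered version of it sits on port WANT.
check_service() {
    got=$(printf '%s\n' "$4" | awk -v n="$1" -v p="$2" '$5 == n && $3 == p { print $4 }' | sort -u)
    [ -n "$got" ] && [ "$got" = "$3" ]
}
# verify_nfs_ports CONFIG_TEXT RPCINFO_TEXT: 0 only if every pinned inbound
# service matches (STATD_OUTGOING_PORT is a source port, so it is skipped).
verify_nfs_ports() {
    rc=0
    for spec in mountd:tcp:MOUNTD_PORT mountd:udp:MOUNTD_PORT \
                status:tcp:STATD_PORT status:udp:STATD_PORT \
                nlockmgr:tcp:LOCKD_TCPPORT nlockmgr:udp:LOCKD_UDPPORT \
                rquotad:tcp:RQUOTAD_PORT rquotad:udp:RQUOTAD_PORT; do
        name=${spec%%:*}; rest=${spec#*:}; proto=${rest%%:*}; var=${rest#*:}
        want=$(cfg_port "$var" "$1")
        if [ -z "$want" ] || ! check_service "$name" "$proto" "$want" "$2"; then
            echo "MISMATCH: $name/$proto should be on port ${want:-<unset>}" >&2
            rc=1
        fi
    done
    return $rc
}
verify_nfs_ports "$NFS_SYSCONFIG" "$RPCINFO_SAMPLE" && echo "NFS RPC ports match /etc/sysconfig/nfs"
```

Any MISMATCH line means the iptables rules above will not match what is listening; the usual cause is a service that was not restarted after the config change.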
With just a few steps, you can get NFS working with iptables. If you have any suggestions or comments, feel free to leave me a comment! I'd love to hear folks' thoughts on this.