Friday, July 8, 2011

Iptables for NFS server

Step 1

To allow NFS clients to reach the NFS server, the following services and ports must be allowed through the firewall.

a] TCP/UDP 111 - RPC 4.0 portmapper
b] TCP/UDP 2049 - NFSD (nfs server)
c] Portmap static ports - the helper daemons (rquotad, lockd, mountd, statd) use dynamic ports by default; static ports for them are defined in the /etc/sysconfig/nfs file.

The port mapper assigns each NFS helper service a port dynamically at service startup time. Dynamic ports cannot be protected by a port-filtering firewall such as iptables, so we need to configure static ports for the services registered with portmap.

Edit /etc/sysconfig/nfs and add the lines below:

# vim /etc/sysconfig/nfs

RQUOTAD_PORT=875
LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
MOUNTD_PORT=892
STATD_PORT=662
STATD_OUTGOING_PORT=2020

Save the file and restart the services:

# service portmap restart
# service nfs restart
# service rpcsvcgssd restart

Step 2

iptables configuration for NFS

# iptables -A INPUT -p tcp --dport 111 -j ACCEPT
# iptables -A INPUT -p udp --dport 111 -j ACCEPT
# iptables -A INPUT -p tcp --dport 2049 -j ACCEPT
# iptables -A INPUT -p udp --dport 2049 -j ACCEPT
# iptables -A INPUT -p tcp --dport 662 -j ACCEPT
# iptables -A INPUT -p udp --dport 662 -j ACCEPT
# iptables -A INPUT -p tcp --dport 875 -j ACCEPT
# iptables -A INPUT -p udp --dport 875 -j ACCEPT
# iptables -A INPUT -p tcp --dport 892 -j ACCEPT
# iptables -A INPUT -p udp --dport 892 -j ACCEPT
# iptables -A INPUT -p tcp --dport 32803 -j ACCEPT
# iptables -A INPUT -p udp --dport 32769 -j ACCEPT

Now save the rules and restart iptables:

# iptables-save > /etc/sysconfig/iptables
or
# service iptables save

# service iptables restart

Alternatively, edit /etc/sysconfig/iptables by hand and add the lines below:

-A INPUT -p tcp -m tcp --dport 111 -j ACCEPT
-A INPUT -p udp -m udp --dport 111 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 662 -j ACCEPT
-A INPUT -p udp -m udp --dport 662 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 875 -j ACCEPT
-A INPUT -p udp -m udp --dport 875 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 892 -j ACCEPT
-A INPUT -p udp -m udp --dport 892 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2049 -j ACCEPT
-A INPUT -p udp -m udp --dport 2049 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 32803 -j ACCEPT
-A INPUT -p udp -m udp --dport 32769 -j ACCEPT

# service iptables restart
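The rules above accept NFS traffic from any source. As an added example (not part of the original post), the script below builds the same rule set directly from the ports pinned in /etc/sysconfig/nfs, restricted to one client subnet, and then checks `rpcinfo -p` output to confirm the pinned ports actually took effect after the restart. The config keys are the ones used in Step 1; the client subnet (192.168.1.0/24), the temp-file handling, the rpcinfo sample and the function names are this example's own assumptions. STATD_OUTGOING_PORT is the source port statd uses for its own outgoing calls, so it gets no INPUT rule.

```shell
#!/bin/sh
# Added example (not from the original post): generate iptables INPUT rules
# for an NFS server from the ports pinned in /etc/sysconfig/nfs, limited to a
# client subnet, and check `rpcinfo -p` output for daemons that ignored the
# pinned ports. Subnet, temp files and the rpcinfo sample are assumptions.

# Print the numeric value of KEY from a sysconfig-style file (last match wins).
sysconfig_get() {
    # $1 = file, $2 = key
    sed -n "s/^[[:space:]]*$2=\([0-9][0-9]*\).*/\1/p" "$1" | tail -n 1
}

# Emit one iptables-save style ACCEPT rule.
rule() {
    # $1 = source CIDR, $2 = protocol (tcp|udp), $3 = port
    printf '%s\n' "-A INPUT -s $1 -p $2 -m $2 --dport $3 -j ACCEPT"
}

# Generate the full INPUT rule set for an NFS server.
#   $1 = path to /etc/sysconfig/nfs, $2 = client subnet (e.g. 192.168.1.0/24)
# Fails if a required port is not pinned: an unpinned daemon would come up on
# a random port and silently fall outside the rule set.
nfs_rules() {
    cfg=$1; src=$2
    # Fixed ports: portmapper (111) and nfsd (2049), both protocols.
    for p in 111 2049; do
        rule "$src" tcp "$p"
        rule "$src" udp "$p"
    done
    # Pinned helper daemons that listen on both TCP and UDP.
    for key in RQUOTAD_PORT MOUNTD_PORT STATD_PORT; do
        p=$(sysconfig_get "$cfg" "$key")
        [ -n "$p" ] || { echo "nfs_rules: $key not set in $cfg" >&2; return 1; }
        rule "$src" tcp "$p"
        rule "$src" udp "$p"
    done
    # lockd uses separate TCP and UDP ports.
    p=$(sysconfig_get "$cfg" LOCKD_TCPPORT)
    [ -n "$p" ] || { echo "nfs_rules: LOCKD_TCPPORT not set in $cfg" >&2; return 1; }
    rule "$src" tcp "$p"
    p=$(sysconfig_get "$cfg" LOCKD_UDPPORT)
    [ -n "$p" ] || { echo "nfs_rules: LOCKD_UDPPORT not set in $cfg" >&2; return 1; }
    rule "$src" udp "$p"
}

# Read `rpcinfo -p` output on stdin and print every helper service that is not
# on its pinned port (service, protocol, actual port). Empty output means the
# pinned ports took effect; any line means the firewall rules will not match.
#   $1 = path to /etc/sysconfig/nfs
unpinned_services() {
    awk -v mountd="$(sysconfig_get "$1" MOUNTD_PORT)" \
        -v status="$(sysconfig_get "$1" STATD_PORT)" \
        -v rquotad="$(sysconfig_get "$1" RQUOTAD_PORT)" \
        -v nlm_tcp="$(sysconfig_get "$1" LOCKD_TCPPORT)" \
        -v nlm_udp="$(sysconfig_get "$1" LOCKD_UDPPORT)" '
        # rpcinfo -p columns: program vers proto port service (line 1 is the header)
        NR > 1 && $5 == "mountd"   && $4 != mountd  { print $5, $3, $4 }
        NR > 1 && $5 == "status"   && $4 != status  { print $5, $3, $4 }
        NR > 1 && $5 == "rquotad"  && $4 != rquotad { print $5, $3, $4 }
        NR > 1 && $5 == "nlockmgr" && $3 == "tcp" && $4 != nlm_tcp { print $5, $3, $4 }
        NR > 1 && $5 == "nlockmgr" && $3 == "udp" && $4 != nlm_udp { print $5, $3, $4 }
    '
}

# Constructed sample config with the same values as the post, written to a
# temp file so the example never touches the real /etc/sysconfig/nfs.
sample_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
RQUOTAD_PORT=875
LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
MOUNTD_PORT=892
STATD_PORT=662
STATD_OUTGOING_PORT=2020
EOF
    echo "$f"
}

# Demo: print the rules for one subnet, then check a constructed rpcinfo
# listing in which statd ignored the config and came up on a random port.
demo() {
    cfg=$(sample_config)
    nfs_rules "$cfg" 192.168.1.0/24
    printf '%s\n' \
        '   program vers proto   port  service' \
        '    100000    2   tcp    111  portmapper' \
        '    100005    1   tcp    892  mountd' \
        '    100024    1   udp  40112  status' \
        '    100021    1   tcp  32803  nlockmgr' |
        unpinned_services "$cfg"
    rm -f "$cfg"
}

demo
```

On a real server, run `nfs_rules /etc/sysconfig/nfs <client-subnet>` and paste the output into the rule section of /etc/sysconfig/iptables before the final REJECT rule, then pipe the live `rpcinfo -p` into `unpinned_services /etc/sysconfig/nfs` after restarting the services; a daemon listed there is still on a dynamic port and its clients will be blocked.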

For related documents, refer to the links below:

iptables basic configuration
iptables for samba, squid