On Thu, 12 Jul 2007 18:58:29 -0700, Joseph Loo wrote:

> I am fairly new to this list and fedora 7. I have been trying to export
> an NFS drive outside the machine. I have checked to make sure the mount
> is working, by doing ls /net/orion. It shows the drive without any
> problem.
>
> I use the administrator menu firewall and SELINUX and checked off the
> NFS item. I rebooted the machine and a foreign machine is not able to see
> the drive. I opened up the service and stopped iptables, and the directory
> appears on the foreign machine with no problem. I restarted iptables, and
> the directory disappears.
>
> My first question is how do I change the firewall rules to allow it
> through? Is there a site that gives examples on opening this portion of
> the firewall?
>
> --
> Joseph Loo
> jloo@xxxxxxx

This is what you need to know/do:

1) You must have ports 2049 tcp+udp and 111 tcp+udp open in the nfs
   server firewall to allow clients to talk to nfs and portmap,
   respectively.

2) There are a number of other daemons on the server, associated with
   nfs, namely rpc.statd, rpc.lockd, rpc.mountd and rpc.quotad. These
   must also be accessible to the clients. By default these start on
   random ports, which the firewall couldn't care less about. So to
   allow clients to get to the rpc services you must

   2a) force the rpc services to start on pre-assigned ports of your
       choice, like 4000 to 4003.

   2b) open ports 4000-4003 tcp+udp in the firewall (or whatever ports
       you used at 2a).

Now, here is how you do all this.

You implement 2a by creating a file /etc/sysconfig/nfs with the
following contents:

    STATD_PORT=4000
    LOCKD_TCPPORT=4001
    LOCKD_UDPPORT=4001
    MOUNTD_PORT=4002
    RQUOTAD_PORT=4003

Restart nfs.

The rest is opening ports into the server firewall, which is a separate
matter. On the server, something like

    /sbin/iptables -I RH-Firewall-1-INPUT 10 -s 192.168.1.0/255.255.255.0 -p tcp -m state --state NEW -m tcp --dport 4000:4003 -j ACCEPT

will insert a rule at position 10 (if 10 is the position you want) in
the RH firewall that opens the range 4000-4003 for incoming tcp
connections from the local network. Then run the above command again
with udp instead of tcp. Do the same (tcp+udp) for ports 111 and 2049.

Finally, save the new firewall configuration

    /sbin/iptables-save > /etc/sysconfig/iptables   # after backing up the old iptables file first

and restart iptables

    /etc/rc.d/init.d/iptables restart
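The whole procedure from the reply above, put into one script, as an added example that is not part of the original thread: it renders the /etc/sysconfig/nfs fragment that pins the RPC daemons to fixed ports, generates the matching set of iptables rules (tcp and udp for portmap, nfsd and each pinned daemon, limited to the LAN), and checks a captured `rpcinfo -p` listing to confirm the daemons actually came up on those ports after the nfs restart. The subnet, the port numbers, the insert position and the `SAMPLE_RPCINFO` listing are assumptions constructed for the example; the sample deliberately shows mountd still on random ports, which is exactly the case the firewall rules would silently fail on. The script only prints the commands; nothing here runs iptables or writes to /etc.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed values below; adjust to taste.
LAN=${LAN:-192.168.1.0/255.255.255.0}   # clients allowed to reach the NFS server
STATD_PORT=${STATD_PORT:-4000}
LOCKD_PORT=${LOCKD_PORT:-4001}          # used for both LOCKD_TCPPORT and LOCKD_UDPPORT
MOUNTD_PORT=${MOUNTD_PORT:-4002}
RQUOTAD_PORT=${RQUOTAD_PORT:-4003}
POS=${POS:-10}                          # insert position in RH-Firewall-1-INPUT (must be
                                        # above the chain's final REJECT rule)

# The /etc/sysconfig/nfs fragment that forces the RPC daemons onto fixed ports.
nfs_sysconfig() {
    cat <<EOF
STATD_PORT=$STATD_PORT
LOCKD_TCPPORT=$LOCKD_PORT
LOCKD_UDPPORT=$LOCKD_PORT
MOUNTD_PORT=$MOUNTD_PORT
RQUOTAD_PORT=$RQUOTAD_PORT
EOF
}

# One iptables command for one protocol and one port, limited to the LAN.
rule() {
    proto=$1; port=$2
    echo "/sbin/iptables -I RH-Firewall-1-INPUT $POS -s $LAN -p $proto -m state --state NEW -m $proto --dport $port -j ACCEPT"
}

# The full rule set: portmap (111), nfsd (2049) and the four pinned daemons, tcp and udp each.
firewall_rules() {
    for port in 111 2049 "$STATD_PORT" "$LOCKD_PORT" "$MOUNTD_PORT" "$RQUOTAD_PORT"; do
        rule tcp "$port"
        rule udp "$port"
    done
}

# Read "rpcinfo -p" output on stdin and report every daemon that is not on its pinned
# port. Prints one line per mismatch and returns 1 if there was any, 0 otherwise.
check_rpc_ports() {
    rc=0
    while read -r prog vers proto port name; do
        case "$name" in
            status)   want=$STATD_PORT ;;
            nlockmgr) want=$LOCKD_PORT ;;
            mountd)   want=$MOUNTD_PORT ;;
            rquotad)  want=$RQUOTAD_PORT ;;
            *)        continue ;;        # header line, portmapper, nfs itself, blanks
        esac
        if [ "$port" != "$want" ]; then
            echo "$name/$proto on port $port, expected $want"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample of "rpcinfo -p" on a server where /etc/sysconfig/nfs was written
# but mountd was not restarted, so it is still on kernel-chosen ports.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp   4000  status
    100024    1   tcp   4000  status
    100021    1   udp   4001  nlockmgr
    100021    1   tcp   4001  nlockmgr
    100005    1   udp  32768  mountd
    100005    1   tcp  32769  mountd
    100011    1   udp   4003  rquotad
    100011    1   tcp   4003  rquotad'

echo "# contents for /etc/sysconfig/nfs"
nfs_sysconfig
echo "# firewall commands (then: iptables-save > /etc/sysconfig/iptables)"
firewall_rules
echo "# checking the sample rpcinfo listing"
printf '%s\n' "$SAMPLE_RPCINFO" | check_rpc_ports \
    || echo "daemons above are not on their pinned ports: fix /etc/sysconfig/nfs and restart nfs before trusting the firewall rules"
```

On a live server the check is `rpcinfo -p | check_rpc_ports`, run after `service nfs restart`; until it passes, the ACCEPT rules for 4000-4003 are open for nothing and the clients still hang. Per-port rules are used instead of the `4000:4003` range so the script stays correct if the four ports are not contiguous.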