Re: Export NFS through firewall

On Thu, 12 Jul 2007 18:58:29 -0700, Joseph Loo wrote:

> I am fairly new to this list and Fedora 7. I have been trying to export
> an NFS drive outside the machine. I have checked to make sure the mount
> is working, by doing ls /net/orion. It shows the drive without any
> problem.
> 
> I use the administrator menu firewall and SELINUX and checked off the
> NFS item. I rebooted the machine and a foreign machine is not able to see
> the drive. I opened up the service and stopped iptables, and the directory
> appears on the foreign machine with no problem. Restarted iptables, and
> the directory disappears.
> 
> My first question is how do I change the firewall rules to allow it
> through? Is there a site that gives examples on opening this portion of
> the firewall?
> 
> --
> Joseph Loo
> jloo@xxxxxxx



This is what you need to know/do:

1) You must have ports 2049 tcp+udp and 111 tcp+udp open in the nfs 
server firewall to allow clients to talk to nfs and portmap, respectively.
 
2) There are a number of other daemons on the server, associated with 
nfs, namely rpc.statd, rpc.lockd, rpc.mountd and rpc.quotad. These must 
also be accessible to the clients. By default these start on random 
ports, which the firewall couldn't care less about. So to allow clients 
to get to the rpc services you must
	2a) force the rpc services to start on pre-assigned ports of your 
choice, like 4000 to 4003.
	2b) open ports 4000-4003 tcp+udp in the firewall (or whatever 
ports you used at (2a)).


Now, here is how you do all this. You implement 2a by creating a file 
/etc/sysconfig/nfs with the following contents:

STATD_PORT=4000
LOCKD_TCPPORT=4001
LOCKD_UDPPORT=4001
MOUNTD_PORT=4002
RQUOTAD_PORT=4003

Restart nfs.


The rest is opening ports into the server firewall, which is a separate 
matter. On the server, something like 

/sbin/iptables -I RH-Firewall-1-INPUT 10 -s 192.168.1.0/255.255.255.0 -p tcp \
    -m state --state NEW -m tcp --dport 4000:4003 -j ACCEPT

will insert a rule at position 10 (if 10 is the position you want) in the 
RH firewall that opens the range 4000-4003 for incoming tcp connections 
from the local network. Then run the above command again with udp instead 
of tcp. Do the same (tcp+udp) for ports 111 and 2049. Finally, save the 
new firewall configuration 

/sbin/iptables-save > /etc/sysconfig/iptables   # after backing up the old /etc/sysconfig/iptables first

and restart iptables

/etc/rc.d/init.d/iptables restart
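Steps 2a and 2b above, collected into one script as an added example (not part of the original reply). It assumes Fedora 7's default RH-Firewall-1-INPUT chain, a trusted LAN of 192.168.1.0/24, and the 4000-4003 port choices from the reply; the helper names nfs_sysconfig, nfs_firewall_rules, nfs_rule_count and nfs_apply are mine. Rules are inserted at the head of the chain (-I with no index) rather than at a fixed position, because the default chain ends in a REJECT rule and a rule appended after it would never match. Without APPLY=1 and root it only prints what it would do, so it can be reviewed before touching the live firewall.

```shell
#!/bin/sh
# Added example, not from the original post. Pins the auxiliary NFS RPC
# daemons to fixed ports and generates the matching iptables rules.
# Assumptions: Fedora 7 RH-Firewall-1-INPUT chain, trusted LAN 192.168.1.0/24,
# RPC daemons read their port settings from /etc/sysconfig/nfs.

LAN_NET="${LAN_NET:-192.168.1.0/24}"
CHAIN="${CHAIN:-RH-Firewall-1-INPUT}"
STATD_PORT=4000
LOCKD_PORT=4001
MOUNTD_PORT=4002
RQUOTAD_PORT=4003

# Emit the /etc/sysconfig/nfs fragment that pins rpc.statd, lockd,
# rpc.mountd and rpc.rquotad to the ports chosen above (step 2a).
nfs_sysconfig() {
    cat <<EOF
STATD_PORT=$STATD_PORT
LOCKD_TCPPORT=$LOCKD_PORT
LOCKD_UDPPORT=$LOCKD_PORT
MOUNTD_PORT=$MOUNTD_PORT
RQUOTAD_PORT=$RQUOTAD_PORT
EOF
}

# One ACCEPT rule for a protocol and a port or port range, limited to
# LAN_NET. -I without an index puts the rule at the head of the chain,
# ahead of the REJECT rule that closes the Fedora default chain.
accept_rule() {
    proto="$1"; ports="$2"
    printf '/sbin/iptables -I %s -s %s -p %s -m state --state NEW -m %s --dport %s -j ACCEPT\n' \
        "$CHAIN" "$LAN_NET" "$proto" "$proto" "$ports"
}

# The full rule list (step 2b): portmap (111), nfsd (2049) and the
# pinned range, each for tcp and udp.
nfs_firewall_rules() {
    for ports in 111 2049 "$STATD_PORT:$RQUOTAD_PORT"; do
        accept_rule tcp "$ports"
        accept_rule udp "$ports"
    done
}

# Sanity check on the generated set: 3 port specs x 2 protocols = 6 rules.
nfs_rule_count() {
    nfs_firewall_rules | wc -l | tr -d ' '
}

# Apply only when explicitly asked and running as root; otherwise dry-run.
nfs_apply() {
    if [ "${APPLY:-0}" = 1 ] && [ "$(id -u)" = 0 ]; then
        # Back up the saved ruleset before overwriting it.
        [ -f /etc/sysconfig/iptables ] && \
            cp /etc/sysconfig/iptables "/etc/sysconfig/iptables.bak.$(date +%Y%m%d%H%M%S)"
        nfs_sysconfig > /etc/sysconfig/nfs
        nfs_firewall_rules | sh
        /sbin/iptables-save > /etc/sysconfig/iptables
        /sbin/service nfs restart
        /sbin/service iptables restart
        # Verify the daemons really registered on the pinned ports.
        rpcinfo -p | grep -E 'status|nlockmgr|mountd|rquotad'
    else
        echo "# dry run; set APPLY=1 and run as root to apply"
        nfs_sysconfig
        nfs_firewall_rules
    fi
}

nfs_apply
```

After applying, `rpcinfo -p` on the server should list status, nlockmgr, mountd and rquotad on 4000-4003; if any of them still shows a random port, the daemon did not pick up /etc/sysconfig/nfs and the firewall rules will not help.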

