Howto lock NFSv3 to static TCP ports
If you use Gentoo then you know what I'm talking about when I say that managing NFS access through iptables has been a bit of a pain. It seems like I'd get my rules dialed in and then a new version would come out and suddenly I couldn't mount anymore. I kept "fixing" this problem in iptables but decided that was just me being lazy. So, here is a procedure for NFSv3 over TCP with iptables. I was going to re-write it to be a little prettier, but, with as busy as I am, if I wait for that, it will never get done.
0) emerge a more recent nfs-utils. Version 1.0.12-r1 didn't have mount.nfs built for some freaking reason, so edit /etc/portage/package.keywords and add
=net-fs/nfs-utils-1.1.1 ~x86
1) Make sure the kernel is built for NFSv3 support. I'm holding off on v4 until it's no longer labelled EXPERIMENTAL
NFS file system support
  [*] Provide NFSv3 client support
  [ ] Provide client support for the NFSv3 ACL protocol extension
  [ ] Provide NFSv4 client support (EXPERIMENTAL)
  [ ] Allow direct I/O on NFS files
NFS server support
  [*] Provide NFSv3 server support
  [ ] Provide server support for the NFSv3 ACL protocol extension
  [ ] Provide NFSv4 server support (EXPERIMENTAL)
  [*] Provide NFS server over TCP support
Also make sure you have "NFS server over TCP support" enabled (the last option above); the rest of this procedure assumes TCP.
2) Edit /etc/sysctl.conf
# You should compile nfsd into the kernel or add it
# to modules.autoload for this to work properly
# TCP Port for lock manager
fs.nfs.nlm_tcpport = 4001
NOTE: The UDP port config didn't work for me, but I'm fine with
Run sysctl -p /etc/sysctl.conf
3) Make sure that nfsd is in modules.autoload.d or built into the kernel
4) Edit /etc/conf.d/nfs to bind the other ports. All I changed was the following:
OPTS_RPC_MOUNTD="-p 32767"
OPTS_RPC_STATD="-p 32765 -o 32766"
5) /etc/init.d/nfs restart
NOTE: If you get weirdness here, make sure that
a) no rpc.* processes are still running from before
b) /var/lib/nfs/state is writable by the nobody user
6) Now we should be able to use iptables to lock NFS down to the following ports:
tcp 111 - portmapper
tcp 2049 - nfs
tcp 4001 - nlockmgr
tcp 32765-32767 - status and mountd
Like so:
#NFS
iptables -A INPUT -s $LAN -m state --state NEW -p tcp --dport 111 -j ACCEPT
iptables -A INPUT -s $LAN -m state --state NEW -p tcp --dport 2049 -j ACCEPT
iptables -A INPUT -s $LAN -m state --state NEW -p tcp --dport 4001 -j ACCEPT
iptables -A INPUT -s $LAN -m state --state NEW -p tcp --dport 32765:32767 -j ACCEPT
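One check worth running before trusting the rules above, added here and not part of the original howto: confirm with rpcinfo -p that every service actually registered on the static port you configured, because a statd or mountd that ignored its -p option lands on a random port and gets silently blocked. The two rpcinfo -p listings in the script are constructed samples, not captured output.

```shell
#!/bin/sh
# Constructed sample of `rpcinfo -p` for a host configured as in steps 2 and 4.
SAMPLE_OK='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    3   tcp   2049  nfs
    100021    3   tcp   4001  nlockmgr
    100005    3   tcp  32767  mountd
    100024    1   tcp  32765  status'

# Constructed sample where statd ignored -p and came up on a random port.
SAMPLE_BAD='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100003    3   tcp   2049  nfs
    100021    3   tcp   4001  nlockmgr
    100005    3   tcp  32767  mountd
    100024    1   tcp  40231  status'

# check_nfs_ports: read `rpcinfo -p` output on stdin and verify that each
# NFSv3 service has a TCP registration on the port the firewall expects.
# Prints one line per problem; returns 0 only when everything matches.
check_nfs_ports() {
    awk '
    BEGIN {
        want["portmapper"] = 111;  want["nfs"] = 2049
        want["nlockmgr"]   = 4001; want["mountd"] = 32767
        want["status"]     = 32765; bad = 0
    }
    # skip the header; only TCP rows for the services we care about
    NR > 1 && $3 == "tcp" && ($5 in want) {
        seen[$5] = 1
        if ($4 != want[$5]) {
            printf "%s registered on tcp/%s, expected tcp/%d\n", $5, $4, want[$5]
            bad = 1
        }
    }
    END {
        for (s in want) if (!(s in seen)) {
            printf "%s has no tcp registration\n", s; bad = 1
        }
        exit bad
    }'
}

# Stand-alone demonstration; on a real host use: rpcinfo -p | check_nfs_ports
printf '%s\n' "$SAMPLE_OK"  | check_nfs_ports && echo "ok: all NFS services on static ports"
printf '%s\n' "$SAMPLE_BAD" | check_nfs_ports || echo "mismatch: fix /etc/conf.d/nfs before opening the firewall"
```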