Question

Howto configure iptables to work with NFS

Asked by: dan_venable

I am using NFS to share directories with a few other servers on my LAN. I am unable to successfully share these directories unless I disable iptables. I have seen some documentation floating about regarding some steps that need to be taken in order to allow iptables to correctly allow portmapping and NFS to work as needed. However, the documentation is not consistent with my environment. I do not have a /etc/sysconfig/nfs in order to define my nfs ports. RHES4 uses NFSv3. I am unaware if this OS will support v4. I understand v4 does not require portmapper service. Sounds like an improvement.

In any case, I could sure use some help as I need to get this server locked down.

This question has been solved and asker verified.

Asked On: 2008-09-30 at 17:41:42 (ID 23776637)

Tags: RedHat, Enterprise Server 4, 4, howto configure iptables to work with NFS

Topics: NFS File Server, Red Hat Linux, IP Tables/IP Chains

Participating Experts: 1; Points: 250; Comments: 9


Answers

by: jools, posted on 2008-10-01 at 10:04:10 (ID: 22616527)

If you have the standard iptables rules you can use system-config-securitylevel which may be the easiest option.

by: dan_venable, posted on 2008-10-01 at 11:38:40 (ID: 22617566)

The system-config-securitylevel utility only allows for the trusted services of HTTP, FTP, SSH, Telnet, and SMTP. I have the option to open other ports but that is the heart of my issue. What ports need to be opened in order to make NFS work with the firewall?

by: dan_venable, posted on 2008-10-06 at 12:36:43 (ID: 22653591)

I allowed for ports UDP and TCP 2049 to be open. This worked for one of my two NFS client machines but not the other. NFS host is RHES4. NFS client RHES4 is working. NFS client RHWS4 is not working and message log states:
Oct  6 11:37:49 localhost automount[6246]: >> mount: mount to NFS server '192.168.0.22' failed: System Error: No route to host.
Oct  6 11:37:49 localhost automount[6246]: mount(nfs): nfs: mount failure 192.168.0.22:/data on /zodiac/z_data
Oct  6 11:37:49 localhost automount[6246]: failed to mount /zodiac/z_data

If I stop iptables service on host, then both clients can again connect. Any thoughts would be appreciated.

by: jools, posted on 2008-10-06 at 13:48:33 (ID: 22654288)

Strange, mine has an option for NFS..

Anyway... The 2049 seems to be the right port, at least on my system.

I'm guessing this;
> Oct  6 11:37:49 localhost automount[6246]: >> mount: mount to NFS server '192.168.0.22' failed: System Error: No route to host.

With the no route to host is more of a network routing issue, check your routing and connectivity then give it another go.

by: dan_venable, posted on 2008-10-06 at 13:53:37 (ID: 22654328)

I cannot think it is a network issue on the client as much as it is a firewall issue on the NFS host. As soon as I disable the IPtables service on the NFS host, the problem client is then able to connect to the share without issue.

by: jools, posted on 2008-10-06 at 13:55:21 (ID: 22654344)

hmmm...

Can you post the firewall rules and network config for the system having issues, we'll have a butchers.

by: dan_venable, posted on 2008-10-07 at 10:51:01 (ID: 22661756)

Hi Jools,

Thanks for getting back to me but I am happy to say I have resolved the problem. I found the needed info in the below link. It describes, in great clarity, what must be done to get your NFS server and iptables to play nice.

http://www.redhat.com/magazine/010aug05/departments/tips_tricks/

Just in case this link goes away, the content of the link is pasted below:

How can I configure a system as an NFS server which sits behind a firewall with NFS clients outside of the firewall?
by Bradford Hinson

Symptom:
NFS relies on portmap to assign the ports on which it will listen. One side effect of this is that the ports are randomly assigned, so each time NFS is restarted the ports will change. This can make it difficult to run an NFS server behind a firewall which only allows access to specific ports on the system.

Solution:
The first step is to assign a permanent port number to each of the NFS services (rquotad, mountd, statd, and lockd). While they can use any unused ports greater than 1024, it is recommended that you first consult the file /etc/services to find a valid unused port range. The following examples use the range 10000-10005.

The majority of the ports are configured through the file /etc/sysconfig/nfs. You will need to create this file if it does not exist. It should look similar to the following example:

# NFS port numbers
STATD_PORT=10002
STATD_OUTGOING_PORT=10003
MOUNTD_PORT=10004
RQUOTAD_PORT=10005

The lockd service is configured differently from the others because it is compiled as a kernel module. To set the port which lockd uses, add a line similar to the following to the end of /etc/modprobe.conf:

options lockd nlm_tcpport=10000 nlm_udpport=10001

In order for the changes to take effect, the module must be reloaded if it is already in use. You can use the commands rmmod and modprobe to reload the lockd module; however if there are module dependencies currently in use, a system restart may be required.

After these configuration changes, you can view the port assignments with the rpcinfo -p <hostname> command:

   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100021    1   udp  10001  nlockmgr
    100021    3   udp  10001  nlockmgr
    100021    4   udp  10001  nlockmgr
    100021    1   tcp  10000  nlockmgr
    100021    3   tcp  10000  nlockmgr
    100021    4   tcp  10000  nlockmgr
    100024    1   udp  10002  status
    100024    1   tcp  10002  status
    100011    1   udp  10005  rquotad
    100011    2   udp  10005  rquotad
    100011    1   tcp  10005  rquotad
    100011    2   tcp  10005  rquotad
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    4   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100005    1   udp  10004  mountd
    100005    1   tcp  10004  mountd
    100005    2   udp  10004  mountd
    100005    2   tcp  10004  mountd
    100005    3   udp  10004  mountd
    100005    3   tcp  10004  mountd

At this point, the ports will remain the same when NFS is restarted. The following is a list of ports which need to be opened on the firewall:

    * 111: portmap (tcp/udp)
    * 2049: nfs (tcp/udp)
    * 10000: example lockd (tcp)
    * 10001: example lockd (udp)
    * 10002: example statd/status (tcp/udp)
    * 10003: example statd/status outgoing (tcp/udp)
    * 10004: example mountd (tcp/udp)
    * 10005: example rquotad (tcp/udp)

You can now open these ports on the firewall to allow remote clients to mount a share on the server. If you are using iptables, the following commands can be used to add inbound/outbound rules to allow access to these ports. Note that this is only an example, as your specific firewall rules may differ:

# Inbound: portmap (111) and nfsd (2049) on their well-known ports
iptables -A INPUT -p tcp -m tcp --dport 111 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 111 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 2049 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 2049 -j ACCEPT
# Inbound: lockd (tcp 10000, udp 10001) and the statd/mountd/rquotad range
iptables -A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 10001 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 10002:10005 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 10002:10005 -j ACCEPT
# Replies to traffic this host initiated, then reject everything else inbound
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable
# Outbound: the same ports, for traffic the server initiates (NFSv3 lockd/statd
# callbacks to the clients); only matters if the OUTPUT policy is not ACCEPT,
# and assumes the clients pin the same port numbers as the server
iptables -A OUTPUT -p tcp -m tcp --dport 111 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 111 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 2049 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 2049 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 10000 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 10001 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 10002:10005 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 10002:10005 -j ACCEPT
# Replies to connections opened to this host, then reject everything else outbound
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
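
As an added example (not part of this thread or of the Red Hat article Dan quoted), the script below covers two things the pasted rules leave to the reader. First, it prints the same INPUT rules with a source restriction, so that portmap and the RPC services answer only the NFS clients' subnet rather than every host that can route to the server (anyone who can reach port 111 can enumerate the RPC services with rpcinfo -p). Second, it checks rpcinfo -p output against the pinned port table, so that a service which silently fell back to a dynamic port after a restart is caught before clients start failing with "No route to host". The subnet 192.168.0.0/24 is an assumption (the thread only shows the server address 192.168.0.22), the port numbers 10000-10005 are the article's examples, and the two rpcinfo listings are constructed samples, not captures from a real host.

```shell
#!/bin/sh
# Added example for this thread; not from the original post or the Red Hat
# article it quotes. Assumptions: the article's fixed ports (lockd tcp 10000 /
# udp 10001, statd 10002, mountd 10004, rquotad 10005) and that all NFS clients
# sit on 192.168.0.0/24 (the thread shows 192.168.0.22 but never states a mask).

# service/proto=port table, as pinned by /etc/sysconfig/nfs and the lockd
# module options. Service names are the ones rpcinfo -p prints.
EXPECTED="portmapper/tcp=111 portmapper/udp=111 nfs/tcp=2049 nfs/udp=2049 \
nlockmgr/tcp=10000 nlockmgr/udp=10001 status/tcp=10002 status/udp=10002 \
mountd/tcp=10004 mountd/udp=10004 rquotad/tcp=10005 rquotad/udp=10005"

# nfs_firewall_rules SUBNET
# Prints (does not apply) INPUT rules that differ from the article's in one
# way: every ACCEPT carries -s SUBNET, so portmap and the RPC services are
# reachable only from the clients' network. Review the output, then pipe it
# to sh as root.
nfs_firewall_rules() {
    subnet="$1"
    for spec in tcp:111 udp:111 tcp:2049 udp:2049 tcp:10000 udp:10001 \
                tcp:10002:10005 udp:10002:10005; do
        proto=${spec%%:*}   # text before the first colon
        port=${spec#*:}     # the rest, possibly a low:high range
        echo "iptables -A INPUT -s $subnet -p $proto -m $proto --dport $port -j ACCEPT"
    done
    echo "iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT"
    echo "iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable"
}

# check_pinned_ports "RPCINFO_OUTPUT"
# Verifies that every registration in rpcinfo -p output sits on the port the
# firewall expects. Returns 0 when all match; otherwise prints one line per
# mismatch (or per service the firewall knows nothing about) and returns 1.
# Run it after every NFS restart or reboot: a service that fell back to a
# random port is exactly what the clients see as "No route to host".
check_pinned_ports() {
    printf '%s\n' "$1" | awk -v expected="$EXPECTED" '
        BEGIN {
            n = split(expected, items, " ")
            for (i = 1; i <= n; i++) {
                split(items[i], kv, "=")
                want[kv[1]] = kv[2]
            }
        }
        # data lines: program vers proto port name (the header has 4 fields)
        NF == 5 && $1 ~ /^[0-9]+$/ {
            key = $5 "/" $3
            if (!(key in want)) {
                print "unexpected service: " key " on port " $4
                bad = 1
                next
            }
            if ($4 != want[key]) {
                print "unpinned: " key " on port " $4 " (want " want[key] ")"
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }'
}

# Constructed samples. The good one is the article's listing trimmed to one
# version per service; the bad one is the same listing after mountd/udp has
# come back on a dynamic port (what an unpinned restart looks like).
GOOD_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100021    4   tcp  10000  nlockmgr
    100021    4   udp  10001  nlockmgr
    100024    1   tcp  10002  status
    100024    1   udp  10002  status
    100011    2   tcp  10005  rquotad
    100011    2   udp  10005  rquotad
    100003    3   tcp   2049  nfs
    100003    3   udp   2049  nfs
    100005    3   tcp  10004  mountd
    100005    3   udp  10004  mountd'
BAD_RPCINFO=$(printf '%s\n' "$GOOD_RPCINFO" | sed '/udp *10004 *mountd/s/10004/32768/')

# Stand-alone demo on the samples; on the real server use
#   check_pinned_ports "$(rpcinfo -p localhost)"
nfs_firewall_rules 192.168.0.0/24
check_pinned_ports "$GOOD_RPCINFO" && echo "good sample: every RPC service is on its pinned port"
check_pinned_ports "$BAD_RPCINFO" || echo "bad sample: mismatch reported above"
```

The OUTPUT rules from the article are deliberately not generated: if the OUTPUT chain policy is ACCEPT, which is what system-config-securitylevel leaves on RHEL4, they add nothing, and if OUTPUT is locked down the clients' lockd/statd ports must be pinned and listed too. Restricting by -s narrows who can talk to portmap and mountd; it is not access control for the data. NFSv3 with the default AUTH_SYS trusts the UID the client sends, so the host list in /etc/exports and root_squash still decide what a client on the allowed subnet can read and write.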


 

by: jools, posted on 2008-10-07 at 11:04:21 (ID: 22661884)

Nice one Dan.

No need to wait to close the call, go right ahead.

Jools :-)

by: jools, posted on 2008-10-07 at 13:57:04 (ID: 22663713)

Hi Dan,

Thanks for the points but I thought the question was going to be closed.

If you didn't mean to accept as answer please feel free to contact the moderators (or whoever it is) and get the question closed and points refunded.

All the best.

Jools
