Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win


Howto configure iptables to work with NFS

Posted on 2008-09-30
Medium Priority
Last Modified: 2013-12-06
I am using NFS to share directories with a few other servers on my LAN. I am unable to successfully share these directories unless I disable iptables. I have seen some documentation floating about regarding some steps that need to be taken in order to allow iptables to correctly allow portmapping and NFS to work as needed. However,  the documentation is not consistent with my environment. I do not have a /etc/sysconfig/nfs in order to define my nfs ports. RHES4 uses NFSv3. I am unaware if this OS will support v4. I understand v4 does not require portmapper service. Sounds like an improvement.

In any case, I could sure use some help as need to get this server locked down.
Question by:dan_venable
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
LVL 19

Expert Comment

ID: 22616527
If you have the standard iptables rules you can use system-config-securitylevel which may be the easiest option.


Author Comment

ID: 22617566
The system-config-securitylevel  utility only allows for the trusted services of HTTP, FTP, SSH, Telnet, and SMTP. I have the option to open other ports but that is the heart of my issue. What ports need to be opened in order to make NFS work with the firewall?

Author Comment

ID: 22653591
I allowed for ports UDP and TCP 2049 to be open. This worked for one of my two NFS client machines but not the other. NSF host is RHES4. NFS client RHES4 is working. NFS client RHWS4 is not working and message log states:
Oct  6 11:37:49 localhost automount[6246]: >> mount: mount to NFS server '' failed: System Error: No route to host.
Oct  6 11:37:49 localhost automount[6246]: mount(nfs): nfs: mount failure on /zodiac/z_data
Oct  6 11:37:49 localhost automount[6246]: failed to mount /zodiac/z_data

If I stop iptables service on host, then both clients can again connect. Any thoughts would be appreciated.
Looking for the Wi-Fi vendor that's right for you?

We know how difficult it can be to evaluate Wi-Fi vendors, so we created this helpful Wi-Fi Buyer's Guide to help you find the Wi-Fi vendor that's right for your business! Download the guide and get started on our checklist today!

LVL 19

Expert Comment

ID: 22654288
Strange, mine has an option for NFS..

Anyway... The 2049 seems to be the right port, at least on my system.

I'm guessing this;
> Oct  6 11:37:49 localhost automount[6246]: >> mount: mount to NFS server '' failed: System Error: No route to host.

With the no route to host is more of a network routing issue, check your routing and connectivity then give it another go.

Author Comment

ID: 22654328
I cannot think it is a network issue on the client as much as it is a firewall issue on the NFS host. As soon as I disable the IPtables service on the NSF host, the problem client is then able to connect to the share without issue.

LVL 19

Expert Comment

ID: 22654344

Can you post the firewall rules and network config for the system having issues, we'll have a butchers.

Author Comment

ID: 22661756
Hi Jools,

Thanks for getting back to me but I am happy to say I have resolved the problem. I found the needed info in the below link. It describes, in great clarity, what must be done to get you nsf server and iptables to play nice.


Just in case this link goes away, the content of the link is pated below,

How can I configure a system as an NFS server which sits behind a firewall with NFS clients outside of the firewall?
by Bradford Hinson

NFS relies on portmap to assign the ports on which it will listen. One side effect of this is that the ports are randomly assigned, so each time NFS is restarted the ports will change. This can make it difficult to run an NFS server behind a firewall which only allows access to specific ports on the system.

The first step is to assign a permanent port number to each of the NFS services (rquotad, mountd, statd, and lockd). While they can use any unused ports greater than 1024, it is recommended that you first consult the file /etc/services to find a valid unused port range. The following examples use the range 10000-10005.

The majority of the ports are configured through the file /etc/sysconfig/nfs. You will need to create this file if it does not exist. It should look similar to the following example:

# NFS port numbers

The lockd service is configured differently from the others because it is compiled as a kernel module. To set the port which lockd uses, add a line similar to the following to the end of /etc/modprobe.conf:

options lockd nlm_tcpport=10000 nlm_udpport=10001

In order for the changes to take effect, the module must be reloaded if it is already in use. You can use the commands rmmod and modprobe to reload the lockd module; however if there are module dependencies currently in use, a system restart may be required.

After these configuration changes, you can view the port assignments with the rpcinfo -p <hostname> command:

   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100021    1   udp  10001  nlockmgr
    100021    3   udp  10001  nlockmgr
    100021    4   udp  10001  nlockmgr
    100021    1   tcp  10000  nlockmgr
    100021    3   tcp  10000  nlockmgr
    100021    4   tcp  10000  nlockmgr
    100024    1   udp  10002  status
    100024    1   tcp  10002  status
    100011    1   udp  10005  rquotad
    100011    2   udp  10005  rquotad
    100011    1   tcp  10005  rquotad
    100011    2   tcp  10005  rquotad
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    4   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100005    1   udp  10004  mountd
    100005    1   tcp  10004  mountd
    100005    2   udp  10004  mountd
    100005    2   tcp  10004  mountd
    100005    3   udp  10004  mountd
    100005    3   tcp  10004  mountd

At this point, the ports will remain the same when NFS is restarted. The following is a list of ports which need to be opened on the firewall:

    * 111: portmap (tcp/udp)
    * 2049: nfs (tcp/udp)
    * 10000: example lockd (tcp)
    * 10001: example lockd (udp)
    * 10002: example statd/status (tcp/udp)
    * 10003: example statd/status outgoing (tcp/udp)
    * 10004: example mountd (tcp/udp)
    * 10005: example rquotad (tcp/udp)

You can now open these ports on the firewall to allow remote clients to mount a share on the server. If you are using iptables, the following commands can be used to add inbound/outbound rules to allow access to these ports. Note that this is only an example, as your specific firewall rules may differ:

iptables -A INPUT -p tcp -m tcp --dport 111 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 111 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 2049 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 2049 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 10001 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 10002:10005 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 10002:10005 -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable
iptables -A OUTPUT -p tcp -m tcp --dport 111 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 111 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 2049 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 2049 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 10000 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 10001 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 10002:10005 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 10002:10005 -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable

LVL 19

Accepted Solution

jools earned 1000 total points
ID: 22661884
Nice one Dan.

No need to wait to close the call, go right ahead.

Jools :-)
LVL 19

Expert Comment

ID: 22663713
Hi Dan,

Thanks for the points but I thought the question was going to be closed.

If you didnt mean to accept as answer please feel free to contact the moderators (or whoever it is) and get the question closed and points refunded.

All the best.


Featured Post

Automating Your MSP Business

The road to profitability.
Delivering superior services is key to ensuring customer satisfaction and the consequent long-term relationships that enable MSPs to lock in predictable, recurring revenue. What's the best way to deliver superior service? One word: automation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Have you ever stumbled upon a software that is so great that you just love? It happened to me. Love at first sight. Filezilla Server.   Ok its not the most advanced ftp server I've came across. But its a fairly simple piece of software to get the …
In my business, I use the LTS (Long Term Support) versions of Linux. My workstations do real work, and so I rarely have the patience to deal with silly problems caused by an upgraded kernel that had experimental software on it to begin with from a r…
In this video, Percona Director of Solution Engineering Jon Tobin discusses the function and features of Percona Server for MongoDB. How Percona can help Percona can help you determine if Percona Server for MongoDB is the right solution for …
In this video, Percona Solutions Engineer Barrett Chambers discusses some of the basic syntax differences between MySQL and MongoDB. To learn more check out our webinar on MongoDB administration for MySQL DBA: https://www.percona.com/resources/we…
Suggested Courses

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question