• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2523
  • Last Modified:

Howto configure iptables to work with NFS

I am using NFS to share directories with a few other servers on my LAN. I am unable to successfully share these directories unless I disable iptables. I have seen some documentation floating about regarding some steps that need to be taken in order to allow iptables to correctly allow portmapping and NFS to work as needed. However,  the documentation is not consistent with my environment. I do not have a /etc/sysconfig/nfs in order to define my nfs ports. RHES4 uses NFSv3. I am unaware if this OS will support v4. I understand v4 does not require portmapper service. Sounds like an improvement.

In any case, I could sure use some help as need to get this server locked down.
  • 5
  • 4
1 Solution
If you have the standard iptables rules you can use system-config-securitylevel which may be the easiest option.

dan_venableAuthor Commented:
The system-config-securitylevel  utility only allows for the trusted services of HTTP, FTP, SSH, Telnet, and SMTP. I have the option to open other ports but that is the heart of my issue. What ports need to be opened in order to make NFS work with the firewall?
dan_venableAuthor Commented:
I allowed for ports UDP and TCP 2049 to be open. This worked for one of my two NFS client machines but not the other. NSF host is RHES4. NFS client RHES4 is working. NFS client RHWS4 is not working and message log states:
Oct  6 11:37:49 localhost automount[6246]: >> mount: mount to NFS server '' failed: System Error: No route to host.
Oct  6 11:37:49 localhost automount[6246]: mount(nfs): nfs: mount failure on /zodiac/z_data
Oct  6 11:37:49 localhost automount[6246]: failed to mount /zodiac/z_data

If I stop iptables service on host, then both clients can again connect. Any thoughts would be appreciated.
Protect Your Employees from Wi-Fi Threats

As Wi-Fi growth and popularity continues to climb, not everyone understands the risks that come with connecting to public Wi-Fi or even offering Wi-Fi to employees, visitors and guests. Download the resource kit to make sure your safe wherever business takes you!

Strange, mine has an option for NFS..

Anyway... The 2049 seems to be the right port, at least on my system.

I'm guessing this;
> Oct  6 11:37:49 localhost automount[6246]: >> mount: mount to NFS server '' failed: System Error: No route to host.

With the no route to host is more of a network routing issue, check your routing and connectivity then give it another go.
dan_venableAuthor Commented:
I cannot think it is a network issue on the client as much as it is a firewall issue on the NFS host. As soon as I disable the IPtables service on the NSF host, the problem client is then able to connect to the share without issue.


Can you post the firewall rules and network config for the system having issues, we'll have a butchers.
dan_venableAuthor Commented:
Hi Jools,

Thanks for getting back to me but I am happy to say I have resolved the problem. I found the needed info in the below link. It describes, in great clarity, what must be done to get you nsf server and iptables to play nice.


Just in case this link goes away, the content of the link is pated below,

How can I configure a system as an NFS server which sits behind a firewall with NFS clients outside of the firewall?
by Bradford Hinson

NFS relies on portmap to assign the ports on which it will listen. One side effect of this is that the ports are randomly assigned, so each time NFS is restarted the ports will change. This can make it difficult to run an NFS server behind a firewall which only allows access to specific ports on the system.

The first step is to assign a permanent port number to each of the NFS services (rquotad, mountd, statd, and lockd). While they can use any unused ports greater than 1024, it is recommended that you first consult the file /etc/services to find a valid unused port range. The following examples use the range 10000-10005.

The majority of the ports are configured through the file /etc/sysconfig/nfs. You will need to create this file if it does not exist. It should look similar to the following example:

# NFS port numbers

The lockd service is configured differently from the others because it is compiled as a kernel module. To set the port which lockd uses, add a line similar to the following to the end of /etc/modprobe.conf:

options lockd nlm_tcpport=10000 nlm_udpport=10001

In order for the changes to take effect, the module must be reloaded if it is already in use. You can use the commands rmmod and modprobe to reload the lockd module; however if there are module dependencies currently in use, a system restart may be required.

After these configuration changes, you can view the port assignments with the rpcinfo -p <hostname> command:

   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100021    1   udp  10001  nlockmgr
    100021    3   udp  10001  nlockmgr
    100021    4   udp  10001  nlockmgr
    100021    1   tcp  10000  nlockmgr
    100021    3   tcp  10000  nlockmgr
    100021    4   tcp  10000  nlockmgr
    100024    1   udp  10002  status
    100024    1   tcp  10002  status
    100011    1   udp  10005  rquotad
    100011    2   udp  10005  rquotad
    100011    1   tcp  10005  rquotad
    100011    2   tcp  10005  rquotad
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    4   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100005    1   udp  10004  mountd
    100005    1   tcp  10004  mountd
    100005    2   udp  10004  mountd
    100005    2   tcp  10004  mountd
    100005    3   udp  10004  mountd
    100005    3   tcp  10004  mountd

At this point, the ports will remain the same when NFS is restarted. The following is a list of ports which need to be opened on the firewall:

    * 111: portmap (tcp/udp)
    * 2049: nfs (tcp/udp)
    * 10000: example lockd (tcp)
    * 10001: example lockd (udp)
    * 10002: example statd/status (tcp/udp)
    * 10003: example statd/status outgoing (tcp/udp)
    * 10004: example mountd (tcp/udp)
    * 10005: example rquotad (tcp/udp)

You can now open these ports on the firewall to allow remote clients to mount a share on the server. If you are using iptables, the following commands can be used to add inbound/outbound rules to allow access to these ports. Note that this is only an example, as your specific firewall rules may differ:

iptables -A INPUT -p tcp -m tcp --dport 111 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 111 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 2049 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 2049 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 10001 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 10002:10005 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 10002:10005 -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable
iptables -A OUTPUT -p tcp -m tcp --dport 111 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 111 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 2049 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 2049 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 10000 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 10001 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 10002:10005 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 10002:10005 -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable

Nice one Dan.

No need to wait to close the call, go right ahead.

Jools :-)
Hi Dan,

Thanks for the points but I thought the question was going to be closed.

If you didnt mean to accept as answer please feel free to contact the moderators (or whoever it is) and get the question closed and points refunded.

All the best.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Cloud Class® Course: CompTIA Cloud+

The CompTIA Cloud+ Basic training course will teach you about cloud concepts and models, data storage, networking, and network infrastructure.

  • 5
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now