Howto configure iptables to work with NFS

Posted on 2008-09-30
Last Modified: 2013-12-06
I am using NFS to share directories with a few other servers on my LAN. I am unable to successfully share these directories unless I disable iptables. I have seen some documentation floating about regarding some steps that need to be taken in order to allow iptables to correctly allow portmapping and NFS to work as needed. However,  the documentation is not consistent with my environment. I do not have a /etc/sysconfig/nfs in order to define my nfs ports. RHES4 uses NFSv3. I am unaware if this OS will support v4. I understand v4 does not require portmapper service. Sounds like an improvement.

In any case, I could sure use some help as need to get this server locked down.
Question by:dan_venable
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
LVL 19

Expert Comment

ID: 22616527
If you have the standard iptables rules you can use system-config-securitylevel which may be the easiest option.


Author Comment

ID: 22617566
The system-config-securitylevel  utility only allows for the trusted services of HTTP, FTP, SSH, Telnet, and SMTP. I have the option to open other ports but that is the heart of my issue. What ports need to be opened in order to make NFS work with the firewall?

Author Comment

ID: 22653591
I allowed for ports UDP and TCP 2049 to be open. This worked for one of my two NFS client machines but not the other. NSF host is RHES4. NFS client RHES4 is working. NFS client RHWS4 is not working and message log states:
Oct  6 11:37:49 localhost automount[6246]: >> mount: mount to NFS server '' failed: System Error: No route to host.
Oct  6 11:37:49 localhost automount[6246]: mount(nfs): nfs: mount failure on /zodiac/z_data
Oct  6 11:37:49 localhost automount[6246]: failed to mount /zodiac/z_data

If I stop iptables service on host, then both clients can again connect. Any thoughts would be appreciated.
Is your NGFW recommended by NSS Labs?

Ours is! NSS Labs Next Generation Firewall Test gives the WatchGuard Firebox M4600 a "Recommended" rating! Curious where your NGFW landed on the  Security Value Map? See the map and download the full report today!

LVL 19

Expert Comment

ID: 22654288
Strange, mine has an option for NFS..

Anyway... The 2049 seems to be the right port, at least on my system.

I'm guessing this;
> Oct  6 11:37:49 localhost automount[6246]: >> mount: mount to NFS server '' failed: System Error: No route to host.

With the no route to host is more of a network routing issue, check your routing and connectivity then give it another go.

Author Comment

ID: 22654328
I cannot think it is a network issue on the client as much as it is a firewall issue on the NFS host. As soon as I disable the IPtables service on the NSF host, the problem client is then able to connect to the share without issue.

LVL 19

Expert Comment

ID: 22654344

Can you post the firewall rules and network config for the system having issues, we'll have a butchers.

Author Comment

ID: 22661756
Hi Jools,

Thanks for getting back to me but I am happy to say I have resolved the problem. I found the needed info in the below link. It describes, in great clarity, what must be done to get you nsf server and iptables to play nice.

Just in case this link goes away, the content of the link is pated below,

How can I configure a system as an NFS server which sits behind a firewall with NFS clients outside of the firewall?
by Bradford Hinson

NFS relies on portmap to assign the ports on which it will listen. One side effect of this is that the ports are randomly assigned, so each time NFS is restarted the ports will change. This can make it difficult to run an NFS server behind a firewall which only allows access to specific ports on the system.

The first step is to assign a permanent port number to each of the NFS services (rquotad, mountd, statd, and lockd). While they can use any unused ports greater than 1024, it is recommended that you first consult the file /etc/services to find a valid unused port range. The following examples use the range 10000-10005.

The majority of the ports are configured through the file /etc/sysconfig/nfs. You will need to create this file if it does not exist. It should look similar to the following example:

# NFS port numbers

The lockd service is configured differently from the others because it is compiled as a kernel module. To set the port which lockd uses, add a line similar to the following to the end of /etc/modprobe.conf:

options lockd nlm_tcpport=10000 nlm_udpport=10001

In order for the changes to take effect, the module must be reloaded if it is already in use. You can use the commands rmmod and modprobe to reload the lockd module; however if there are module dependencies currently in use, a system restart may be required.

After these configuration changes, you can view the port assignments with the rpcinfo -p <hostname> command:

   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100021    1   udp  10001  nlockmgr
    100021    3   udp  10001  nlockmgr
    100021    4   udp  10001  nlockmgr
    100021    1   tcp  10000  nlockmgr
    100021    3   tcp  10000  nlockmgr
    100021    4   tcp  10000  nlockmgr
    100024    1   udp  10002  status
    100024    1   tcp  10002  status
    100011    1   udp  10005  rquotad
    100011    2   udp  10005  rquotad
    100011    1   tcp  10005  rquotad
    100011    2   tcp  10005  rquotad
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    4   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100005    1   udp  10004  mountd
    100005    1   tcp  10004  mountd
    100005    2   udp  10004  mountd
    100005    2   tcp  10004  mountd
    100005    3   udp  10004  mountd
    100005    3   tcp  10004  mountd

At this point, the ports will remain the same when NFS is restarted. The following is a list of ports which need to be opened on the firewall:

    * 111: portmap (tcp/udp)
    * 2049: nfs (tcp/udp)
    * 10000: example lockd (tcp)
    * 10001: example lockd (udp)
    * 10002: example statd/status (tcp/udp)
    * 10003: example statd/status outgoing (tcp/udp)
    * 10004: example mountd (tcp/udp)
    * 10005: example rquotad (tcp/udp)

You can now open these ports on the firewall to allow remote clients to mount a share on the server. If you are using iptables, the following commands can be used to add inbound/outbound rules to allow access to these ports. Note that this is only an example, as your specific firewall rules may differ:

iptables -A INPUT -p tcp -m tcp --dport 111 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 111 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 2049 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 2049 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 10001 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 10002:10005 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 10002:10005 -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable
iptables -A OUTPUT -p tcp -m tcp --dport 111 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 111 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 2049 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 2049 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 10000 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 10001 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 10002:10005 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 10002:10005 -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable

LVL 19

Accepted Solution

jools earned 250 total points
ID: 22661884
Nice one Dan.

No need to wait to close the call, go right ahead.

Jools :-)
LVL 19

Expert Comment

ID: 22663713
Hi Dan,

Thanks for the points but I thought the question was going to be closed.

If you didnt mean to accept as answer please feel free to contact the moderators (or whoever it is) and get the question closed and points refunded.

All the best.


Featured Post

Major Incident Management Communications

Major incidents and IT service outages cost companies millions. Often the solution to minimizing damage is automated communication. Find out more in our Major Incident Management Communications infographic.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Introduction People like FTP.  It's a solid, stable, robust protocol for quickly transferring files between two hosts using TCP/IP.  In most cases it's much faster than SMB or CIFS, and certainly much easier to set up between organizations.  This…
Hello, As I have seen there a lot of requests regarding monitoring and reporting for exchange 2007 / 2010 / 2013 I have decided to post some thoughts together and link to articles that have helped me. Of course a lot of information you can get…
How to Install VMware Tools in Red Hat Enterprise Linux 6.4 (RHEL 6.4) Step-by-Step Tutorial
Michael from AdRem Software outlines event notifications and Automatic Corrective Actions in network monitoring. Automatic Corrective Actions are scripts, which can automatically run upon discovery of a certain undesirable condition in your network.…

690 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question