Howto configure iptables to work with NFS

Posted on 2008-09-30
Last Modified: 2013-12-06
I am using NFS to share directories with a few other servers on my LAN. I am unable to successfully share these directories unless I disable iptables. I have seen some documentation floating about regarding some steps that need to be taken in order to allow iptables to correctly allow portmapping and NFS to work as needed. However, the documentation is not consistent with my environment. I do not have a /etc/sysconfig/nfs in order to define my nfs ports. RHES4 uses NFSv3. I am unaware if this OS will support v4. I understand v4 does not require portmapper service. Sounds like an improvement.

In any case, I could sure use some help as I need to get this server locked down.
Question by:dan_venable

Expert Comment

ID: 22616527
If you have the standard iptables rules you can use system-config-securitylevel which may be the easiest option.


Author Comment

ID: 22617566
The system-config-securitylevel utility only allows for the trusted services of HTTP, FTP, SSH, Telnet, and SMTP. I have the option to open other ports but that is the heart of my issue. What ports need to be opened in order to make NFS work with the firewall?

Author Comment

ID: 22653591
I allowed for ports UDP and TCP 2049 to be open. This worked for one of my two NFS client machines but not the other. NFS host is RHES4. NFS client RHES4 is working. NFS client RHWS4 is not working and message log states:
Oct  6 11:37:49 localhost automount[6246]: >> mount: mount to NFS server '' failed: System Error: No route to host.
Oct  6 11:37:49 localhost automount[6246]: mount(nfs): nfs: mount failure on /zodiac/z_data
Oct  6 11:37:49 localhost automount[6246]: failed to mount /zodiac/z_data

If I stop iptables service on host, then both clients can again connect. Any thoughts would be appreciated.

Expert Comment

ID: 22654288
Strange, mine has an option for NFS..

Anyway... The 2049 seems to be the right port, at least on my system.

I'm guessing this:
> Oct  6 11:37:49 localhost automount[6246]: >> mount: mount to NFS server '' failed: System Error: No route to host.

The "no route to host" error is more of a network routing issue; check your routing and connectivity, then give it another go.

Author Comment

ID: 22654328
I cannot think it is a network issue on the client as much as it is a firewall issue on the NFS host. As soon as I disable the iptables service on the NFS host, the problem client is then able to connect to the share without issue.


Expert Comment

ID: 22654344

Can you post the firewall rules and network config for the system having issues, we'll have a butchers.

Author Comment

ID: 22661756
Hi Jools,

Thanks for getting back to me but I am happy to say I have resolved the problem. I found the needed info in the below link. It describes, in great clarity, what must be done to get your NFS server and iptables to play nice.

Just in case this link goes away, the content of the link is pasted below:

How can I configure a system as an NFS server which sits behind a firewall with NFS clients outside of the firewall?
by Bradford Hinson

NFS relies on portmap to assign the ports on which it will listen. One side effect of this is that the ports are randomly assigned, so each time NFS is restarted the ports will change. This can make it difficult to run an NFS server behind a firewall which only allows access to specific ports on the system.

The first step is to assign a permanent port number to each of the NFS services (rquotad, mountd, statd, and lockd). While they can use any unused ports greater than 1024, it is recommended that you first consult the file /etc/services to find a valid unused port range. The following examples use the range 10000-10005.

The majority of the ports are configured through the file /etc/sysconfig/nfs. You will need to create this file if it does not exist. It should look similar to the following example:

# NFS port numbers

The lockd service is configured differently from the others because it is compiled as a kernel module. To set the port which lockd uses, add a line similar to the following to the end of /etc/modprobe.conf:

options lockd nlm_tcpport=10000 nlm_udpport=10001

In order for the changes to take effect, the module must be reloaded if it is already in use. You can use the commands rmmod and modprobe to reload the lockd module; however if there are module dependencies currently in use, a system restart may be required.

After these configuration changes, you can view the port assignments with the rpcinfo -p <hostname> command:

   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100021    1   udp  10001  nlockmgr
    100021    3   udp  10001  nlockmgr
    100021    4   udp  10001  nlockmgr
    100021    1   tcp  10000  nlockmgr
    100021    3   tcp  10000  nlockmgr
    100021    4   tcp  10000  nlockmgr
    100024    1   udp  10002  status
    100024    1   tcp  10002  status
    100011    1   udp  10005  rquotad
    100011    2   udp  10005  rquotad
    100011    1   tcp  10005  rquotad
    100011    2   tcp  10005  rquotad
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    4   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100005    1   udp  10004  mountd
    100005    1   tcp  10004  mountd
    100005    2   udp  10004  mountd
    100005    2   tcp  10004  mountd
    100005    3   udp  10004  mountd
    100005    3   tcp  10004  mountd

At this point, the ports will remain the same when NFS is restarted. The following is a list of ports which need to be opened on the firewall:

    * 111: portmap (tcp/udp)
    * 2049: nfs (tcp/udp)
    * 10000: example lockd (tcp)
    * 10001: example lockd (udp)
    * 10002: example statd/status (tcp/udp)
    * 10003: example statd/status outgoing (tcp/udp)
    * 10004: example mountd (tcp/udp)
    * 10005: example rquotad (tcp/udp)

You can now open these ports on the firewall to allow remote clients to mount a share on the server. If you are using iptables, the following commands can be used to add inbound/outbound rules to allow access to these ports. Note that this is only an example, as your specific firewall rules may differ:

iptables -A INPUT -p tcp -m tcp --dport 111 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 111 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 2049 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 2049 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 10001 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 10002:10005 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 10002:10005 -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable
iptables -A OUTPUT -p tcp -m tcp --dport 111 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 111 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 2049 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 2049 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 10000 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 10001 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 10002:10005 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 10002:10005 -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
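The fixed-port scheme from the pasted article, as an added shell example (not code from the thread or from the Red Hat article): it parses `rpcinfo -p` output, checks that every registered port falls in the pinned set (111, 2049, 10000-10005), and generates INPUT rules that admit only the NFS client subnet instead of the article's any-source rules. `LAN_NET` is an assumed value, and the embedded `rpcinfo` listing is a constructed abridgement of the one shown above.

```shell
#!/bin/sh
# Added example; LAN_NET is an assumption, adjust it to the subnet your
# NFS clients actually sit on. Restricting the source is what turns the
# article's "open these ports" into a LAN-only exposure.
LAN_NET="192.168.1.0/24"

# Constructed sample: abridged rpcinfo -p listing after pinning the ports.
RPCINFO_SAMPLE='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100021    1   udp  10001  nlockmgr
    100021    1   tcp  10000  nlockmgr
    100024    1   udp  10002  status
    100024    1   tcp  10002  status
    100011    1   udp  10005  rquotad
    100011    1   tcp  10005  rquotad
    100003    3   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100005    3   udp  10004  mountd
    100005    3   tcp  10004  mountd'

# Read rpcinfo -p text on stdin; print unique "proto port service" triples
# (the header row is skipped, and repeated versions collapse to one line).
rpc_ports() {
    awk 'NR > 1 && NF == 5 { print $3, $4, $5 }' | sort -u
}

# Emit one iptables INPUT rule per registered port, limited to LAN_NET.
# Output is printed, not applied, so it can be reviewed before use.
nfs_rules() {
    rpc_ports | while read -r proto port svc; do
        printf 'iptables -A INPUT -s %s -p %s -m %s --dport %s -j ACCEPT  # %s\n' \
            "$LAN_NET" "$proto" "$proto" "$port" "$svc"
    done
}

# Fail (exit 1) if any registered port is outside the pinned set: that
# means the sysconfig/modprobe.conf settings did not take and the firewall
# rules written for the fixed ports will silently block that service.
check_fixed_ports() {
    rpc_ports | awk '
        $2 == 111 || $2 == 2049 || ($2 >= 10000 && $2 <= 10005) { next }
        { bad = 1; print "unexpected port " $2 " for " $3 > "/dev/stderr" }
        END { exit bad }'
}
```

Typical use on the server is `rpcinfo -p | check_fixed_ports && rpcinfo -p | nfs_rules`, keeping the article's RELATED,ESTABLISHED and final REJECT rules after the generated ones.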


Accepted Solution

jools earned 250 total points
ID: 22661884
Nice one Dan.

No need to wait to close the call, go right ahead.

Jools :-)

Expert Comment

ID: 22663713
Hi Dan,

Thanks for the points but I thought the question was going to be closed.

If you didn't mean to accept as answer please feel free to contact the moderators (or whoever it is) and get the question closed and points refunded.

All the best.
