Re: nfs and iptables
On Sun, 18 May 2008, Owen Townend wrote:
On 18/05/2008, Daniel Dalton <firstname.lastname@example.org> wrote:
How can I allow nfs through my iptables firewall?
What ports does it use?
Are they static ports? And if not how can I make them static?
Thanks for any help.
`rpcinfo -p` will give you a list of ports in use for rpc.
nfsd defaults to 2049 (overridable with `-p <port>`),
Allowed in iptables
portmapper to 111 (static),
mountd and statd to portmap assigned ports (overridable with `-p
<port>` and `-o <port>`).
I believe they are also allowed, but it doesn't work.
It now actually guesses the path to the server, e.g.: mount 192.168.2.10:/med
and then tab completion works, whereas before that was not the case and
after pressing enter it sits there trying to mount before timing out.
Before it just couldn't find the server and didn't tab complete and just
exited mount straight away.
So there is certainly an improvement.
Do you know why it's not mounting?
I have pasted below:
as well as my iptables rules:
# Number of servers to start up
# Runtime priority of server (see nice(1))
# Options for rpc.mountd.
# If you have a port-based firewall, you might want to set up
# a fixed port here using the --port option. For more information,
# see rpc.mountd(8) or http://wiki.debian.org/?SecuringNFS
RPCMOUNTDOPTS="-p 4002 -o 4003"
# Do you want to start the svcgssd daemon? It is only required for Kerberos
# exports. Valid alternatives are "yes" and "no"; the default is "no".
# Options for rpc.svcgssd.
# If you do not set values for the NEED_ options, they will be attempted
# autodetected; this should be sufficient for most people. Valid alternatives
# for the NEED_ options are "yes" and "no".
# Do you want to start the statd daemon? It is not needed for NFSv4.
# Options for rpc.statd.
# Should rpc.statd listen on a specific port? This is especially useful
# when you have a port-based firewall. To use a fixed port, set this
# this variable to a statd argument like: "--port 4000 --outgoing-port 4001".
# For more information, see rpc.statd(8) or http://wiki.debian.org/?SecuringNFS
STATDOPTS="-p 4000 -o 4001"
# Do you want to start the idmapd daemon? It is only needed for NFSv4.
# Do you want to start the gssd daemon? It is required for Kerberos mounts.
And finally the iptables rules:
iptables -A INPUT -p tcp --dport 2049 -j ACCEPT
iptables -A INPUT -p tcp --dport 4000 -j ACCEPT
iptables -A INPUT -p tcp --dport 4001 -j ACCEPT
iptables -A INPUT -p tcp --dport 4002 -j ACCEPT
iptables -A INPUT -p tcp --dport 4003 -j ACCEPT
iptables -A INPUT -p tcp --dport 111 -j ACCEPT
All these files and iptables rules are on the server.
So the client can see the nfs share (the dir I am sharing), but won't
mount it, it times out.
My firewall is blocking it, since when I open it, it will connect.
So why isn't it working?
What port should I open?
Thanks for all your help.
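An added example for the firewall side of this thread (not code from either poster): a small POSIX shell script that turns `rpcinfo -p` output into one iptables ACCEPT rule per RPC listener, for both protocols the listener registers, and that checks an existing rule set for listeners it does not cover. The `rpcinfo -p` text embedded below is constructed to match the pinned ports from the thread (mountd 4002/4003, statd 4000/4001, nfsd 2049, portmapper 111) rather than captured from a real host; on a live server you would feed the real `rpcinfo -p` output in instead, which will also list nlockmgr (lockd) if locking is in use. `NFS_SRC` is an assumed client subnet. The script only prints rules, it never invokes iptables itself.

```shell
#!/bin/sh
# Constructed sample of `rpcinfo -p` on an NFSv3 server with mountd and statd
# pinned to the thread's ports. Made up for this example, not a real capture.
RPCINFO_SAMPLE='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp   4000  status
    100024    1   tcp   4000  status
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100005    1   udp   4002  mountd
    100005    1   tcp   4002  mountd
    100005    3   udp   4002  mountd
    100005    3   tcp   4002  mountd'

# Assumed client subnet; restricting -s keeps the NFS ports off the open
# Internet even if the daemons themselves accept any source.
NFS_SRC="${NFS_SRC:-192.168.2.0/24}"

# One "proto port" pair per distinct listener (header line skipped,
# duplicate program versions on the same socket collapsed).
rpc_listeners() {
    printf '%s\n' "$RPCINFO_SAMPLE" | awk 'NR > 1 { print $3, $4 }' | sort -u
}

# Emit an INPUT ACCEPT rule for every listener, tcp and udp alike.
iptables_rules() {
    rpc_listeners | while read -r proto port; do
        printf 'iptables -A INPUT -s %s -p %s --dport %s -j ACCEPT\n' \
            "$NFS_SRC" "$proto" "$port"
    done
}

# Read existing rules of the form "... -p <proto> --dport <port> ..." on stdin
# and print each RPC listener ("proto port") that none of them covers.
uncovered_listeners() {
    existing=$(awk '{
        p = ""; d = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "-p") p = $(i + 1)
            if ($i == "--dport") d = $(i + 1)
        }
        if (p != "" && d != "") print p, d
    }')
    rpc_listeners | while read -r proto port; do
        printf '%s\n' "$existing" | grep -qx "$proto $port" \
            || printf '%s %s\n' "$proto" "$port"
    done
}
```

Usage: `iptables_rules` prints the full rule set to paste into a firewall script; `uncovered_listeners < current-rules.txt` lists the gaps. Run against the six tcp-only rules posted above, the check reports the udp sides of portmapper, nfs, status and mountd as uncovered, which is the kind of gap a TCP-only allow list leaves on an NFSv3 server where clients contact portmap and mountd over UDP by default.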