
Re: nfs and iptables

On Sun, 18 May 2008, Owen Townend wrote:

On 18/05/2008, Daniel Dalton <daniel.dalton@iinet.net.au> wrote:

 How can I allow nfs through my iptables firewall?
 What ports does it use?
 Are they static ports? And if not how can I make them static?

 Thanks for any help.


 Daniel Dalton



 `rpcinfo -p` will give you a list of ports in use for rpc.


 nfsd defaults to 2049 (overridable with `-p <port>`),

Allowed in iptables

 portmapper to 111 (static),

Also allowed.

 mountd and statd to portmap assigned ports (overridable with `-p <port>` and `-o <port>`).

I believe they are also allowed, but it doesn't work.
It now actually guesses the path to the server, e.g. with mount, and then tab completion works, whereas before that was not the case; after pressing enter it sits there trying to mount before timing out. Before, it just couldn't find the server, didn't tab complete, and mount exited straight away.
So there is certainly an improvement.
Do you know why it's not mounting?
I have pasted below:
and /etc/default/nfs-kernel-server
as well as my iptables rules:


# Number of servers to start up

# Runtime priority of server (see nice(1))

# Options for rpc.mountd.
# If you have a port-based firewall, you might want to set up
# a fixed port here using the --port option. For more information,
# see rpc.mountd(8) or http://wiki.debian.org/?SecuringNFS
RPCMOUNTDOPTS="-p 4002 -o 4003"

# Do you want to start the svcgssd daemon? It is only required for Kerberos
# exports. Valid alternatives are "yes" and "no"; the default is "no".

# Options for rpc.svcgssd.


# If you do not set values for the NEED_ options, they will be attempted
# autodetected; this should be sufficient for most people. Valid alternatives
# for the NEED_ options are "yes" and "no".

# Do you want to start the statd daemon? It is not needed for NFSv4.

# Options for rpc.statd.
#   Should rpc.statd listen on a specific port? This is especially useful
#   when you have a port-based firewall. To use a fixed port, set this
#   this variable to a statd argument like: "--port 4000 --outgoing-port 4001".
#   For more information, see rpc.statd(8) or http://wiki.debian.org/?SecuringNFS
STATDOPTS="-p 4000 -o 4001"

# Do you want to start the idmapd daemon? It is only needed for NFSv4.

# Do you want to start the gssd daemon? It is required for Kerberos mounts.

And finally the iptables rules:

   iptables -A INPUT -p tcp --dport 2049 -j ACCEPT
   iptables -A INPUT -p tcp --dport 4000 -j ACCEPT
   iptables -A INPUT -p tcp --dport 4001 -j ACCEPT
   iptables -A INPUT -p tcp --dport 4002 -j ACCEPT
   iptables -A INPUT -p tcp --dport 4003 -j ACCEPT
   iptables -A INPUT -p tcp --dport 111 -j ACCEPT

All these files and iptables rules are on the server.
So the client can see the nfs share (the dir I am sharing), but won't mount it; it times out.
My firewall is blocking it, since when I open it, it will connect.

So why isn't it working?
What port should I open?

Thanks for all your help.


Daniel Dalton
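An added example, not part of this thread and not Daniel's or Owen's configuration, that builds on Owen's pointer to `rpcinfo -p`: a POSIX shell script that reads that listing and prints one iptables rule for every distinct protocol/port pair the RPC services are actually registered on (UDP as well as TCP; portmapper, nfsd, mountd and statd all register both), and separately reports any service still sitting on a portmap-assigned port rather than one of the fixed ports you intended. The rpcinfo listing embedded in the script is constructed for the example, and the 192.168.1.0/24 source network is an assumed value; run the real `rpcinfo -p` on the server instead.

```shell
#!/bin/sh
# Added example for this thread: derive the firewall rule set from what
# `rpcinfo -p` reports instead of hand-typing ports, and flag RPC services
# that are not pinned to a fixed port. Not the poster's configuration.

# Constructed `rpcinfo -p` output for a server with nfsd on 2049, mountd on
# 4002 and statd on 4000 (the fixed ports from the thread), and the lock
# manager left on portmap-assigned ports (32768/32769 are made-up values).
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp   4000  status
    100024    1   tcp   4000  status
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100021    1   udp  32768  nlockmgr
    100021    3   udp  32768  nlockmgr
    100021    1   tcp  32769  nlockmgr
    100021    3   tcp  32769  nlockmgr
    100005    1   udp   4002  mountd
    100005    1   tcp   4002  mountd
    100005    3   udp   4002  mountd
    100005    3   tcp   4002  mountd'

# nfs_rules_from_rpcinfo SRC_NET
#   Reads rpcinfo -p output on stdin and prints one INPUT rule per distinct
#   protocol/port pair, limited to SRC_NET. It only prints the commands;
#   review them, then pipe into sh on the server to apply.
nfs_rules_from_rpcinfo() {
    awk -v src="$1" '
        $1 ~ /^[0-9]+$/ && NF == 5 {
            key = $3 " " $4
            if (key in seen) next
            seen[key] = 1
            printf "iptables -A INPUT -s %s -p %s --dport %s -m comment --comment %s -j ACCEPT\n", src, $3, $4, $5
        }'
}

# unpinned_rpc_services PORT...
#   Reads rpcinfo -p output on stdin and prints each service (once) that is
#   registered on a port outside the given list of fixed ports, i.e. a port
#   portmap handed out that may change on the next restart.
unpinned_rpc_services() {
    awk -v fixed="$*" '
        BEGIN { n = split(fixed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^[0-9]+$/ && NF == 5 && !($4 in ok) && !($5 in done) {
            done[$5] = 1
            print $5
        }'
}

# Demo run against the constructed listing (assumed source network).
printf '%s\n' "$SAMPLE_RPCINFO" | nfs_rules_from_rpcinfo 192.168.1.0/24
printf '%s\n' "$SAMPLE_RPCINFO" | unpinned_rpc_services 111 2049 4000 4001 4002 4003
```

On the constructed listing the generator emits ten rules (tcp and udp for 111, 2049, 4000 and 4002, plus the two nlockmgr ports), and the second function prints only nlockmgr, which is the service the -p/-o settings in the thread do not cover. The script takes the live rpcinfo listing as ground truth, so it is also a quick way to confirm that the ports you configured in /etc/default are the ones the daemons actually bound.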

