Ubuntu – NFS support in iptables (or other firewall)

debianfirewalliptablesnfsUbuntu

How do I enable NFS mounts/shares with iptables with DROP policy?

NFS uses dynamically assigned ports, thus it is difficult to use with firewalls.
I have an NFS server and a few clients.
I would like to accept traffic ONLY on ports that are required for NFS to work.
I have configured the NFS server to use static ports (4000-4004).

The problem, however, is that the clients still selects a random port — and because it is UDP I can only make it work if I accept all UDP traffic from the server.

I found some documentation that describes setting a /sys variable that would limit the client to use a static range of ports for NFS, however, I cannot seem to make it work.
The /sys variables mentioned are:

/sys/module/sunrpc/parameters/max_resvport 
/sys/module/sunrpc/parameters/min_resvport
/sys/module/lockd/parameters/nlm_tcpport
/sys/module/lockd/parameters/nlm_udpport
/sys/module/nfs/parameters/callback_tcpport

I have not been able to make this work. Maybe I am approaching this the wrong way? It seems unnecessarily complicated for what I thought would be a simple task.

I use NFS on Debian and Ubuntu.

Best Answer

The fact that the client port is ephemeral isn't a problem, though as you say the mutability of the server-side port is.

Assuming you have successfully instructed the server to use only ports 4000-4004 for nfsd, you have three issues: clients must be able to talk to the RPC portmapper, the mount daemon, and the NFS service, on the server.

For the NFS service

Assuming you're right about having modified the NFS service to listen on 4000-4004, clients should add

iptables -A INPUT  -d se.rv.er.ip -p udp --dport 4000:4004 -j ACCEPT
iptables -A OUTPUT -s se.rv.er.ip -p udp --sport 4000:4004 -j ACCEPT

while the server should add

iptables -A INPUT  -p udp --dport 4000:4004 -j ACCEPT
iptables -A OUTPUT -p udp --sport 4000:4004 -j ACCEPT

If you want to permit NFS over TCP, repeat those rules with -p tcp instead of -p udp.

For the portmapper

Clients should add

iptables -A INPUT  -d se.rv.er.ip -p udp --dport 111 -j ACCEPT
iptables -A OUTPUT -s se.rv.er.ip -p udp --sport 111 -j ACCEPT

while the server should add

iptables -A INPUT  -p udp --dport 111 -j ACCEPT
iptables -A OUTPUT -p udp --sport 111 -j ACCEPT

You may need to add pairs of rules for -p tcp as well, as the portmapper usually supports TCP as well. Check your rejection logs to see what's being DROPped and adjust accordingly.

For the mount daemon

You need to find out what port it's running on on the server, with server% rpcinfo -p | grep mount; on my server it's UDP/32775 and TCP/32769. To allow those, clients should add

iptables -A INPUT  -d se.rv.er.ip -p udp --dport 32775 -j ACCEPT
iptables -A OUTPUT -s se.rv.er.ip -p udp --sport 32775 -j ACCEPT

while the server should add

iptables -A INPUT  -p udp --dport 32775 -j ACCEPT
iptables -A OUTPUT -p udp --sport 32775 -j ACCEPT

and two similar pairs with -p tcp --[ds]port 32769.

It is your responsibility to get those lines in the right place in your INPUT and OUTPUT chains; near the beginning is probably a good idea.

Edit: in the light of your answer below, I have updated the rules above.

Related Solutions

Linux – Problem with NFS server lockd timing out on Debian linux

I found the answer to this here: http://sophiedogg.com/?p=141

/var/lib/nfs/statd/sm - directory containing statd monitor list
/var/lib/nfs/statd/sm.bak - directory containing statd notify list

Before removing these files, you should stop the rpcbind, statd, and lockd services. Below is a list of commands to run to fix this issue on a RPM based distro.

service rpcbind stop
service nfslock stop
rm -rf /var/lib/nfs/statd/sm/*
rm -rf /var/lib/nfs/statd/sm.bak/*
service rpcbind start
service nfslock start

After running these commands, it may be best to restart your NFS server.

In Debian and derivatives, the commands would be:

service nfs-kernel-server stop
service rpcbind stop
service nfs-common stop
service rpcbind start
service nfs-common start
service nfs-kernel-server start

I also did service nfs-common restart on the client just to be sure.

Nfs – High Availability NFS Server (Heartbeat/DRBD) long hang on clients when takeover occurs

If you're running Ubuntu with GUI user logins such as LTSP, it's very possible that the clients are the problem.

The Gnome-Settings-Daemon has a nasty habit of digging around inside the NFS mounts to check the state of any trash folders it finds. This problem exists in Ubuntu 9.10 and likely also in 10.04.

This is hard-coded in the Ubuntu distribution and was erroneously dropped in the 9.x releases. It is reported to be fixed in later Ubuntu releases and a common symptom is high load average while the NFS mounts are unreachable.

Best Answer

For the NFS service

For the portmapper

For the mount daemon

Related Solutions

Linux – Problem with NFS server lockd timing out on Debian linux

Nfs – High Availability NFS Server (Heartbeat/DRBD) long hang on clients when takeover occurs

Related Topic