Linux Iptables Allow NFS Clients to Access the NFS Server

by on March 5, 2009 · 20 comments · LAST UPDATED September 7, 2011


The portmapper assigns each NFS service to a port dynamically at service startup time. How do I allow legitimate NFS clients to access the NFS server using RHEL / Fedora / CentOS Linux 5.x iptables firewall?

You need to open the following ports:
a] TCP/UDP 111 - RPC 4.0 portmapper

b] TCP/UDP 2049 - NFSD (nfs server)

c] Portmap static ports - Various TCP/UDP ports defined in /etc/sysconfig/nfs file.

Configure NFS Services to Use Fixed Ports

NFS and portmap are fairly complex protocols. Firewalling should be done at each host and at the border firewalls to protect the NFS daemons from remote access, since NFS servers should never be reachable from outside the organization. By default, however, the portmapper assigns each NFS service to a port dynamically at service startup time.

Dynamic ports cannot be protected by port filtering firewalls such as iptables. First, you need to configure NFS services to use fixed ports. Open /etc/sysconfig/nfs, enter:
# vi /etc/sysconfig/nfs
Modify the config directives as follows, choosing unused TCP/UDP ports:

# TCP port rpc.lockd should listen on.
LOCKD_TCPPORT=lockd-port-number
# UDP port rpc.lockd should listen on.
LOCKD_UDPPORT=lockd-port-number
# Port rpc.mountd should listen on.
MOUNTD_PORT=mountd-port-number
# Port rquotad should listen on.
RQUOTAD_PORT=rquotad-port-number
# Port rpc.statd should listen on.
STATD_PORT=statd-port-number
# Outgoing port statd should use. The default port is random.
STATD_OUTGOING_PORT=statd-outgoing-port-number

Here is a sample listing from one of my production NFS servers:

LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
MOUNTD_PORT=892
RQUOTAD_PORT=875
STATD_PORT=662
STATD_OUTGOING_PORT=2020

Save and close the file. Restart the NFS and portmap services:
# service portmap restart
# service nfs restart
# service rpcsvcgssd restart

Update the /etc/sysconfig/iptables file

Open /etc/sysconfig/iptables, enter:
# vi /etc/sysconfig/iptables
Add the following lines, ensuring that they appear before the final LOG and DROP lines for the RH-Firewall-1-INPUT chain:

-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 32803 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 32769 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 892 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 892 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 875 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 875 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 662 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 662 -j ACCEPT

Save and close the file. Replace 192.168.1.0/24 with your actual LAN subnet/mask combination. The port numbers must match the static values defined in the /etc/sysconfig/nfs config file. Restart the iptables service:
# service iptables restart
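As an added example (my own, not code from the page or from nixCraft), the following POSIX shell script derives the ACCEPT rules above from the uncommented port directives in /etc/sysconfig/nfs and audits an existing rule file for pinned ports that have no rule; it emits UDP 2049 alongside TCP 2049, which the port list earlier on the page calls for. The chain name, subnet and sample port values come from the page; the function names and the constructed temp-file inputs are assumptions.

```shell
# Added example (not from the original page): derive the iptables ACCEPT rules
# for an NFS server from its /etc/sysconfig/nfs static-port settings, and audit
# an existing iptables rule file for pinned ports that have no matching rule.

# nfs_ports FILE: print "proto port" for each *uncommented* static-port
# directive; commented lines are skipped, so a port left commented out stays
# dynamic and would never reach the firewall rules.
nfs_ports() {
    sed -n 's/^[[:space:]]*\([A-Z_][A-Z_]*\)=\([0-9][0-9]*\).*$/\1 \2/p' "$1" |
    while read -r key port; do
        case "$key" in
            LOCKD_TCPPORT)                       echo "tcp $port" ;;
            LOCKD_UDPPORT)                       echo "udp $port" ;;
            MOUNTD_PORT|RQUOTAD_PORT|STATD_PORT) echo "tcp $port"; echo "udp $port" ;;
        esac
    done
}

# nfs_rules FILE SUBNET CHAIN: one ACCEPT rule per protocol/port, always
# including portmapper (111) and nfsd (2049) on both TCP and UDP.
nfs_rules() {
    { printf 'tcp 111\nudp 111\ntcp 2049\nudp 2049\n'; nfs_ports "$1"; } | sort -u |
    while read -r proto port; do
        printf -- '-A %s -s %s -m state --state NEW -p %s --dport %s -j ACCEPT\n' \
            "$3" "$2" "$proto" "$port"
    done
}

# nfs_unfirewalled NFSFILE IPTABLESFILE: print "proto port" pairs the NFS
# config pins but the iptables file never ACCEPTs (no output = all covered).
nfs_unfirewalled() {
    { printf 'tcp 111\nudp 111\ntcp 2049\nudp 2049\n'; nfs_ports "$1"; } | sort -u |
    while read -r proto port; do
        grep -Eq -- "-p $proto .*--dport $port .*-j ACCEPT" "$2" || echo "$proto $port"
    done
}

# Constructed sample inputs: the page's production port values, plus a rule
# file that (like the page's original list) lacks the UDP 2049 rule.
SAMPLE_NFS=$(mktemp); SAMPLE_IPT=$(mktemp)
cat > "$SAMPLE_NFS" <<'EOF'
LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
MOUNTD_PORT=892
RQUOTAD_PORT=875
STATD_PORT=662
#STATD_OUTGOING_PORT=2020
EOF
nfs_rules "$SAMPLE_NFS" 192.168.1.0/24 RH-Firewall-1-INPUT | grep -v 'udp --dport 2049' > "$SAMPLE_IPT"
nfs_unfirewalled "$SAMPLE_NFS" "$SAMPLE_IPT"    # prints: udp 2049
```

Run it against the real files with `nfs_unfirewalled /etc/sysconfig/nfs /etc/sysconfig/iptables` after editing both; any line it prints is a pinned port the firewall still blocks.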


{ 20 comments… read them below or add one }

1 Christer Edwards March 5, 2009 at 4:22 am

I know the title specifies using IPtables to allow NFS connections, but I prefer a simpler method. I prefer to use the hosts.allow and hosts.deny files, as the configuration is *much* simpler.

Within the hosts.allow simply set:
portmap:192.168.1.0.

That’s all you need. Because portmap is the lead process, spawning and defining ports for the other services, if you simply limit access to portmap you’ve effectively set the same access restrictions.


2 nixCraft March 5, 2009 at 7:50 am

Christer.

hosts.allow simply protects only the portmap service itself. It is still possible for attackers to guess the port numbers of NFS services and attack those services directly, even if they are denied access to the portmapper. Combining both iptables and hosts.allow should provide better security.

Appreciate your post!


3 Adam Goryachev March 13, 2009 at 4:06 pm

How do you restart nlockmgr before reloading the iptables firewall? Preferably without breaking the NFS clients that are active….

Regards,
Adam


4 cmg November 23, 2009 at 4:30 pm

Thanks very much for this, very useful!


5 cmg November 23, 2009 at 4:46 pm

btw (sorry to post twice in quick succession), I noticed that LOCKD_TCPPORT (32803) isn’t included in your IPTABLES rules.. is it necessary to uncomment this line in /etc/sysconfig/iptables?


6 nixCraft November 23, 2009 at 7:58 pm

@ cmg,

Sorry, it was a typo on my part, I’ve updated the faq.

HTH


7 Eric Pretorious December 11, 2009 at 8:28 am

BTW, Vivek:

Admin’s will also have to restart the nfslock service in order for rpc.statd and lockd to re-read their configurations.

# service portmap restart
# service nfs restart
# service nfslock restart

[root@vm2 ~]# for x in MOUNTD_ STATD_ LOCKD_ RQUOTAD_ ; do echo "Scripts that containt \"$x...\"" ; grep $x /etc/init.d/* | cut -d':' -f 1 | uniq ; echo ; done
Scripts that containt "MOUNTD_..."
/etc/init.d/nfs

Scripts that containt "STATD_..."
/etc/init.d/nfslock

Scripts that containt "LOCKD_..."
/etc/init.d/nfs
/etc/init.d/nfslock

Scripts that containt "RQUOTAD_..."
/etc/init.d/nfs


8 Eric Pretorious December 11, 2009 at 8:32 am

TCP Wrapper (a.k.a. libwrap, hosts_access(), and/or hosts.allow & hosts.deny) can be used to restrict access to portmap and to nfs: From the Red Hat Enterprise Linux 5 mountd man page…

rpc.mountd(8) rpc.mountd(8)

NAME
rpc.mountd – NFS mount daemon

TCP_WRAPPERS SUPPORT
This rpc.mountd version is protected by the tcp_wrapper library. You have to give the clients access to rpc.mountd if they should be allowed to use it. To allow connects from clients of the .bar.com domain you could use the following line in /etc/hosts.allow:

mountd: .bar.com

You have to use the daemon name mountd for the daemon name (even if the binary has a different name).

…and according to The Linux NFS-HOWTO all five services can be protected using TCP Wrapper…

The first step in doing this is to add the following entry to /etc/hosts.deny:

portmap:ALL

Starting with nfs-utils 0.2.0, you can be a bit more careful by controlling access to individual daemons. It’s a good precaution since an intruder will often be able to weasel around the portmapper. If you have a newer version of nfs-utils, add entries for each of the NFS daemons (see the next section to find out what these daemons are; for now just put entries for them in hosts.deny):

lockd:ALL
mountd:ALL
rquotad:ALL
statd:ALL


9 Roc White June 26, 2010 at 8:27 pm

It seemed the udp port 2049 should also be enabled for NFSD, right?

“-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 2049 -j ACCEPT”


10 Han Coumans September 5, 2010 at 9:07 am

Roc,

In the case of having full control over your clients, who *should* connect over TCP your added firewall rule is not needed.
But, if you perform a remote install – of CentOS / RedHat 5.5 in my case – over NFS, it is absolutely needed.
Message on the client after a noticeable delay “That directory could not be mounted from the server.”

I personally believe it’s a bug caused by migration of scripts/config files from RH3 via RH4 to RH5 or maybe earlier already.

For me your post came too late, but nevertheless thanks and a confirm of its need in certain circumstances.

Gtz,
Han Coumans


11 Chris Nord August 7, 2012 at 9:09 am

Confirmed!

I wanted to boot knoppix via PXE. Knoppix is mounted via nfs and needed udp (this line in /etc/sysconfig/iptables) to work

Thanks!


12 Gareth Williams November 12, 2010 at 3:52 pm

Vivek,

I just used this fix on Centos 5.5 and it works fine. (I tried Christer Edwards simple solution first and that didn’t). So many thanks.

But – isn’t it horrible to have to do all this just to get NFS working? There is a graphical tool for NFS in Server Settings. I see now this allows fixed NFS ports to be set, if you knew this to be necessary. But I don’t think it fixes iptables. I did use system-config-securitylevel to add the ports – which worked. At the least, there should be a step by step guide on the Centos Wiki. If you don’t mind, I might have a go at that. Thanks again.


13 Jim Gish February 11, 2011 at 10:54 pm

Do you also need:

-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 2049 -j ACCEPT


14 Neeraj March 4, 2011 at 8:15 pm

Excellent article


15 Arfat September 7, 2011 at 2:43 pm

Great Article Step by Step.


16 Bendanan September 19, 2011 at 1:38 am

Indeed very useful.
The only thing is really to *write* the /etc/sysconfig/nfs file with the /xxPORT=/ lines uncommented, even if the commented values match the wanted ones …


17 Bertrand November 25, 2011 at 12:00 pm

On CentOS (and probably RedHat and Fedora), a “newbie” method is to use the graphical tool: “system-config-firewall”


18 Bertrand November 25, 2011 at 12:01 pm

OK my bad, should have tested before saying, it doesn’t work so well… :-D


19 Bertrand November 25, 2011 at 12:04 pm

It works ! (if you don’t forget to start services at boot… do not do system being tired…)


20 Adam September 12, 2012 at 4:45 pm

Hi,

I’m using CentOS 6.2 now, and everything worked, I did add the extra udp 2049 rule which was missed by the author.

But…

the term “RH-Firewall-1-INPUT” did not work, I got this error (line 13 was the first line from this FAQ)

iptables: Applying firewall rules: iptables-restore: line 13 failed

I changed it to “INPUT” and that fixed it.

now my /etc/sysconfig/iptables looks like this:
http://pastebin.com/FLRT8jQK

I guess this changed between centOS 5 and CentOS 6?

