
I'm trying to set up NFS sharing + iptables so that I can actually access it. I'm failing to find any up-to-date/working documentation/articles. Can you explain, or share a link to proper documentation? I have no nfs/iptables knowledge, and every time I decide to get rid of the iptables -F "solutions", I hit the documentation wall.

  1. I have no idea what version of nfs I have. Attempts to use "nfsstat -s" or "nfsstat -c" do not print anything relevant.

  2. But I assume that it will be version 4. I tried to follow (the best article/documentation I have found so far):

https://prefetch.net/blog/2010/11/02/firewalling-a-linux-nfs-server-with-iptables/

and the static port settings in /etc/sysconfig/nfs are ignored, and several services/systemd units are missing.

Can you recommend some reading to set up nfs and iptables which is readable, understandable and up-to-date? If iptables is obsolete and should be disabled in favor of another, more up-to-date solution, please share how.

EDIT: in firewall-config the zone is public and nfs is among the trusted services, which "are accessible from all hosts and networks" (they are not).

rpcinfo -p
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  58868  status
    100024    1   tcp  51719  status
    100005    1   udp  20048  mountd
    100005    1   tcp  20048  mountd
    100005    2   udp  20048  mountd
    100005    2   tcp  20048  mountd
    100005    3   udp  20048  mountd
    100005    3   tcp  20048  mountd
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100227    3   tcp   2049  nfs_acl
    100021    1   udp  54703  nlockmgr
    100021    3   udp  54703  nlockmgr
    100021    4   udp  54703  nlockmgr
    100021    1   tcp  35247  nlockmgr
    100021    3   tcp  35247  nlockmgr
    100021    4   tcp  35247  nlockmgr

I found somewhere:

firewall-cmd --permanent --add-port=2049/udp ; firewall-cmd --permanent --add-port=2049/tcp; firewall-cmd --permanent --add-port=111/udp; firewall-cmd --permanent --add-port=111/tcp

which could correlate with the ports above, but no luck, it does not work. The TV cannot connect until I do iptables -F.

1 Answer


iptables -F flushes all rules, which is similar to disabling the firewall.

I have never used commands to manage my iptables rules; I've always manually edited the config file '/etc/sysconfig/iptables'. I have also always removed firewalld and gone straight with iptables directly, since firewalld is a front-end to manage iptables.

If you want some documentation specifically for firewalld, check out "https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-using-firewalld-on-centos-7" which should work the same for Fedora.

If it were me, I would do the following:

  1. Disable firewalld by running sudo systemctl disable firewalld*
  2. Install iptables service by running sudo dnf install iptables-services
  3. Enable iptables to start at boot sudo systemctl enable iptables
  4. Edit your iptables config file to look something like

/etc/sysconfig/iptables

# iptables-restore format: lines starting with '#' are ignored
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Replies to connections this host already has, ICMP and loopback
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
# SSH
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
# NFS (2049) and the portmapper / rpcbind (111), both protocols
-A INPUT -p tcp -m tcp --dport 2049 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 111 -j ACCEPT
-A INPUT -p udp -m udp --dport 2049 -j ACCEPT
-A INPUT -p udp -m udp --dport 111 -j ACCEPT
# Everything not matched above is rejected; the chain policy is ACCEPT,
# so these two lines are what actually closes the host
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

You could easily make a blanket rule to accept all traffic from your local network or from your TV with one of the following (placed before the final REJECT line):

  • All network traffic: -A INPUT -s 192.168.1.0/24 -j ACCEPT where 192.168.1.0 is your network and /24 is your subnet mask.
  • Just your TV: -A INPUT -s 192.168.1.22/32 -j ACCEPT where 192.168.1.22 is the IP address of your TV.

After that, just save the file and start the iptables service: sudo systemctl start iptables
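Added example, not code from the question or the answer above: a POSIX shell script that derives the firewall rules from the rpcinfo -p listing posted in the question instead of guessing them. The listing is embedded as a constructed, trimmed copy. It shows why opening 2049 and 111 alone (the firewall-cmd line in the question, the config above) is enough only for an NFSv4 client: an NFSv3 client also needs mountd (20048 here) and the status and nlockmgr ports, which rpc.statd and lockd chose at random and which move on every restart unless pinned. Assumptions, not stated on the page: the pinning keys in /etc/nfs.conf (nfs.conf(5): [mountd] port, [statd] port, [lockd] port and udp-port) and the 192.168.1.0/24 network used to restrict the rules to the LAN.

```shell
#!/bin/sh
# Derive NFS firewall rules from an `rpcinfo -p` listing.
# Added example; not the original poster's or answerer's code.

# Constructed sample: the rpcinfo -p output from the question, trimmed to a
# few rows per program (duplicate versions of one port/proto are folded).
RPCINFO_SAMPLE='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100024    1   udp  58868  status
    100024    1   tcp  51719  status
    100005    3   udp  20048  mountd
    100005    3   tcp  20048  mountd
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100227    3   tcp   2049  nfs_acl
    100021    4   udp  54703  nlockmgr
    100021    4   tcp  35247  nlockmgr'

# One "port proto service" line per distinct port/proto pair an NFS client
# may need, in first-seen order (nfs_acl shares 2049/tcp with nfs, so it
# does not produce a second rule). Note there is no 2049/udp in this listing.
nfs_ports() {
    printf '%s\n' "$1" | awk '
        $5 ~ /^(portmapper|mountd|nfs|nfs_acl|status|nlockmgr)$/ {
            key = $4 " " $3
            if (!(key in seen)) { seen[key] = 1; print $4, $3, $5 }
        }'
}

# Ports picked at random by rpc.statd and lockd. Rules written for them are
# stale after the next reboot unless the ports are pinned. Assumed pinning
# location on current Fedora: /etc/nfs.conf ([statd] port=, [lockd] port=
# and udp-port=, [mountd] port=), then restart nfs-server and re-run rpcinfo.
dynamic_ports() {
    nfs_ports "$1" | awk '$3 == "status" || $3 == "nlockmgr"'
}

# iptables-restore lines for /etc/sysconfig/iptables. The optional second
# argument limits the rules to a source network (least privilege: the TV's
# LAN, not the world). Each rule carries the RPC service name as a comment
# so `iptables -nvL` counters are readable.
iptables_rules() {
    nfs_ports "$1" | awk -v src="${2:-}" '{
        s = (src == "") ? "" : "-s " src " "
        printf "-A INPUT %s-p %s -m %s --dport %s -m comment --comment \"%s\" -j ACCEPT\n", s, $2, $2, $1, $3
    }'
}

# The same openings expressed for firewalld (follow with firewall-cmd --reload).
firewalld_cmds() {
    nfs_ports "$1" | awk '{ printf "firewall-cmd --permanent --add-port=%s/%s\n", $1, $2 }'
}

# For an NFSv4-only export the whole rule set collapses to one fixed port.
nfsv4_only_rule() {
    echo '-A INPUT -p tcp -m tcp --dport 2049 -m comment --comment "nfs4" -j ACCEPT'
}

echo '# iptables rules derived from rpcinfo, LAN only (assumed 192.168.1.0/24):'
iptables_rules "$RPCINFO_SAMPLE" 192.168.1.0/24
echo '# ports that will move after a reboot unless pinned in /etc/nfs.conf:'
dynamic_ports "$RPCINFO_SAMPLE"
echo '# firewalld equivalent:'
firewalld_cmds "$RPCINFO_SAMPLE"
```

Paste the generated -A lines in place of the four 2049/111 lines in the config above (before the final REJECT), then watch which rules get hit with iptables -nvL while the TV mounts the share; a rule whose counter stays at zero is one the client does not need. If you stay on firewalld, check what its built-in nfs service really opens with firewall-cmd --info-service=nfs; it covers port 2049 only, which matches the "allowed but not working" symptom for an NFSv3 client.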

  • Also, you can watch which iptables rules are hit by running the command watch 'iptables -nvL'
    – Jeff
    Commented Apr 9, 2019 at 16:48
  • Actually I like (well, if the documentation is correct) that firewalld can update the configuration without dropping existing connections. But what the hell, I want ANY solution which works. Anyway, I understand that firewalld and iptables should end up calling the same service. Thus I don't get why it's allowed (is it?) in firewalld but not working until flushing. And anyway #2, /etc/sysconfig/iptables is missing on my Fedora 26 (waiting for the end of the month to upgrade). Commented Apr 9, 2019 at 19:10
  • If the file is missing, go ahead and create it as root. You can install vim, then sudo su - which will make you root, then vim /etc/sysconfig/iptables, then press 'a' to insert text and copy/paste my example above.
    – Jeff
    Commented Apr 9, 2019 at 19:20
  • Also, in regards to what you said about dropping connections. I run iptables manually (like my example above) on an Asterisk (voip) server. I never get any dropped calls or lost packets when I update or reload/restart the iptables service while there are active audio conversations taking place. The only time you get dropped connections is if your new config rule set blocks a connection.
    – Jeff
    Commented Apr 9, 2019 at 19:23
  • Thanks for the info, I'll try to dig deeper into the iptables manual. I found out that, regardless of firewalld being configured to pass 2049 and 111 through, and attempts to allow them again saying they're already allowed, it's not getting through and just stopping firewalld 'fixes' it. So I guess "well done firewalld, systemctl disable firewalld". Thanks for the help, I'll proceed with your hints, but just stopping firewalld helped me already. Commented Apr 9, 2019 at 19:45
