IPtables rules are breaking NFS connection

TechBoyJK · May 21, 2015

The goal with this rule set is to allow (192.168.200.211) to mount an NFS share hosted on (192.168.200.251)

Requirements are that all traffic be blocked by default, and only needed ports be opened. Both input/output need to be restricted to required ports.

For good measure, I included the two SSH rules that I am using, which work.

Code:

#deny all
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP

#SSH

#allow ssh/22 in from 192.168.200.248/32 (dev02) on ens224
-A INPUT  -i ens224 -p tcp -s 192.168.200.248/32 --dport 22 -j ACCEPT

#allow ssh/22 out to 192.168.200.248/32 (dev02) on ens224 
-A OUTPUT -o ens224 -p tcp -d 192.168.200.248/32 --sport 22 -m state --state ESTABLISHED  -j ACCEPT

#NFS

#allow nfs/111 TCP in from 192.168.200.251/32 (backup01) on ens224
-A INPUT  -i ens224 -p tcp -s 192.168.200.251/32 --dport 111 -m state --state NEW,RELATED,ESTABLISHED -m tcp  -j ACCEPT

#allow nfs/111 TCP out to 192.168.200.251/32 (backup01) on ens224
-A OUTPUT -o ens224 -p tcp -d 192.168.200.251/32 --sport 111 -m state --state ESTABLISHED -j ACCEPT

#allow nfs/111 UDP in from 192.168.200.251/32 (backup01) on ens224
-A INPUT  -i ens224 -p udp -s 192.168.200.251/32 --dport 111 -m state --state NEW,RELATED,ESTABLISHED -m udp  -j ACCEPT

#allow nfs/111 UDP out to 192.168.200.251/32 (backup01) on ens224
-A OUTPUT -o ens224 -p udp -d 192.168.200.251/32 --sport 111 -m state --state ESTABLISHED -j ACCEPT


#allow nfs/2049 TCP in from 192.168.200.251/32 (backup01) on ens224

-A INPUT  -i ens224 -p tcp -s 192.168.200.251/32 --dport 2049 -m state --state NEW,RELATED,ESTABLISHED -m tcp  -j ACCEPT

#allow nfs/2049 TCP out to 192.168.200.251/32 (backup01) on ens224
-A OUTPUT -o ens224 -p tcp -d 192.168.200.251/32 --sport 2049 -m state --state ESTABLISHED -j ACCEPT

#allow nfs/2049 UDP in from 192.168.200.251/32 (backup01) on ens224
-A INPUT  -i ens224 -p udp -s 192.168.200.251/32 --dport 2049 -m state --state NEW,RELATED,ESTABLISHED -m udp -j ACCEPT

#allow nfs/2049 UDP out to 192.168.200.251/32 (backup01) on ens224
-A OUTPUT -o ens224 -p udp -d 192.168.200.251/32 --sport 2049 -m state --state ESTABLISHED -j ACCEPT


#allow nfs/10000:10006 TCP in from 192.168.200.251/32 (backup01) on ens224
-A INPUT  -i ens224 -p tcp -s 192.168.200.251/32 --dport 10000:10006 -m state --state NEW,RELATED,ESTABLISHED -m tcp  -j ACCEPT

#allow nfs/10000:10006 TCP out to 192.168.200.251/32 (backup01) on ens224
-A OUTPUT -o ens224 -p tcp -d 192.168.200.251/32 --sport 10000:10006 -m state --state ESTABLISHED -j ACCEPT

#allow nfs/10000:10006 UDP in from 192.168.200.251/32 (backup01) on ens224
-A INPUT  -i ens224 -p udp -s 192.168.200.251/32 --dport 10000:10006 -m state --state NEW,RELATED,ESTABLISHED -m udp -j ACCEPT

#allow nfs/10000:10006 UDP out to 192.168.200.251/32 (backup01) on ens224
-A OUTPUT -o ens224 -p udp -d 192.168.200.251/32 --sport 10000:10006 -m state --state ESTABLISHED -j ACCEPT

If I disable iptables, the NFS share mounts. Here's the NFS config on the (.251) machine

Code:

RQUOTAD_PORT=10000
LOCKD_TCPPORT=10001
LOCKD_UDPPORT=10002
MOUNTD_PORT=10003
STATD_PORT=10004
STATD_OUTGOING_PORT=10005
RDMA_PORT=10006

MrColin · May 25, 2015

I would try omitting the "-m state..." options

Also, to include multiple ports in a rule, you can do "-m multiport --dports port1[,port2,...][,port:range]"

Elixer · May 25, 2015

You can also add some TRACE and LOG rules to see what/why it is being dropped...

KillerBee · May 25, 2015

Are these rules for the "client" or the "server" firewall?

If for the client , for the outgoing NFS requests from the client
you need to check the available ports it can use when talking with the server

cat /proc/sys/sunrpc/min_resvport
cat /proc/sys/sunrpc/max_resvport

and add the range to your outgoing iptable rules

IPtables rules are breaking NFS connection

TechBoyJK

Lifer

MrColin

Platinum Member

Elixer

Lifer

KillerBee

Golden Member

TRENDING THREADS