IPtables rules are breaking NFS connection

TechBoyJK

The goal with this rule set is to allow (192.168.200.211) to mount an NFS share hosted on (192.168.200.251)

Requirements are that all traffic be blocked by default, and only needed ports be opened. Both input/output need to be restricted to required ports.

For good measure, I included the two SSH rules that I am using, which work.

Code:
#deny all
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP

#SSH

#allow ssh/22 in from 192.168.200.248/32 (dev02) on ens224
-A INPUT  -i ens224 -p tcp -s 192.168.200.248/32 --dport 22 -j ACCEPT

#allow ssh/22 out to 192.168.200.248/32 (dev02) on ens224 
-A OUTPUT -o ens224 -p tcp -d 192.168.200.248/32 --sport 22 -m state --state ESTABLISHED  -j ACCEPT

#NFS

#allow nfs/111 TCP in from 192.168.200.251/32 (backup01) on ens224
-A INPUT  -i ens224 -p tcp -s 192.168.200.251/32 --dport 111 -m state --state NEW,RELATED,ESTABLISHED -m tcp  -j ACCEPT

#allow nfs/111 TCP out to 192.168.200.251/32 (backup01) on ens224
-A OUTPUT -o ens224 -p tcp -d 192.168.200.251/32 --sport 111 -m state --state ESTABLISHED -j ACCEPT

#allow nfs/111 UDP in from 192.168.200.251/32 (backup01) on ens224
-A INPUT  -i ens224 -p udp -s 192.168.200.251/32 --dport 111 -m state --state NEW,RELATED,ESTABLISHED -m udp  -j ACCEPT

#allow nfs/111 UDP out to 192.168.200.251/32 (backup01) on ens224
-A OUTPUT -o ens224 -p udp -d 192.168.200.251/32 --sport 111 -m state --state ESTABLISHED -j ACCEPT

#allow nfs/2049 TCP in from 192.168.200.251/32 (backup01) on ens224
-A INPUT  -i ens224 -p tcp -s 192.168.200.251/32 --dport 2049 -m state --state NEW,RELATED,ESTABLISHED -m tcp  -j ACCEPT

#allow nfs/2049 TCP out to 192.168.200.251/32 (backup01) on ens224
-A OUTPUT -o ens224 -p tcp -d 192.168.200.251/32 --sport 2049 -m state --state ESTABLISHED -j ACCEPT

#allow nfs/2049 UDP in from 192.168.200.251/32 (backup01) on ens224
-A INPUT  -i ens224 -p udp -s 192.168.200.251/32 --dport 2049 -m state --state NEW,RELATED,ESTABLISHED -m udp -j ACCEPT

#allow nfs/2049 UDP out to 192.168.200.251/32 (backup01) on ens224
-A OUTPUT -o ens224 -p udp -d 192.168.200.251/32 --sport 2049 -m state --state ESTABLISHED -j ACCEPT
#allow nfs/10000:10006 TCP in from 192.168.200.251/32 (backup01) on ens224
-A INPUT  -i ens224 -p tcp -s 192.168.200.251/32 --dport 10000:10006 -m state --state NEW,RELATED,ESTABLISHED -m tcp  -j ACCEPT

#allow nfs/10000:10006 TCP out to 192.168.200.251/32 (backup01) on ens224
-A OUTPUT -o ens224 -p tcp -d 192.168.200.251/32 --sport 10000:10006 -m state --state ESTABLISHED -j ACCEPT

#allow nfs/10000:10006 UDP in from 192.168.200.251/32 (backup01) on ens224
-A INPUT  -i ens224 -p udp -s 192.168.200.251/32 --dport 10000:10006 -m state --state NEW,RELATED,ESTABLISHED -m udp -j ACCEPT

#allow nfs/10000:10006 UDP out to 192.168.200.251/32 (backup01) on ens224
-A OUTPUT -o ens224 -p udp -d 192.168.200.251/32 --sport 10000:10006 -m state --state ESTABLISHED -j ACCEPT

If I disable iptables, the NFS share mounts. Here's the NFS config on the (.251) machine:

Code:
RQUOTAD_PORT=10000
LOCKD_TCPPORT=10001
LOCKD_UDPPORT=10002
MOUNTD_PORT=10003
STATD_PORT=10004
STATD_OUTGOING_PORT=10005
RDMA_PORT=10006

MrColin

I would try omitting the "-m state..." options.

Also, to include multiple ports in a rule, you can do "-m multiport --dports port1[,port2,...][,port:range]".

Elixer

You can also add some TRACE and LOG rules to see what/why it is being dropped...

KillerBee

Are these rules for the "client" or the "server" firewall?

If for the client, then for the outgoing NFS requests from the client you need to check the available ports it can use when talking with the server:

cat /proc/sys/sunrpc/min_resvport
cat /proc/sys/sunrpc/max_resvport

and add that range to your outgoing iptables rules.
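Picking up KillerBee's client-versus-server question, here is an added example (not code from any poster): a small Python evaluator that walks the thread's NFS/2049 rules the way netfilter does, first match wins and otherwise the chain's DROP policy, for a constructed mount attempt from the client (.211). The client-side rules and the 665:1023 reserved-port range are assumptions to be checked against /proc/sys/sunrpc/min_resvport and max_resvport, not values from the thread.

```python
import ipaddress
# Copied from the thread: the NFS/2049 TCP pair, written as if this host were the server.
POSTED_RULES = [
    "-A INPUT  -i ens224 -p tcp -s 192.168.200.251/32 --dport 2049 -m state --state NEW,RELATED,ESTABLISHED -m tcp  -j ACCEPT",
    "-A OUTPUT -o ens224 -p tcp -d 192.168.200.251/32 --sport 2049 -m state --state ESTABLISHED -j ACCEPT",
]
# Assumed client-side counterparts (not from the thread): the client initiates to dport 2049 from a
# reserved source port; 665:1023 is the assumed /proc/sys/sunrpc/min_resvport..max_resvport range.
CLIENT_RULES = [
    "-A OUTPUT -o ens224 -p tcp -d 192.168.200.251/32 --sport 665:1023 --dport 2049 -m state --state NEW,ESTABLISHED -j ACCEPT",
    "-A INPUT  -i ens224 -p tcp -s 192.168.200.251/32 --sport 2049 --dport 665:1023 -m state --state ESTABLISHED -j ACCEPT",
]
SIMPLE = {"-A": "chain", "-i": "iface", "-o": "iface", "-p": "proto", "-j": "target"}

def parse_rule(line):
    """Parse the option subset used above; the '-m tcp' / '-m state' match loaders are skipped."""
    rule, toks = {}, line.split()
    for flag, arg in zip(toks[::2], toks[1::2]):        # every option here takes one argument
        if flag in SIMPLE:
            rule[SIMPLE[flag]] = arg
        elif flag in ("-s", "-d"):
            rule[flag] = ipaddress.ip_network(arg, strict=False)
        elif flag in ("--sport", "--dport"):
            lo, _, hi = arg.partition(":")              # "2049" or "10000:10006"
            rule[flag] = (int(lo), int(hi or lo))
        elif flag == "--state":
            rule["state"] = set(arg.split(","))
    return rule

def matches(rule, pkt):
    """Every criterion present in the rule must hold for the packet."""
    for key in ("chain", "iface", "proto"):
        if key in rule and rule[key] != pkt[key]:
            return False
    for key, field in (("-s", "src"), ("-d", "dst")):
        if key in rule and ipaddress.ip_address(pkt[field]) not in rule[key]:
            return False
    for key, field in (("--sport", "sport"), ("--dport", "dport")):
        if key in rule and not rule[key][0] <= pkt[field] <= rule[key][1]:
            return False
    return "state" not in rule or pkt["state"] in rule["state"]

def verdict(rules, pkt, policy="DROP"):
    for rule in map(parse_rule, rules):                 # like netfilter: first match decides,
        if matches(rule, pkt):                          # otherwise the chain policy applies
            return rule["target"]
    return policy

def packet(chain, src, dst, sport, dport, state, proto="tcp", iface="ens224"):
    return dict(chain=chain, src=src, dst=dst, sport=sport, dport=dport, state=state, proto=proto, iface=iface)

SYN = packet("OUTPUT", "192.168.200.211", "192.168.200.251", 800, 2049, "NEW")  # constructed: client's first SYN, reserved port 800
print("posted rules:", verdict(POSTED_RULES, SYN), "| client rules:", verdict(CLIENT_RULES, SYN))  # DROP | ACCEPT
```

The posted OUTPUT rule only accepts packets whose source port is 2049 and that are already ESTABLISHED, so a client's NEW connection to the server never matches and falls through to the DROP policy; the same rule set does accept a NEW connection arriving from .251 on port 2049, which is the server-side direction.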