
Wednesday, April 13, 2011

Using NFS with iptables

Having recently learned how to solve this problem myself, I thought I would share it. I recently switched from Ubuntu Desktop and Ubuntu Server to CentOS 5.5 on both of my Linux machines, and I was having some trouble getting the NFS share to mount through the server's firewall. It turns out this is due to some extra configuration needed on the server side. This works on CentOS and should work on any other distribution based on Red Hat Enterprise Linux, as well as Red Hat itself and probably Fedora.

Some people recommend simply turning the firewall off on the server, but this is a bad idea and really not the proper way to go about it as far as I am concerned, especially if maintaining security is vital to the systems in question.

So, here is what you should do. You will need to be working with root access to do this.

First, you need to modify the /etc/sysconfig/nfs file so that the required services (lockd, mountd and statd) use fixed ports rather than dynamically assigned ports; a port-filtering firewall such as iptables cannot protect a port that changes every time the service starts. By default these services register with the portmapper on whatever port they are handed, so this must be changed. Add something similar to the lines below to the end of the /etc/sysconfig/nfs file. These numbers are taken from my own CentOS 5.5 NFS server, and work just fine.

LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
MOUNTD_PORT=892
STATD_PORT=662

This establishes fixed ports for these services.

Now you will need to restart the portmap and nfs services with the following commands:

service portmap restart
service nfs restart

Add the following lines to the /etc/sysconfig/iptables file, ensuring that they appear before the final LOG and DROP lines for the RH-Firewall-1-INPUT chain, since rules are evaluated in order and anything placed after the DROP is never reached. Also, replace the 192.168.1.0/24 source address in these statements with the range that applies to your network.

-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 32803 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 32769 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 892 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 892 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 662 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 662 -j ACCEPT

If you look closely, you will see that these rules configure the iptables firewall to accept new connections from your network to the ports used by the services configured in the previous step: 111 for the portmapper, 2049 for nfsd, and the lockd, mountd and statd ports fixed in /etc/sysconfig/nfs.

Finally, restart the iptables service:

service iptables restart

Assuming your NFS shares are configured properly, you should now have access to them.
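As an added example (not part of the original post), the script below ties the two steps together: it derives the iptables rules from the fixed ports in /etc/sysconfig/nfs, and it checks a saved `rpcinfo -p` listing against those rules so that a service still sitting on a dynamic port is caught before the firewall is trusted. The sysconfig text and the rpcinfo output are constructed samples; the function names gen_rules and check_ports are my own.

```shell
#!/bin/sh
# Added example (not from the post): derive the iptables rules from the fixed
# ports in /etc/sysconfig/nfs and check a `rpcinfo -p` listing against them.
# Constructed sample of the lines the post appends to /etc/sysconfig/nfs.
NFS_SYSCONFIG='LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
MOUNTD_PORT=892
STATD_PORT=662'
# Constructed `rpcinfo -p` output: the nfs service was not restarted after the
# edit, so mountd still sits on a dynamic port instead of 892.
RPCINFO_SAMPLE='   program vers proto   port
    100000    2   udp    111  portmapper
    100000    2   tcp    111  portmapper
    100024    1   udp    662  status
    100003    3   tcp   2049  nfs
    100021    1   udp  32769  nlockmgr
    100021    1   tcp  32803  nlockmgr
    100005    1   udp  40185  mountd
    100005    1   tcp  40185  mountd'
# gen_rules SRC CONFIG: print the RH-Firewall-1-INPUT rules for source network SRC.
gen_rules() {
  printf '%s\n' "$2" | awk -F= -v src="$1" '
    BEGIN { fmt = "-A RH-Firewall-1-INPUT -s " src " -m state --state NEW -p %s --dport %s -j ACCEPT\n" }
    /^LOCKD_TCPPORT=/ { lt = $2 }
    /^LOCKD_UDPPORT=/ { lu = $2 }
    /^MOUNTD_PORT=/   { mp = $2 }
    /^STATD_PORT=/    { sp = $2 }
    END {
      if (lt == "" || lu == "" || mp == "" || sp == "") { print "error: a port setting is missing from the nfs sysconfig" > "/dev/stderr"; exit 1 }
      printf(fmt, "udp", 111); printf(fmt, "tcp", 111)   # portmapper
      printf(fmt, "tcp", 2049)                            # nfsd
      printf(fmt, "tcp", lt);  printf(fmt, "udp", lu)    # lockd
      printf(fmt, "tcp", mp);  printf(fmt, "udp", mp)    # mountd
      printf(fmt, "tcp", sp);  printf(fmt, "udp", sp)    # statd
    }'
}
# check_ports CONFIG RPCINFO: flag every NFS registration that no rule would accept; exit 1 if any.
check_ports() {
  allowed=$(gen_rules 0.0.0.0/0 "$1" | awk '{ print $10 "/" $12 }' | tr '\n' ' ')
  printf '%s\n' "$2" | awk -v allowed="$allowed" '
    BEGIN { bad = 0; n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $5 ~ /^(portmapper|nfs|nlockmgr|mountd|status)$/ && !(($3 "/" $4) in ok) {
      printf("%s %s/%s is registered but no firewall rule accepts it\n", $5, $3, $4); bad = 1
    }
    END { exit bad }'
}
gen_rules 192.168.1.0/24 "$NFS_SYSCONFIG"
check_ports "$NFS_SYSCONFIG" "$RPCINFO_SAMPLE" || echo "restart the nfs service and re-run rpcinfo -p before trusting the firewall"
```

On a live server, feed it `$(cat /etc/sysconfig/nfs)` and `$(rpcinfo -p)` instead of the samples; note that rpcinfo will also list nfs on udp 2049, which the post's rules do not open, so clients that mount with proto=udp need a rule of their own.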
