By default, the CentOS/Fedora firewall policy is to discard all traffic and allow only what is explicitly specified; this default suits production needs. Below I configure iptables so that designated external computers can access the NFS service.
1. Set up the share
Edit the /etc/exports file to determine the directory to be shared and to specify which hosts may access it.
/home/loner/Public/SinaPXE 58.63.239.0/24(ro,all_squash)
2. Check the permissions of the shared directory; it must be at least readable.
3. Fix the ports used by the NFS service
Modify the /etc/sysconfig/nfs file and add:
MOUNTD_PORT="4002"
STATD_PORT="4003"
LOCKD_TCPPORT="4004"
LOCKD_UDPPORT="4004"
4. Configure the firewall
Modify the /etc/sysconfig/iptables file and add:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 4002:4004 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 4002:4004 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 111 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 111 -j ACCEPT
5. Restart the firewall and start the NFS service.
service iptables restart
service nfs start
6. Check whether the ports used by NFS match our configuration:
$ rpcinfo -p localhost
program vers proto port service
100000 4 tcp 111 portmapper
100000 3 tcp 111 portmapper
100000 2 tcp 111 portmapper
100000 4 udp 111 portmapper
100000 3 udp 111 portmapper
100000 2 udp 111 portmapper
100024 1 udp 57549 status
100024 1 tcp 39161 status
100011 1 udp 875 rquotad
100011 2 udp 875 rquotad
100011 1 tcp 875 rquotad
100011 2 tcp 875 rquotad
100021 1 udp 4004 nlockmgr
100021 3 udp 4004 nlockmgr
100021 4 udp 4004 nlockmgr
100021 1 tcp 4004 nlockmgr
100021 3 tcp 4004 nlockmgr
100021 4 tcp 4004 nlockmgr
100003 2 tcp 2049 nfs
100003 3 tcp 2049 nfs
100003 4 tcp 2049 nfs
100227 2 tcp 2049 nfs_acl
100227 3 tcp 2049 nfs_acl
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100003 4 udp 2049 nfs
100227 2 udp 2049 nfs_acl
100227 3 udp 2049 nfs_acl
100005 1 udp 4002 mountd
100005 1 tcp 4002 mountd
100005 2 udp 4002 mountd
100005 2 tcp 4002 mountd
100005 3 udp 4002 mountd
100005 3 tcp 4002 mountd
7. Check whether the NFS shared directory and its permissions match our requirements.
# exportfs -v
/home/loner/Public/SinaPXE
58.63.239.0/24(ro,wdelay,root_squash,all_squash,no_subtree_check)
8. Test the NFS service and firewall settings from another host.
List the shared directories and the hosts allowed to access them:
$ showmount -e 192.168.1.10
Export list for 192.168.1.10:
/home/loner/Public/SinaPXE 58.63.239.0/24
Mount the NFS shared directory locally:
# mount 192.168.1.10:/home/loner/Public/SinaPXE /mnt
9. Mounting at boot and automatic mounting
Mounting at boot:
Add the corresponding entry to /etc/fstab.
Automatic mounting:
Edit /etc/auto.master and name the map file that defines the NFS automounts, as follows:
# vim /etc/auto.master
/nfs /etc/auto.nfs
# vim /etc/auto.nfs
pxe -ro,soft 192.168.1.10:/home/loner/Public/SinaPXE
Then restart the autofs service so that the mount is performed on demand.
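The comparison in step 6 can be scripted. The following shell function is an added example, not part of the original article: it reads rpcinfo -p output and lists every service registered on a port that the rules from step 4 do not open. The names ALLOWED_TCP, ALLOWED_UDP, sample_rpcinfo and check_rpc_ports are made up for this example, and the port lists assume those five rules are the only ACCEPT rules for new connections.

```shell
#!/bin/sh
# Added example (not from the original page): find RPC services whose ports
# the firewall rules from step 4 do not open.
# Assumption: these lists mirror the five -A INPUT rules in step 4 exactly.
ALLOWED_TCP="111 2049 4002 4003 4004"
ALLOWED_UDP="111 4002 4003 4004"

# Shortened copy of the `rpcinfo -p localhost` output shown in step 6.
sample_rpcinfo() {
    cat <<'EOF'
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100024    1   udp  57549  status
    100024    1   tcp  39161  status
    100011    1   udp    875  rquotad
    100011    1   tcp    875  rquotad
    100021    1   udp   4004  nlockmgr
    100021    1   tcp   4004  nlockmgr
    100003    3   tcp   2049  nfs
    100003    3   udp   2049  nfs
    100005    1   udp   4002  mountd
    100005    1   tcp   4002  mountd
EOF
}

# Reads `rpcinfo -p` output on stdin and prints "service proto port" once for
# every registration that falls outside the allowed lists.
check_rpc_ports() {
    awk -v tcp="$ALLOWED_TCP" -v udp="$ALLOWED_UDP" '
        BEGIN {
            n = split(tcp, a, " "); for (i = 1; i <= n; i++) ok["tcp", a[i]] = 1
            n = split(udp, a, " "); for (i = 1; i <= n; i++) ok["udp", a[i]] = 1
        }
        # Data rows start with a numeric program id; the header row does not.
        $1 ~ /^[0-9]+$/ && NF >= 5 {
            key = $5 " " $3 " " $4
            if (!(($3, $4) in ok) && !(key in seen)) {
                seen[key] = 1      # several versions share one port: report once
                print key
            }
        }
    '
}

# On the NFS server itself: rpcinfo -p localhost | check_rpc_ports
sample_rpcinfo | check_rpc_ports
```

Run against the output in step 6, it reports status (57549/udp, 39161/tcp), rquotad (875) and nfs on 2049/udp, none of which are covered by the rules in step 4. An empty result means every registered RPC service sits on a port the firewall opens.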