Iptables rule settings on the NFS server

Source: Internet
Author: User
First, some context: by default the CentOS/Fedora firewall policy is to drop everything and allow only what is explicitly listed, which is the right policy for production. Below, iptables is configured so that only designated external hosts can reach the NFS service. Because NFSv3 relies on several RPC services (mountd, statd, lockd) that normally register with rpcbind on random ports, those ports are pinned first so that the firewall can be opened for a small fixed set.

1. Set up the share

Edit /etc/exports, choose the directory to share, and specify which hosts may access it:

/home/loner/Public/SinaPXE 58.63.239.0/24(ro,all_squash)

There must be no space between the client specification and the parenthesised options: "58.63.239.0/24 (ro,all_squash)" would export to that network with default options and, separately, to every host read-only.

2. Check the permissions of the shared directory. With all_squash every client user is mapped to the anonymous user (nfsnobody on CentOS/Fedora), so the directory must be at least readable and searchable by "other", and the files in it readable.

3. Pin the ports used by the NFS service

Edit /etc/sysconfig/nfs and add:

MOUNTD_PORT="4002"

STATD_PORT="4003"

LOCKD_TCPPORT="4004"

LOCKD_UDPPORT="4004"

mountd, statd and lockd would otherwise come up on random ports every boot, which cannot be expressed in a static firewall rule. nfs (2049) and rpcbind/portmapper (111) already use fixed ports.

4. Configure the firewall

Edit /etc/sysconfig/iptables and add the following to the INPUT chain, above the final REJECT rule of the default CentOS rule set (rules appended after it never match):

-A INPUT -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT

-A INPUT -m state --state NEW -m tcp -p tcp --dport 4002:4004 -j ACCEPT

-A INPUT -m state --state NEW -m udp -p udp --dport 4002:4004 -j ACCEPT

-A INPUT -m state --state NEW -m tcp -p tcp --dport 111 -j ACCEPT

-A INPUT -m state --state NEW -m udp -p udp --dport 111 -j ACCEPT

As written these rules accept connections from any source. To match the intent of allowing only designated hosts, add "-s 58.63.239.0/24" to each rule; the client list in /etc/exports is not a substitute, because rpcbind and mountd still answer queries from anyone the firewall lets through. If only NFSv4 clients are expected, 2049/tcp alone is sufficient; 111 and 4002-4004 are needed for NFSv3.

5. Restart the firewall and start the NFS service

service iptables restart

service nfs start

rpc.statd is managed by the separate nfslock service, which reads /etc/sysconfig/nfs only when it starts; if it was already running before step 3, restart it as well (service nfslock restart), otherwise it keeps the random port it had.

6. Check that the ports the NFS services registered match what we configured:

$ rpcinfo -p localhost

   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  57549  status
    100024    1   tcp  39161  status
    100011    1   udp    875  rquotad
    100011    2   udp    875  rquotad
    100011    1   tcp    875  rquotad
    100011    2   tcp    875  rquotad
    100021    1   udp   4004  nlockmgr
    100021    3   udp   4004  nlockmgr
    100021    4   udp   4004  nlockmgr
    100021    1   tcp   4004  nlockmgr
    100021    3   tcp   4004  nlockmgr
    100021    4   tcp   4004  nlockmgr
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100227    2   tcp   2049  nfs_acl
    100227    3   tcp   2049  nfs_acl
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    4   udp   2049  nfs
    100227    2   udp   2049  nfs_acl
    100227    3   udp   2049  nfs_acl
    100005    1   udp   4002  mountd
    100005    1   tcp   4002  mountd
    100005    2   udp   4002  mountd
    100005    2   tcp   4002  mountd
    100005    3   udp   4002  mountd
    100005    3   tcp   4002  mountd

mountd (4002) and nlockmgr (4004) are on the pinned ports, but status is still on 57549/udp and 39161/tcp rather than 4003, so the firewall rules from step 4 would not cover it and NFSv3 clients would lose lock recovery notifications. Restart nfslock (service nfslock restart) and run rpcinfo -p again until status shows 4003. rquotad on 875 is only relevant if quota reporting is needed; it is not opened in the firewall above.

7. Check that the exported directory and its options match what we want:

# exportfs -v

/home/loner/Public/SinaPXE
		58.63.239.0/24(ro,wdelay,root_squash,all_squash,no_subtree_check)

exportfs lists the defaults it filled in (wdelay, root_squash, no_subtree_check) next to the options from /etc/exports; root_squash is implied by all_squash.
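The checks in steps 1, 3 and 6 can be scripted. The following shell script is an added example and is not part of the original page: it lints /etc/exports lines for the detached-options mistake and compares rpcinfo -p output against the ports pinned in /etc/sysconfig/nfs. The embedded rpcinfo sample is an abbreviated copy of the step 6 listing above plus a constructed "corrected" listing; the helper names (check_exports_line, check_rpc_ports, check_server) are this example's own.

```shell
#!/bin/bash
# Added example (not from the original page): server-side sanity checks for the
# NFS/iptables setup above. Port numbers are the ones pinned in /etc/sysconfig/nfs
# on this page; the helper names are this example's own.

MOUNTD_PORT=4002
STATD_PORT=4003
LOCKD_PORT=4004

# check_exports_line LINE
# Returns 0 when every client entry on an /etc/exports line has its options
# attached ("host(ro)"); returns 1 if an option group stands alone, because
# "host (ro)" exports to host with default options AND to the world read-only.
check_exports_line() {
    local entry rc=0
    set -f                       # no pathname expansion while splitting the line
    set -- $1
    set +f
    [ $# -gt 0 ] || return 0     # blank line: nothing to check
    shift                        # drop the exported path
    for entry in "$@"; do
        case "$entry" in
            \(*) printf 'BAD: option group "%s" is not attached to a host\n' "$entry"; rc=1 ;;
        esac
    done
    return $rc
}

# check_rpc_ports  (reads "rpcinfo -p" output on stdin)
# Prints every mountd/status/nlockmgr registration that is not on its pinned
# port and returns 1; returns 0 when all of them match.
check_rpc_ports() {
    local prog vers proto port svc expected rc=0
    while read -r prog vers proto port svc; do
        case "$svc" in
            mountd)   expected=$MOUNTD_PORT ;;
            status)   expected=$STATD_PORT ;;
            nlockmgr) expected=$LOCKD_PORT ;;
            *)        continue ;;      # header line, portmapper, nfs, rquotad ...
        esac
        if [ "$port" != "$expected" ]; then
            printf 'MISMATCH: %s v%s/%s is on port %s, expected %s\n' \
                "$svc" "$vers" "$proto" "$port" "$expected"
            rc=1
        fi
    done
    return $rc
}

# check_server: run both checks against the live system (as root, on the NFS server).
check_server() {
    local line rc=0
    while read -r line; do
        case "$line" in ''|\#*) continue ;; esac
        check_exports_line "$line" || rc=1
    done < /etc/exports
    rpcinfo -p localhost | check_rpc_ports || rc=1
    return $rc
}

# Abbreviated copy of the rpcinfo output shown in step 6 above: status is still
# on ephemeral ports, so the check must fail.
PAGE_RPCINFO='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100024    1   udp  57549  status
    100024    1   tcp  39161  status
    100021    4   udp   4004  nlockmgr
    100021    4   tcp   4004  nlockmgr
    100003    3   tcp   2049  nfs
    100005    3   udp   4002  mountd
    100005    3   tcp   4002  mountd'

# Constructed listing of what the output should look like once
# "service nfslock restart" has picked up STATD_PORT.
FIXED_RPCINFO='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100024    1   udp   4003  status
    100024    1   tcp   4003  status
    100021    4   udp   4004  nlockmgr
    100021    4   tcp   4004  nlockmgr
    100003    3   tcp   2049  nfs
    100005    3   udp   4002  mountd
    100005    3   tcp   4002  mountd'

# Offline demonstration on the embedded samples; use check_server on the real host.
demo() {
    check_exports_line '/home/loner/Public/SinaPXE 58.63.239.0/24 (ro, all_squash)' \
        || echo 'detached option group rejected, as expected'
    check_exports_line '/home/loner/Public/SinaPXE 58.63.239.0/24(ro,all_squash)' \
        && echo 'exports line OK'
    printf '%s\n' "$PAGE_RPCINFO" | check_rpc_ports \
        || echo 'page output rejected: status not on 4003'
    printf '%s\n' "$FIXED_RPCINFO" | check_rpc_ports && echo 'all pinned ports OK'
}
demo
```

On the server itself, run check_server after "service nfs start" and "service nfslock restart"; a non-zero exit means either an /etc/exports entry exports more widely than intended or one of the RPC services is on a port the firewall does not open.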

8. Test the NFS service and firewall settings from another host

List the shared directories and the hosts allowed to use them:

$ showmount -e 192.168.1.10

Export list for 192.168.1.10:
/home/loner/Public/SinaPXE 58.63.239.0/24

Mount the NFS share locally:

# mount 192.168.1.10:/home/loner/Public/SinaPXE /mnt

The test client must be inside 58.63.239.0/24; showmount still lists the export from any host the firewall admits, but a mount from outside the allowed range is refused with "access denied by server".

9. Mounting at boot and on demand

Mounting at boot:

Add the corresponding line to /etc/fstab, for example:

192.168.1.10:/home/loner/Public/SinaPXE /mnt nfs ro,soft 0 0

Automatic (on-demand) mounting with autofs:

Edit /etc/auto.master and point a mount root at the map file that defines the NFS mounts, as follows:

# vim /etc/auto.master

/nfs /etc/auto.nfs

# vim /etc/auto.nfs

pxe -ro,soft 192.168.1.10:/home/loner/Public/SinaPXE

Then restart the autofs service (service autofs restart); the share is mounted on /nfs/pxe the first time that path is accessed and unmounted again after the idle timeout. The soft option makes I/O fail with an error instead of hanging if the server goes away, which is acceptable for a read-only share but should not be used for shares that are written to.
