Red Hat Enterprise Linux 4 Firewall Configuration

Source: Internet
Author: User

Version: Red Hat Enterprise Linux 4

Symptom:

NFS relies on portmap to allocate the ports its helper services listen on. These ports are assigned dynamically, so they change every time NFS is restarted. This makes it difficult to run an NFS server behind a firewall that only permits access to a fixed set of ports.

Solution:

The first step is to assign a permanent port number to each NFS service (rquotad, mountd, statd, and lockd). Because they can use any unused port above 1024, we recommend that you first check the /etc/services file to find a range of ports that is not already assigned. The following example uses 10000-10005.

Most of these ports are configured in the /etc/sysconfig/nfs file. If it does not exist, create it. It looks like this (the file is sourced by the init scripts as shell, so there must be no spaces around the "="):

# NFS port numbers
STATD_PORT=10002
STATD_OUTGOING_PORT=10003
MOUNTD_PORT=10004
RQUOTAD_PORT=10005

The lockd service is configured differently from the other services because it is a kernel module. To set the ports used by lockd, add these options to the /etc/sysconfig/nfs file:

LOCKD_UDPPORT=30001
LOCKD_TCPPORT=30001

"30001" can be replaced with any available port.

After completing these configuration changes and restarting NFS, run the rpcinfo -p command to view the port assignments:

# rpcinfo -p localhost
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100021    1   udp  10001  nlockmgr
    100021    3   udp  10001  nlockmgr
    100021    4   udp  10001  nlockmgr
    100021    1   tcp  10000  nlockmgr
    100021    3   tcp  10000  nlockmgr
    100021    4   tcp  10000  nlockmgr
    100024    1   udp  10002  status
    100024    1   tcp  10002  status
    100011    1   udp  10005  rquotad
    100011    2   udp  10005  rquotad
    100011    1   tcp  10005  rquotad
    100011    2   tcp  10005  rquotad
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    4   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100005    1   udp  10004  mountd
    100005    1   tcp  10004  mountd
    100005    2   udp  10004  mountd
    100005    2   tcp  10004  mountd
    100005    3   udp  10004  mountd
    100005    3   tcp  10004  mountd

With this configuration the ports stay the same after NFS is restarted. The following is the list of ports that must be opened on the firewall:

* 111: portmap (tcp/udp)
* 2049: nfs (tcp/udp)
* 10000: example lockd (tcp)
* 10001: example lockd (udp)
* 10002: example statd/status (tcp/udp)
* 10003: example statd/status outgoing (tcp/udp)
* 10004: example mountd (tcp/udp)
* 10005: example rquotad (tcp/udp)

Now you can open these ports on the firewall to allow remote clients to mount the exports on the server. If you use iptables, you can use the following commands to add INPUT and OUTPUT rules that allow access to these ports. Note that this is just an example; your firewall rules may be different:

# iptables -A INPUT -p tcp -m tcp --dport 111 -j ACCEPT
# iptables -A INPUT -p udp -m udp --dport 111 -j ACCEPT
# iptables -A INPUT -p tcp -m tcp --dport 2049 -j ACCEPT
# iptables -A INPUT -p udp -m udp --dport 2049 -j ACCEPT
# iptables -A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
# iptables -A INPUT -p udp -m udp --dport 10001 -j ACCEPT
# iptables -A INPUT -p tcp -m tcp --dport 10002:10005 -j ACCEPT
# iptables -A INPUT -p udp -m udp --dport 10002:10005 -j ACCEPT
# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable
# iptables -A OUTPUT -p tcp -m tcp --dport 111 -j ACCEPT
# iptables -A OUTPUT -p udp -m udp --dport 111 -j ACCEPT
# iptables -A OUTPUT -p tcp -m tcp --dport 2049 -j ACCEPT
# iptables -A OUTPUT -p udp -m udp --dport 2049 -j ACCEPT
# iptables -A OUTPUT -p tcp -m tcp --dport 10000 -j ACCEPT
# iptables -A OUTPUT -p udp -m udp --dport 10001 -j ACCEPT
# iptables -A OUTPUT -p tcp -m tcp --dport 10002:10005 -j ACCEPT
# iptables -A OUTPUT -p udp -m udp --dport 10002:10005 -j ACCEPT
# iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable

Note: mount requests use UDP by default unless the tcp mount option is specified, so both the TCP and UDP rules are needed.
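The weak point of this procedure is that the fixed ports only hold if every setting in /etc/sysconfig/nfs was actually picked up at restart; a typo (for example a space around the "=") silently leaves that service on a random port, and the hand-written firewall rules then block it. The following POSIX shell script is an added example, not code from the original article: it verifies the registrations reported by rpcinfo -p against the fixed ports chosen above and derives the matching INPUT ACCEPT rules from what portmap really has, rather than from a typed list. The rpcinfo output is a constructed sample that mirrors the article's port layout; on a real host you would feed it "$(rpcinfo -p localhost)" instead. The function names and the EXPECTED table are assumptions made for this example.

```shell
#!/bin/sh
# Added example: verify that the NFS helper services registered with portmap
# sit on the fixed ports configured in /etc/sysconfig/nfs, and derive the
# iptables INPUT rules from the live registrations.

# Constructed sample of "rpcinfo -p localhost" output (not captured from a
# real host); same port layout as the article's example.
SAMPLE='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100021    1   udp  10001  nlockmgr
    100021    4   tcp  10000  nlockmgr
    100024    1   udp  10002  status
    100024    1   tcp  10002  status
    100011    2   udp  10005  rquotad
    100011    2   tcp  10005  rquotad
    100003    3   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100005    3   udp  10004  mountd
    100005    3   tcp  10004  mountd'

# Fixed ports we expect (assumed table, one "service:proto:port" per line,
# taken from the values used in the article).
EXPECTED='nlockmgr:tcp:10000
nlockmgr:udp:10001
status:tcp:10002
status:udp:10002
mountd:tcp:10004
mountd:udp:10004
rquotad:tcp:10005
rquotad:udp:10005'

# unique_ports: read rpcinfo output on stdin, print distinct
# "proto port service" triples (the header line has only 4 fields).
unique_ports() {
    awk 'NF == 5 { print $3, $4, $5 }' | sort -u
}

# check_fixed_ports RPCINFO_TEXT: return 0 if every expected service/proto is
# registered on its expected port; print each mismatch and return 1 otherwise.
check_fixed_ports() {
    rc=0
    for want in $EXPECTED; do
        svc=${want%%:*}
        rest=${want#*:}
        proto=${rest%%:*}
        port=${rest#*:}
        got=$(printf '%s\n' "$1" |
              awk -v s="$svc" -v p="$proto" '$5 == s && $3 == p { print $4; exit }')
        if [ "$got" != "$port" ]; then
            echo "MISMATCH: $svc/$proto expected port $port, portmap has '${got:-none}'" >&2
            rc=1
        fi
    done
    return $rc
}

# gen_rules RPCINFO_TEXT: emit one iptables INPUT ACCEPT rule per distinct
# proto/port pair that portmap reports (portmapper's own port 111 included).
gen_rules() {
    printf '%s\n' "$1" | unique_ports | while read -r proto port svc; do
        echo "iptables -A INPUT -p $proto -m $proto --dport $port -j ACCEPT  # $svc"
    done
}

# Stand-alone run: refuse to print rules for a host whose ports drifted.
if check_fixed_ports "$SAMPLE"; then
    gen_rules "$SAMPLE"
else
    echo "fixed-port configuration did not take effect; fix /etc/sysconfig/nfs first" >&2
fi
```

The generated rules cover only the NFS services; they still need to be followed by the RELATED,ESTABLISHED rule and preceded by rules for any other service you reach the host on, because the article's rule set ends with a catch-all REJECT on INPUT that would otherwise cut off remote administration. Re-running the check after every NFS restart is the cheapest way to catch a port that has silently moved.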
