Howto lock NFSv3 to static TCP ports  

If you use Gentoo then you know what I'm talking about when I say that managing NFS access through iptables has been a bit of a pain. It seems like I'd get my rules dialed in and then a new version would come out and suddenly I couldn't mount anymore. I kept "fixing" this problem in iptables but decided that was just me being lazy. So, here is a procedure for NFSv3 over TCP with iptables. I was going to re-write it to be a little prettier, but, with as busy as I am, if I wait for that, it will never get done.

0) Emerge a more recent nfs-utils. Version 1.0.12-r1 didn't have mount.nfs built for some freaking reason. So, edit /etc/portage/package.keywords and add

=net-fs/nfs-utils-1.1.1 ~x86

1) Make sure the kernel is built with NFSv3 support. I'm holding off on v4 until it's no longer labelled EXPERIMENTAL.

    NFS file system support
      [*] Provide NFSv3 client support
      [ ] Provide client support for the NFSv3 ACL protocol extension
      [ ] Provide NFSv4 client support (EXPERIMENTAL)
      [ ] Allow direct I/O on NFS files
    NFS server support
      [*] Provide NFSv3 server support
      [ ] Provide server support for the NFSv3 ACL protocol extension
      [ ] Provide NFSv4 server support (EXPERIMENTAL)
      [*] Provide NFS server over TCP support

Also make sure you have TCP support ("Provide NFS server over TCP support" above), since everything below assumes NFS over TCP.

2) Edit /etc/sysctl.conf

# You should compile nfsd into the kernel or add it
# to modules.autoload for this to work properly
# TCP Port for lock manager
fs.nfs.nlm_tcpport = 4001

NOTE: The UDP port config didn't work for me, but I'm fine with

Run sysctl -p /etc/sysctl.conf

3) Make sure that nfsd is listed in modules.autoload.d or built into the kernel.

4) Edit /etc/conf.d/nfs to bind the other ports. All I changed was the following:

OPTS_RPC_MOUNTD="-p 32767"
OPTS_RPC_STATD="-p 32765 -o 32766"

5) /etc/init.d/nfs restart

NOTE: If you see weirdness here, make sure that
a) no rpc.* processes are still running from before, and
b) /var/lib/nfs/state is writable by the nobody user.

6) Now, we should be able to use iptables to lock NFS down to the following ports:

tcp 111 - portmapper
tcp 2049 - nfs
tcp 4001 - nlockmgr
tcp 32765-32767 - status and mountd

Like so:

iptables -A INPUT -s $LAN -m state --state NEW -p tcp --dport 111 -j ACCEPT
iptables -A INPUT -s $LAN -m state --state NEW -p tcp --dport 2049 -j ACCEPT
iptables -A INPUT -s $LAN -m state --state NEW -p tcp --dport 4001 -j ACCEPT
iptables -A INPUT -s $LAN -m state --state NEW -p tcp --dport 32765:32767 -j ACCEPT
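Before trusting those rules, it is worth confirming that the daemons actually came up on the static ports rather than silently picking dynamic ones again after an upgrade. The following shell check is an added example, not part of the original howto: it parses `rpcinfo -p` style output against the port list above and reports any service that is missing over TCP or bound to the wrong port. The sample input is constructed, not captured from a real host.

```shell
# check_nfs_ports: takes the text of `rpcinfo -p` as its single argument and
# compares every TCP registration against the static ports from the howto.
# Prints one line per problem; returns 0 only if all five services are present
# over TCP on the expected ports. Note: status listens on 32765 (-p); 32766 is
# only its outgoing port (-o), so it is not expected to appear in rpcinfo.
check_nfs_ports() {
  printf '%s\n' "$1" | awk '
    BEGIN {
      want["portmapper"] = "111"
      want["nfs"]        = "2049"
      want["nlockmgr"]   = "4001"
      want["status"]     = "32765"
      want["mountd"]     = "32767"
      bad = 0
    }
    # rpcinfo -p columns: program vers proto port service
    $3 == "tcp" && ($5 in want) {
      seen[$5] = 1
      if ($4 != want[$5]) {
        printf "MISMATCH: %s is on tcp/%s, expected tcp/%s\n", $5, $4, want[$5]
        bad = 1
      }
    }
    END {
      for (s in want) if (!(s in seen)) {
        printf "MISSING: %s is not registered over tcp\n", s
        bad = 1
      }
      exit bad
    }'
}

# Constructed sample of rpcinfo -p output (assumption, not from a real server):
# mountd has come up on a dynamic port and status is not registered over TCP,
# which is exactly the situation that makes the iptables rules above block mounts.
SAMPLE_BAD='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    3   tcp   2049  nfs
    100021    1   tcp   4001  nlockmgr
    100005    3   tcp  35912  mountd'

# On a live server you would run:  check_nfs_ports "$(rpcinfo -p)"
if check_nfs_ports "$SAMPLE_BAD"; then
  echo "all NFS services are on the expected static TCP ports"
else
  echo "fix the port bindings before relying on the iptables rules" >&2
fi
```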


How's your network?, Inc. © 2001-2018