NFS quick howto for centos 5
To use nfs successfully, you have to configure the server and the client. In this example, the client is 192.168.0.3 and the server is 192.168.0.1. The folder to be shared is /home/sharing, and to be mounted to /mnt on the client
On the server
- Make directory that you want to use.
- # mkdir /home/sharing
- Edit /etc/exports, insert the client machine's ip
- # vi /etc/exports
- Add this line:
- /home/sharing 192.168.0.3/255.255.255.255(rw,sync)
- Save
- Edit /etc/hosts.allow
- # vi /etc/hosts.allow
- Add this line:
- portmap: 192.168.0.0/255.255.255.0
- Save
- Start nfs and portmap
- # /etc/init.d /nfs start
- # /etc/init.d/portmap start
On the client
- Start portmap
- # /etc/init.d/portmap start
- Mount the nfs folder
- # mount 192.168.0.1:/home/sharing /mnt
- Check /var/log/messages for any error that might occur
- # tailf /var/log/messages
- Use mount to check if the folder is mounted properly
- # mount
- This should be the output:
- 192.168.0.1:/home/sharing on /mnt type nfs (rw,addr=192.168.0.1)
- Edit /etc/fstab to mount the shared folder on boot
- # vi /etc/fstab
- Add this line
- 192.168.0.1:/mnt/sdb1/backup /mnt nfs rw,hard,intr 0 0
- Save
You can use 'man exports' to see the options available for /etc/exports
Linux Iptables Allow NFS Clients to Access the NFS Server
Configure NFS Services to Use Fixed Ports
However, NFS and portmap are pretty complex protocols. Firewalling should be done at each host and at the border firewalls to protect the NFS daemons from remote
access, since NFS servers should never be accessible from outside the organization. However, by default, the portmapper assigns each NFS service to a port dynamically at service startup time.
Dynamic ports cannot be protected by port filtering firewalls such as iptables. First, you need to configure NFS services to use fixed ports. Open /etc/sysconfig/nfs, enter:
# vi /etc/sysconfig/nfs
Modify config directive as follows to set TCP/UDP unused ports:
# TCP port rpc.lockd should listen on.
LOCKD_TCPPORT=lockd-port-number
# UDP port rpc.lockd should listen on.
LOCKD_UDPPORT=lockd-port-number
# Port rpc.mountd should listen on.
MOUNTD_PORT=mountd-port-number
# Port rquotad should listen on.
RQUOTAD_PORT=rquotad-port-number
# Port rpc.statd should listen on.
STATD_PORT=statd-port-number
# Outgoing port statd should used. The default is port is random
STATD_OUTGOING_PORT=statd-outgoing-port-numbe
Here is sample listing from one of my production NFS server:
LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
MOUNTD_PORT=892
RQUOTAD_PORT=875
STATD_PORT=662
STATD_OUTGOING_PORT=2020
Save and close the files. Restart NFS and portmap services:
# service portmap restart
# service nfs restart
# service rpcsvcgssd restart
Update /etc/sysconfig/iptables files
Open /etc/sysconfig/iptables, enter:
# vi /etc/sysconfig/iptables
Add the following lines, ensuring that they appear before the final LOG and DROP lines for the RH-Firewall-1-INPUT chain:
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 32803 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 32769 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 892 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 892 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 875 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 875 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 662 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 662 -j ACCEP
Save and close the file. Replace 192.168.1.0/24 with your actual LAN subnet /mask combo. You need to use static port values defined by /etc/sysconfig/nfs config file. Restart iptables service:
# service iptables restart
I spent a good time with this very good article !!!
ReplyDelete