NFS Server if there is a firewall

server ip = 192.168.1.13

client ip = 192.168.1.10

 

 

 

Installing NFS

  • First install the required packages
[root@nfsserver ~]# yum install nfs-utils rpcbind

 

  • then create the share
[root@nfsserver ~]# mkdir /testshare
[root@nfsserver ~]# cat > /testshare/test
this is test          (then press Ctrl+D to exit)
  • now open the /etc/exports file and add the following line
[root@nfsserver ~]# vi /etc/exports
/testshare *(rw,sync,no_root_squash)

above, /testshare = the directory being shared

* = allowed clients (in our case all); if you want only one IP, put the IP address instead of *, or if you want to allow a whole subnet, use 192.168.1.0/24

(rw,sync,no_root_squash) = export options (permissions): read-write, synchronous writes, and no_root_squash, which lets root on a client act as root on the share

 

 

  • once you have entered the settings, run the following command to export them
[root@nfsserver ~]# exportfs -a
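
An added check, not part of the original post: the function below reads an exports file in the simple one-share-per-line form used above and reports client entries that are writable by every host or that disable root squashing. The names audit_exports and sample_exports and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). audit_exports, sample_exports
# and the sample data are hypothetical, constructed for illustration.

# Constructed sample in exports(5) format: <path> <client>(<options>) ...
sample_exports() {
    cat <<'EOF'
# constructed sample
/testshare *(rw,sync,no_root_squash)
/data 192.168.1.10(rw,sync) 192.168.1.0/24(ro,sync)
/admin 192.168.1.10(rw,sync,no_root_squash)
EOF
}

# Read an exports file on stdin; print "<path> <client> <finding>" per issue.
# Assumes one export per line, no quoted paths or backslash continuations.
audit_exports() {
    awk '
    NF == 0 || $1 ~ /^#/ { next }              # skip blank lines and comments
    {
        for (i = 2; i <= NF; i++) {
            client = $i; opts = ""
            p = index($i, "(")
            if (p > 0) {
                client = substr($i, 1, p - 1)
                opts = substr($i, p + 1)
                sub(/\)$/, "", opts)
            }
            if (client == "") client = "*"     # bare (opts) applies to all hosts
            rw = 0; noroot = 0
            n = split(opts, o, ",")
            for (j = 1; j <= n; j++) {
                if (o[j] == "rw") rw = 1
                if (o[j] == "no_root_squash") noroot = 1
            }
            if (client == "*" && rw)  print $1, client, "writable-by-any-host"
            if (noroot)               print $1, client, "root-not-squashed"
        }
    }'
}

sample_exports | audit_exports
```

On the server itself, run it as audit_exports < /etc/exports before exportfs -a.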

 

  • now go to the /etc/sysconfig/nfs file, uncomment the lines below and change the ports to other available high ports
  • check ports with the netstat command; in my case I checked for anything listening on a port starting with 6000, and nothing showed up
  • the ports starting at 60000 look available
  • so I changed those ports to 60000-60003 for ease
[root@nfsserver ~]# netstat -tulpn | grep ':6000'
[root@nfsserver ~]# vi /etc/sysconfig/nfs
LOCKD_TCPPORT=60000
LOCKD_UDPPORT=60001
MOUNTD_PORT=60002
STATD_PORT=60003
  • now we need to open TCP and UDP port 2049 for NFS
  • TCP and UDP port 111 (rpcbind/sunrpc)
  • TCP and UDP port specified with MOUNTD_PORT=60002
  • TCP and UDP port specified with STATD_PORT=60003
  • TCP port specified with LOCKD_TCPPORT=60000
  • UDP port specified with LOCKD_UDPPORT=60001
  • so go ahead and add the lines for ports 2049, 111 and 60000:60003 to /etc/sysconfig/iptables, above the REJECT line
  • then restart iptables
[root@nfsserver ~]# vi /etc/sysconfig/iptables
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 2049 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 111 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 111 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 60000:60003 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 60000:60003 -j ACCEPT

-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

[root@nfsserver ~]# service iptables restart
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Unloading modules:                               [  OK  ]
iptables: Applying firewall rules:                         [  OK  ]
  • check the ports open in iptables with this command
[root@nfsserver ~]# iptables -L -n -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   40  2880 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:2049
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:2049
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:111
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:111
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpts:60000:60003
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpts:60000:60003
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 22 packets, 2336 bytes)
 pkts bytes target     prot opt in     out     source               destination
  • start related services
  • make sure you start the rpcbind service first and then the nfs service, otherwise it might not work
[root@nfsserver ~]# /etc/init.d/rpcbind restart
Stopping rpcbind:                                          [  OK  ]
Starting rpcbind:                                          [  OK  ]

[root@nfsserver ~]# /etc/init.d/nfs restart
Shutting down NFS daemon:                                  [  OK  ]
Shutting down NFS mountd:                                  [  OK  ]
Shutting down NFS quotas:                                  [  OK  ]
Shutting down RPC idmapd:                                  [  OK  ]
Starting NFS services:                                     [  OK  ]
Starting NFS quotas:                                       [  OK  ]
Starting NFS mountd:                                       [  OK  ]
Starting NFS daemon:                                       [  OK  ]
Starting RPC idmapd:                                       [  OK  ]

[root@nfsserver ~]# /etc/init.d/nfslock restart
Stopping NFS locking:                                      [  OK  ]
Stopping NFS statd:                                        [  OK  ]
Starting NFS statd:                                        [  OK  ]
[root@nfsserver ~]#
  • make sure all three services will start at boot
[root@nfsserver ~]# chkconfig rpcbind on
[root@nfsserver ~]# chkconfig nfs on
[root@nfsserver ~]# chkconfig nfslock on

 

  • then type in this command, and it should show the following
  • 192.168.1.13 is the ip address of nfs server (this server)
[root@nfsserver ~]# rpcinfo -p 192.168.1.13
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100011    1   udp    875  rquotad
    100011    2   udp    875  rquotad
    100011    1   tcp    875  rquotad
    100011    2   tcp    875  rquotad
    100005    1   udp  60002  mountd
    100005    1   tcp  60002  mountd
    100005    2   udp  60002  mountd
    100005    2   tcp  60002  mountd
    100005    3   udp  60002  mountd
    100005    3   tcp  60002  mountd
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100227    2   tcp   2049  nfs_acl
    100227    3   tcp   2049  nfs_acl
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    4   udp   2049  nfs
    100227    2   udp   2049  nfs_acl
    100227    3   udp   2049  nfs_acl
    100021    1   udp  60001  nlockmgr
    100021    3   udp  60001  nlockmgr
    100021    4   udp  60001  nlockmgr
    100021    1   tcp  60000  nlockmgr
    100021    3   tcp  60000  nlockmgr
    100021    4   tcp  60000  nlockmgr
    100024    1   udp  60003  status
    100024    1   tcp  60003  status
  • then type in the showmount command with the server's own ip
  • in our case it is showing the /testshare
[root@nfsserver ~]# showmount -e 192.168.1.13
Export list for 192.168.1.13:
/testshare *

 

[ps: if you restart iptables later on, restart rpcbind, nfs and nfslock again to make sure everything is working fine, and run the rpcinfo and showmount commands]
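
An added check, not part of the original post: it compares the ports registered with rpcbind (the rpcinfo -p output above) against the ports the iptables rules open, and lists any RPC service left outside them. The function names are hypothetical and the sample is a constructed subset of the output shown above; with this page's rules it reports rquotad on port 875.

```shell
#!/bin/sh
# Added example (not from the original post); names are hypothetical.

# Constructed subset of the rpcinfo -p output shown above.
sample_rpcinfo() {
    cat <<'EOF'
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100011    1   udp    875  rquotad
    100011    2   udp    875  rquotad
    100011    1   tcp    875  rquotad
    100005    3   tcp  60002  mountd
    100003    4   tcp   2049  nfs
    100021    4   udp  60001  nlockmgr
    100021    4   tcp  60000  nlockmgr
    100024    1   udp  60003  status
EOF
}

# uncovered_rpc_ports "<port|lo:hi> ..." : read rpcinfo -p output on stdin and
# print "<service> <port>/<proto>" once for each registration whose port is
# outside the given list. The list is assumed to apply to both TCP and UDP,
# as the iptables rules above do.
uncovered_rpc_ports() {
    awk -v allowed="$1" '
    BEGIN {
        n = split(allowed, a, " ")
        for (i = 1; i <= n; i++) {
            m = split(a[i], r, ":")
            lo[i] = r[1] + 0
            hi[i] = (m == 2 ? r[2] : r[1]) + 0
        }
    }
    NF >= 5 && $1 ~ /^[0-9]+$/ {               # data rows only, skips the header
        port = $4 + 0; ok = 0
        for (i = 1; i <= n; i++)
            if (port >= lo[i] && port <= hi[i]) ok = 1
        key = $5 " " port "/" $3
        if (!ok && !(key in seen)) { seen[key] = 1; print key }
    }'
}

# Ports opened in /etc/sysconfig/iptables above (22 is ssh, not RPC).
sample_rpcinfo | uncovered_rpc_ports "111 2049 60000:60003"
# Live use: rpcinfo -p 192.168.1.13 | uncovered_rpc_ports "111 2049 60000:60003"
```

An empty result means every registered RPC service sits on a port the firewall rules cover; a mountd, nlockmgr or status line here means the port settings in /etc/sysconfig/nfs did not take effect.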

 

Client config

 

  • now go to the client and install the same packages
[root@rhce2 ~]# yum install nfs-utils rpcbind
  • start services
[root@rhce2 ~]# /etc/init.d/rpcbind start
[root@rhce2 ~]# /etc/init.d/nfs start
[root@rhce2 ~]# /etc/init.d/nfslock start
  • make sure all three services will start at boot
[root@rhce2 ~]# chkconfig rpcbind on
[root@rhce2 ~]# chkconfig nfs on
[root@rhce2 ~]# chkconfig nfslock on

 

  • now run the rpcinfo command against the nfs server ip
[root@rhce2 ~]# rpcinfo -p 192.168.1.13
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100011    1   udp    875  rquotad
    100011    2   udp    875  rquotad
    100011    1   tcp    875  rquotad
    100011    2   tcp    875  rquotad
    100005    1   udp  60002  mountd
    100005    1   tcp  60002  mountd
    100005    2   udp  60002  mountd
    100005    2   tcp  60002  mountd
    100005    3   udp  60002  mountd
    100005    3   tcp  60002  mountd
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100227    2   tcp   2049  nfs_acl
    100227    3   tcp   2049  nfs_acl
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    4   udp   2049  nfs
    100227    2   udp   2049  nfs_acl
    100227    3   udp   2049  nfs_acl
    100021    1   udp  60001  nlockmgr
    100021    3   udp  60001  nlockmgr
    100021    4   udp  60001  nlockmgr
    100021    1   tcp  60000  nlockmgr
    100021    3   tcp  60000  nlockmgr
    100021    4   tcp  60000  nlockmgr
    100024    1   udp  60003  status
    100024    1   tcp  60003  status
  • try to see if you can see the nfsserver mount with showmount command
[root@rhce2 ~]# showmount -e 192.168.1.13
Export list for 192.168.1.13:
/testshare *
  • if the rpcinfo and showmount commands both show results then everything is working fine

 

  • now mount the share (there are two ways: one temporary and one permanent)
  • first we will see the temporary mount
  • create a directory where you want to mount the share, or you can mount it on the /mnt directory, which is already present
[root@rhce2 ~]# mkdir /mountnfsshare
[root@rhce2 ~]# mount -t nfs 192.168.1.13:/testshare /mountnfsshare
or
[root@rhce2 ~]# mount.nfs4 192.168.1.13:/testshare /mountnfsshare
either will work

[root@rhce2 ~]# ls /mountnfsshare/
test
[root@rhce2 ~]# cat /mountnfsshare/test 
this is test

[we can see test file of nfs server so this means it is working]
  • now if you want to make it permanent and mount it at boot, add one line in /etc/fstab
[root@rhce2 ~]# vi /etc/fstab

192.168.1.13:/testshare       /mountnfsshare        nfs defaults 0 0
  • if you added the entry to the fstab file before mounting the share, then to mount it you only have to type in one command
[root@rhce2 ~]#  mount -a
  • to see if it is mounted or not you can try any of the commands below
[root@rhce2 ~]# mount -s
[root@rhce2 ~]# cat /proc/mounts
[root@rhce2 ~]# df -h


and look for the share and mountpoint

[ps: make sure the share has enough permissions]

 
