Linux NFS Installation: Difference between revisions
Revision as of 00:21, 24 May 2017
Relevance
- Updated for Amazon EC2
Server Installation
Install Packages
sudo su -
yum install rpcbind nfs-utils
On some systems you also need to install "nfs-utils-lib".
Security Setup
iptables
Add the following rules above the INPUT chain rule that rejects traffic:
-A INPUT -s 172.23.0.0/16 -p udp -m multiport --dports 10053,111,2049,32769,875,892 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 172.23.0.0/16 -p tcp -m multiport --dports 10053,111,2049,32803,875,892 -m state --state NEW,ESTABLISHED -j ACCEPT
where "172.23.0.0/16" should be replaced with the actual subnet value.
The ports are as follows:
- 111 tcp/udp
- 875 tcp/udp rquotd
- 892 tcp/udp mountd
- 2049 tcp/udp
- 10053 tcp/udp statd
- 10054 tcp/udp statd_outgoing
- 32803 tcp lockd
- 32769 udp lockd
A more permissive rule allows everything that comes from the specified subnet.
-A INPUT -s 172.23.0.0/16 -j ACCEPT
then restart iptables so the rules take effect:
service iptables restart
I ended up allowing everything from 192.168.0.0/255.255.0.0 for the duration of using the NFS.
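As an added example (not part of the original wiki page), the following POSIX shell script generates the two restrictive rules above for any client subnet, validating the subnet's CIDR form first, and audits an iptables-save style dump for NFS ports that have been opened without a source restriction, the situation the "allow everything from the subnet" shortcut can turn into if the subnet is widened to 0.0.0.0/0. The port lists are the page's; the subnet and the dump lines in the test are constructed.

```shell
#!/bin/sh
# Added example, not the wiki page's own script. Port lists follow the page.
NFS_UDP_PORTS="10053,111,2049,32769,875,892"
NFS_TCP_PORTS="10053,111,2049,32803,875,892"

# Accept only dotted-quad/prefix form, e.g. 172.23.0.0/16. Returns 0 if valid.
valid_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# Print the restrictive rules (one UDP, one TCP) for the subnet given in $1.
nfs_rules() {
    valid_cidr "$1" || { echo "bad subnet: $1" >&2; return 1; }
    printf '%s\n' "-A INPUT -s $1 -p udp -m multiport --dports $NFS_UDP_PORTS -m state --state NEW,ESTABLISHED -j ACCEPT"
    printf '%s\n' "-A INPUT -s $1 -p tcp -m multiport --dports $NFS_TCP_PORTS -m state --state NEW,ESTABLISHED -j ACCEPT"
}

# Read iptables-save style rules on stdin and print every ACCEPT rule that
# opens an NFS port (2049 or 111) with no "-s" source restriction.
# Returns 1 if at least one such rule was found, 0 otherwise.
audit_nfs_rules() {
    found=0
    while IFS= read -r line; do
        case "$line" in
            *"-j ACCEPT"*) ;;   # only ACCEPT rules are interesting
            *) continue ;;
        esac
        case "$line" in
            *"-s "*) continue ;;  # source-restricted: fine
        esac
        # match 2049 or 111 as a whole port in --dport or a --dports list
        if printf '%s\n' "$line" | grep -Eq -- '--dport(s)? ([0-9,]*,)?(2049|111)(,|$| )'; then
            echo "OPEN TO ALL: $line"
            found=1
        fi
    done
    return $found
}
```

Run `nfs_rules 172.23.0.0/16` to print the two lines to paste into the iptables configuration, and `iptables-save | audit_nfs_rules` (or feed it a saved rules file) to check that nothing has exposed rpcbind or nfsd to every source.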
Amazon EC2
1. Create the directory:
mkdir /opt/shared
2. Give it the right permissions that make sense across your entire client set.
3. Share it in /etc/exports.
Best if you specify only the subnet that must have access to it:
... /opt/shared 192.168.0.0/255.255.255.0(rw,sync,no_root_squash,no_subtree_check) ...
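The page recommends restricting each export to the subnet that needs it; the options it uses, in particular no_root_squash, are also worth checking before a share goes live. As an added example (not from the wiki page), this POSIX shell script reads /etc/exports-format lines and reports entries that have no client list, use a wildcard host, or carry no_root_squash or insecure. The sample exports file embedded below is constructed.

```shell
#!/bin/sh
# Added example, not the wiki page's own script. Audits /etc/exports lines.

# Print one finding per risky export client read on stdin; return 1 if any.
# Runs in a subshell with globbing off so a literal "*" host is not expanded.
audit_exports() (
    set -f
    findings=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac   # skip blanks and comments
        set -- $line
        path=$1; shift
        if [ $# -eq 0 ]; then
            echo "$path: no client list (exported to every host)"
            findings=1
            continue
        fi
        for client in "$@"; do
            host=${client%%\(*}                     # text before "("
            opts=${client#*\(}; opts=${opts%\)}     # text inside "(...)"
            [ "$client" = "$host" ] && opts=""      # no option list at all
            case "$host" in
                ''|'*'|'0.0.0.0/0')
                    echo "$path: wildcard host '$host'"; findings=1 ;;
            esac
            case ",$opts," in
                *,no_root_squash,*)
                    echo "$path ($host): no_root_squash lets a remote root act as local root"
                    findings=1 ;;
            esac
            case ",$opts," in
                *,insecure,*)
                    echo "$path ($host): insecure accepts requests from unprivileged source ports"
                    findings=1 ;;
            esac
        done
    done
    exit $findings
)

# Constructed sample /etc/exports: the page's own line plus three others.
SAMPLE_EXPORTS='# constructed sample
/opt/shared 192.168.0.0/255.255.255.0(rw,sync,no_root_squash,no_subtree_check)
/srv/public *(ro,sync)
/srv/data 10.0.0.0/8(rw,sync,root_squash,no_subtree_check)
/srv/old'

# Number of findings the sample produces (3: no_root_squash, wildcard, no client list).
count_sample_findings() {
    printf '%s\n' "$SAMPLE_EXPORTS" | audit_exports | wc -l | tr -d ' '
}
```

Use it as `audit_exports < /etc/exports`; a non-zero exit status means at least one entry should be looked at. Note that the page's own export line is flagged for no_root_squash, which is deliberate there for a trusted subnet but is the first thing to reconsider if the share is reachable from clients you do not control.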
Start NFS
RHEL 6
service rpcbind start
service nfs start
RHEL 7
service nfs-server start
Start at Boot
init.d
Also register the services with chkconfig so they start again on reboot:
chkconfig --add rpcbind
chkconfig --add nfs
chkconfig --level 2345 rpcbind on
chkconfig --level 2345 nfs on
systemd
systemctl enable nfs-server.service
systemctl list-unit-files | grep nfs-server
List Filesystems Exported by a NFS Server
Client Installation
Install Packages
sudo su -
yum install nfs-utils
Security Setup
iptables
iptables should allow outgoing connections.
SELinux
Authentication against the NFS Server
Mount "on-the-fly"
Mount "on-the-fly" the directory from another machine:
mount [-v] -t nfs 192.168.0.145:/shared /mnt/tmp
Mount the directory at boot
In /etc/fstab add:
192.168.1.4:/volume3/test3 /rackstation/test3/ nfs nolock,_netdev,bg 0 0
After mounting, the mount command reports the negotiated NFS version and options, for example:
f01:/opt/shared on /opt/shared type nfs4 (rw,relatime,vers=4.0,rsize=131072,wsize=131072,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=172.31.21.22,local_lock=none,addr=172.31.20.184,_netdev)
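The mount line above carries two values worth reading off after every mount: the negotiated version (vers=4.0) and the security flavour (sec=sys). As an added example (not from the wiki page), this POSIX shell script parses such a line, returns both values, and reports when a mount is on a version that still needs the rpcbind/mountd/lockd/statd side ports from the firewall section, or runs with sec=sys, where the client simply asserts its UIDs and no Kerberos integrity or privacy protects the traffic. The sample line below is constructed to match the page's format; the host and addresses are placeholders.

```shell
#!/bin/sh
# Added example, not the wiki page's own script. Parses mount(8) output for NFS.

# Given one mount(8) output line, print "vers=<v> sec=<s>".
mount_nfs_info() {
    opts=${1#*\(}; opts=${opts%\)}      # the comma-separated list inside "(...)"
    vers=""; sec=""
    old_ifs=$IFS; IFS=,
    for kv in $opts; do
        case "$kv" in
            vers=*) vers=${kv#vers=} ;;
            sec=*)  sec=${kv#sec=} ;;
        esac
    done
    IFS=$old_ifs
    echo "vers=${vers:-unknown} sec=${sec:-unknown}"
}

# Return 0 when the mount is NFSv4 with a Kerberos flavour; otherwise print
# why it falls short and return 1.
mount_is_hardened() {
    info=$(mount_nfs_info "$1")
    vers=${info#vers=}; vers=${vers%% *}
    sec=${info##*sec=}
    ok=0
    case "$vers" in
        4*) ;;
        *)  echo "NFS version $vers: needs the rpcbind/mountd/lockd/statd side ports open (v4 uses only 2049)"
            ok=1 ;;
    esac
    case "$sec" in
        krb5|krb5i|krb5p) ;;
        *)  echo "sec=$sec: client-asserted UIDs, no integrity or privacy on the wire"
            ok=1 ;;
    esac
    return $ok
}

# Constructed sample in the page's format (host and addresses are placeholders).
SAMPLE_MOUNT='f01:/opt/shared on /opt/shared type nfs4 (rw,relatime,vers=4.0,rsize=131072,wsize=131072,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=172.31.21.22,local_lock=none,addr=172.31.20.184,_netdev)'
```

Run it over live mounts with `mount -t nfs,nfs4 | while IFS= read -r l; do mount_is_hardened "$l"; done`; the page's own mount, with sec=sys, is reported for the security flavour but passes the version check.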