
NFS and iptables

If you are using NFSv4 (which is likely) you only need to open one port in your firewall: port 2049/TCP. The examples below are done on an OpenMediaVault/Debian server to allow NFS access, but nothing else, from the networks 192.168.64.144/28 and 192.168.64.192/26.

List iptables rules

Use this command to check your ruleset. The order of the rules is important: iptables reads the rules from top to bottom and the first matching rule wins.
[code language="bash"]
iptables -S
[/code]

Allow port 2049/TCP from network

[code language="bash"]
iptables -A INPUT -s 192.168.64.144/28 -p tcp -m tcp --dport 2049 -j ACCEPT
iptables -A INPUT -s 192.168.64.192/26 -p tcp -m tcp --dport 2049 -j ACCEPT
[/code]

Block all other access from network

[code language="bash"]
iptables -A INPUT -s 192.168.64.144/28 -j REJECT --reject-with icmp-port-unreachable
iptables -A INPUT -s 192.168.64.192/26 -j REJECT --reject-with icmp-port-unreachable
[/code]

Remove rule from iptables

If you have done something wrong you can remove the rule by changing -A to -D, see below.
[code language="bash"]
iptables -D INPUT -s 192.168.64.144/28 -j REJECT --reject-with icmp-port-unreachable
[/code]

Finished ruleset

This is how the ruleset should look, if there are no more rules than those stated above. All networks except 192.168.64.144/28 and 192.168.64.192/26 have full access.
[code language="bash"]
root@dalesjo-nas:/home# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -s 192.168.64.144/28 -p tcp -m tcp --dport 2049 -j ACCEPT
-A INPUT -s 192.168.64.192/26 -p tcp -m tcp --dport 2049 -j ACCEPT
-A INPUT -s 192.168.64.144/28 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 192.168.64.192/26 -j REJECT --reject-with icmp-port-unreachable
[/code]
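Because the first matching rule wins, the ACCEPT for 2049/TCP must sit above the catch-all REJECT for the same network. The following shell check is an added example, not part of the original post: it reads `iptables -S` output and reports, per network, whether the rules are in the right order. The two rulesets it checks are constructed inline (one correct, one deliberately reversed); on the server you would feed it `iptables -S INPUT` instead.

```bash
#!/bin/sh
# Constructed sample: the finished ruleset from the post.
SAMPLE_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -s 192.168.64.144/28 -p tcp -m tcp --dport 2049 -j ACCEPT
-A INPUT -s 192.168.64.192/26 -p tcp -m tcp --dport 2049 -j ACCEPT
-A INPUT -s 192.168.64.144/28 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 192.168.64.192/26 -j REJECT --reject-with icmp-port-unreachable'

# Constructed sample with the two rules for one network in the wrong order:
# the REJECT would match first and NFS would be blocked.
BAD_RULES='-P INPUT ACCEPT
-A INPUT -s 192.168.64.144/28 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 192.168.64.144/28 -p tcp -m tcp --dport 2049 -j ACCEPT'

# check_nfs_rules RULESET NETWORK
# Returns 0 when NETWORK has an ACCEPT for tcp/2049 that appears before its
# catch-all REJECT; returns 1 when the order is wrong or a rule is missing.
check_nfs_rules() {
    ruleset=$1
    net=$2
    # Line numbers of the first matching ACCEPT and REJECT rule for this network.
    accept_line=$(printf '%s\n' "$ruleset" \
        | grep -n -- "-A INPUT -s $net -p tcp -m tcp --dport 2049 -j ACCEPT" \
        | head -n1 | cut -d: -f1)
    reject_line=$(printf '%s\n' "$ruleset" \
        | grep -n -- "-A INPUT -s $net -j REJECT" \
        | head -n1 | cut -d: -f1)
    [ -n "$accept_line" ] || { echo "$net: no ACCEPT rule for 2049/TCP"; return 1; }
    [ -n "$reject_line" ] || { echo "$net: no catch-all REJECT rule"; return 1; }
    if [ "$accept_line" -lt "$reject_line" ]; then
        echo "$net: OK (ACCEPT at line $accept_line, REJECT at line $reject_line)"
        return 0
    fi
    echo "$net: WRONG ORDER (REJECT at line $reject_line precedes ACCEPT at line $accept_line)"
    return 1
}

# Live use on the server: check_nfs_rules "$(iptables -S INPUT)" 192.168.64.144/28
for net in 192.168.64.144/28 192.168.64.192/26; do
    check_nfs_rules "$SAMPLE_RULES" "$net"
done
check_nfs_rules "$BAD_RULES" 192.168.64.144/28 || true
```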

Save changes

Changes must be saved to survive a restart. Note that `iptables-save` only prints the ruleset to standard output, so redirect it to the file your system restores at boot; the path below assumes the iptables-persistent package on Debian.
[code language="bash"]
iptables-save > /etc/iptables/rules.v4  # path assumes iptables-persistent
[/code]