server$ # NFS uses reverse DNS lookups, so add
server$ # entries for server and client
server$ ifconfig; hostname
server$ vi /etc/hosts
server$ mkdir -m 1777 /tmp/wpshare
server$ vi /tmp/wpshare/some-file
server$ cat <<! >>/etc/exports
# Share the man pages (read-only) and /tmp/wpshare (read-write) from cws.hcc-online.com with yborstudent:
/usr/share/man 10.0.0.0/8(async,ro) localhost(async,ro)
/tmp/wpshare 10.0.0.0/8(async,rw) localhost(async,rw)
!
server$ cat <<! >>/etc/hosts.allow
portmap: LOCAL, 127.0.0.1, 10.
lockd: LOCAL, 127.0.0.1, 10.
rquotad: LOCAL, 127.0.0.1, 10.
mountd: LOCAL, 127.0.0.1, 10.
statd: LOCAL, 127.0.0.1, 10.
!
server$ # pin the ports these daemons use, so we can open firewall holes
server$ # for them. Otherwise portmap assigns them dynamically at each start!
server$ # The ports used below are unassigned by the IANA.
server$ cat <<! >/etc/sysconfig/nfs
# LOCKD ports are passed as kernel module options via /proc!
LOCKD_TCPPORT=48620
LOCKD_UDPPORT=48620
MOUNTD_PORT=48621
STATD_PORT=48622
RQUOTAD=no
RQUOTAD_PORT=48623
!
server$ vi /etc/init.d/nfs # apply the rquotad port patch shown at the end of this page
server$ iptables -I RH-Firewall-1-INPUT -m state --state NEW \
-m tcp -p tcp --dport 111 -j ACCEPT
server$ iptables -I RH-Firewall-1-INPUT -m state --state NEW \
-m tcp -p tcp --dport 2049 -j ACCEPT
server$ iptables -I RH-Firewall-1-INPUT -m state --state NEW \
-m tcp -p tcp --dport 48620 -j ACCEPT
server$ iptables -I RH-Firewall-1-INPUT -m state --state NEW \
-m tcp -p tcp --dport 48621 -j ACCEPT
server$ iptables -I RH-Firewall-1-INPUT -m state --state NEW \
-m tcp -p tcp --dport 48622 -j ACCEPT
server$ iptables -I RH-Firewall-1-INPUT -m state --state NEW \
-m tcp -p tcp --dport 48623 -j ACCEPT
server$ iptables -I RH-Firewall-1-INPUT -m state --state NEW \
-m udp -p udp --dport 111 -j ACCEPT
server$ iptables -I RH-Firewall-1-INPUT -m state --state NEW \
-m udp -p udp --dport 2049 -j ACCEPT
server$ iptables -I RH-Firewall-1-INPUT -m state --state NEW \
-m udp -p udp --dport 48620 -j ACCEPT
server$ iptables -I RH-Firewall-1-INPUT -m state --state NEW \
-m udp -p udp --dport 48621 -j ACCEPT
server$ iptables -I RH-Firewall-1-INPUT -m state --state NEW \
-m udp -p udp --dport 48622 -j ACCEPT
server$ iptables -I RH-Firewall-1-INPUT -m state --state NEW \
-m udp -p udp --dport 48623 -j ACCEPT
server$ /etc/init.d/portmap start
server$ /etc/init.d/nfslock start
server$ /etc/init.d/rstatd start
server$ /etc/init.d/nfs start
server$ /etc/init.d/netfs start
server$ exportfs -av # netfs is supposed to do this.
server$ # Note: after changes to /etc/exports run "exportfs -rv"
server$ tail -f /var/log/messages
server$ ssh client
client$ # NFS uses reverse DNS lookups, so add
client$ # entries for server and client
client$ ifconfig; hostname
client$ vi /etc/hosts
client$ rup server
client$ # verify that nlockmgr, mountd, rquotad and status appear on the pinned
client$ # ports (48620-48623); the sample output below still shows portmap-assigned
client$ # ports, which the firewall holes above would not cover.
client$ rpcinfo -p server
program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100003 4 udp 2049 nfs
100003 2 tcp 2049 nfs
100003 3 tcp 2049 nfs
100003 4 tcp 2049 nfs
100021 1 udp 35395 nlockmgr
100021 3 udp 35395 nlockmgr
100021 4 udp 35395 nlockmgr
100021 1 tcp 33641 nlockmgr
100021 3 tcp 33641 nlockmgr
100021 4 tcp 33641 nlockmgr
100011 1 udp 909 rquotad
100011 2 udp 909 rquotad
100011 1 tcp 912 rquotad
100011 2 tcp 912 rquotad
100005 1 udp 915 mountd
100005 1 tcp 918 mountd
100005 2 udp 915 mountd
100005 2 tcp 918 mountd
100005 3 udp 915 mountd
100005 3 tcp 918 mountd
100024 1 udp 35396 status
100024 1 tcp 33642 status
client$ rpcinfo -u server status 1
program 100024 version 1 ready and waiting
client$ mkdir /mnt/foo
client$ mount -t nfs -o ro server:/tmp/wpshare /mnt/foo
client$ ls -l /mnt/foo
client$ # ...
client$ umount /mnt/foo
Sample /etc/sysconfig/iptables firewall with NFS additions
cat iptables
# Firewall configuration written by redhat-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 995 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 995 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 993 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 993 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
# holes for Samba (plus TCP/901 for swat):
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
# holes for NFS:
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 48620 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 48621 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 48622 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 48623 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 48620 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 48621 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 48622 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 48623 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
/etc/exports
#
/nfsshare 10.0.0.0/8(async,ro) localhost(async,rw)
/etc/sysconfig/nfs
LOCKD_TCPPORT=48620
LOCKD_UDPPORT=48620
MOUNTD_PORT=48621
STATD_PORT=48622
RQUOTAD=no
RQUOTAD_PORT=48623
/etc/hosts.allow
portmap: LOCAL, 127.0.0.1, 10.
lockd: LOCAL, 127.0.0.1, 10.
rquotad: LOCAL, 127.0.0.1, 10.
mountd: LOCAL, 127.0.0.1, 10.
statd: LOCAL, 127.0.0.1, 10.
Diff (patch) for /etc/init.d/nfs, Fedora Core 2 version
diff -c nfs.ORIG nfs
*** nfs.ORIG Wed Apr 6 17:07:22 2005
--- nfs Wed Apr 6 17:07:22 2005
***************
*** 59,66 ****
fi
if [ -n "$RQUOTAD" -a "$RQUOTAD" != "no" ]; then
echo -n $"Starting NFS quotas: "
! daemon rpc.rquotad
echo
fi
echo -n $"Starting NFS daemon: "
--- 59,68 ----
fi
if [ -n "$RQUOTAD" -a "$RQUOTAD" != "no" ]; then
+ [ -n "$RQUOTAD_PORT" ] \
+ && RQUOTADOPTS="$RQUOTADOPTS -p $RQUOTAD_PORT"
echo -n $"Starting NFS quotas: "
! daemon rpc.rquotad $RQUOTADOPTS
echo
fi
echo -n $"Starting NFS daemon: "
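Review bot: The added `[ -n "$RQUOTAD_PORT" ] && RQUOTADOPTS="$RQUOTADOPTS -p $RQUOTAD_PORT"` pins rquotad's port, but it sits inside the existing guard that compares `$RQUOTAD` case-sensitively against `no`, and the sample /etc/sysconfig/nfs earlier on this page uses `RQUOTAD=NO`, which that test does not treat as disabled, so rpc.rquotad would still be started (on the pinned port). Either state in /etc/sysconfig/nfs that the value must be the lowercase `no`, or normalise it ahead of the `if`, e.g. `case "$RQUOTAD" in [Nn][Oo]) RQUOTAD=no ;; esac`. `RQUOTADOPTS` is appended to without being initialised anywhere in the hunk; presumably it is unset at this point, but an exported value inherited from the caller's environment would be passed straight to `daemon rpc.rquotad`, so an explicit `RQUOTADOPTS=` before the append would be safer. The enclosing start block begins before this hunk and continues after it.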