NFS Setup Demonstration

server$ # NFS does reverse DNS lookups on its peers, so add
server$ # /etc/hosts entries for both the server and the client
server$ ifconfig; hostname
server$ vi /etc/hosts

server$ mkdir -m 1777 /tmp/wpshare
server$ vi /tmp/wpshare/some-file

server$ cat <<! >>/etc/exports
# Share the man pages from cws.hcc-online.com with yborstudent:
/usr/share/man 10.0.0.0/8(async,ro) localhost(async,ro)
/tmp/wpshare 10.0.0.0/8(async,rw) localhost(async,rw)
!

server$ cat <<! >>/etc/hosts.allow
portmap: LOCAL, 127.0.0.1, 10.
lockd: LOCAL, 127.0.0.1, 10.
rquotad: LOCAL, 127.0.0.1, 10.
mountd: LOCAL, 127.0.0.1, 10.
statd: LOCAL, 127.0.0.1, 10.
!

server$ # Pin the ports the NFS helper daemons use, so firewall holes
server$ # can be opened for them.  Else portmap will assign random ports!
server$ # The ports used below are unassigned by the IANA.

server$ cat <<! >/etc/sysconfig/nfs
# LOCKD ports are passed as kernel module options via /proc!
LOCKD_TCPPORT=48620
LOCKD_UDPPORT=48620
MOUNTD_PORT=48621
STATD_PORT=48622
RQUOTAD=no
RQUOTAD_PORT=48623
!

server$ vi /etc/init.d/nfs  # apply the RQUOTAD_PORT patch shown at the end of this page

server$ iptables -I RH-Firewall-1-INPUT -m state --state NEW \
   -m tcp -p tcp --dport 111 -j ACCEPT
server$ iptables -I RH-Firewall-1-INPUT -m state --state NEW \
   -m tcp -p tcp --dport 2049 -j ACCEPT
server$ iptables -I RH-Firewall-1-INPUT -m state --state NEW \
   -m tcp -p tcp --dport 48620 -j ACCEPT
server$ iptables -I RH-Firewall-1-INPUT -m state --state NEW \
   -m tcp -p tcp --dport 48621 -j ACCEPT
server$ iptables -I RH-Firewall-1-INPUT -m state --state NEW \
   -m tcp -p tcp --dport 48622 -j ACCEPT
server$ iptables -I RH-Firewall-1-INPUT -m state --state NEW \
   -m tcp -p tcp --dport 48623 -j ACCEPT
server$ iptables -I RH-Firewall-1-INPUT -m state --state NEW \
   -m udp -p udp --dport 111 -j ACCEPT
server$ iptables -I RH-Firewall-1-INPUT -m state --state NEW \
   -m udp -p udp --dport 2049 -j ACCEPT
server$ iptables -I RH-Firewall-1-INPUT -m state --state NEW \
   -m udp -p udp --dport 48620 -j ACCEPT
server$ iptables -I RH-Firewall-1-INPUT -m state --state NEW \
   -m udp -p udp --dport 48621 -j ACCEPT
server$ iptables -I RH-Firewall-1-INPUT -m state --state NEW \
   -m udp -p udp --dport 48622 -j ACCEPT
server$ iptables -I RH-Firewall-1-INPUT -m state --state NEW \
   -m udp -p udp --dport 48623 -j ACCEPT

server$ /etc/init.d/portmap start
server$ /etc/init.d/nfslock start
server$ /etc/init.d/rstatd start
server$ /etc/init.d/nfs start
server$ /etc/init.d/netfs start

server$ exportfs -av  # netfs is supposed to do this.
server$ # Note: after changes to /etc/exports run "exportfs -rv"

server$ tail -f /var/log/messages

server$ ssh client

client$ # NFS does reverse DNS lookups on its peers, so add
client$ # /etc/hosts entries for both the server and the client
client$ ifconfig; hostname
client$ vi /etc/hosts

client$ rup server

client$ rpcinfo -p server  # NOTE: in the output below nlockmgr, rquotad, mountd and status are NOT on the fixed 4862x ports set in /etc/sysconfig/nfs above; since the firewall rules above open only 111, 2049 and 48620-48623, those services would be blocked from the client until the fixed ports take effect.
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    4   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100021    1   udp  35395  nlockmgr
    100021    3   udp  35395  nlockmgr
    100021    4   udp  35395  nlockmgr
    100021    1   tcp  33641  nlockmgr
    100021    3   tcp  33641  nlockmgr
    100021    4   tcp  33641  nlockmgr
    100011    1   udp    909  rquotad
    100011    2   udp    909  rquotad
    100011    1   tcp    912  rquotad
    100011    2   tcp    912  rquotad
    100005    1   udp    915  mountd
    100005    1   tcp    918  mountd
    100005    2   udp    915  mountd
    100005    2   tcp    918  mountd
    100005    3   udp    915  mountd
    100005    3   tcp    918  mountd
    100024    1   udp  35396  status
    100024    1   tcp  33642  status

client$ rpcinfo -u server status 1
program 100024 version 1 ready and waiting

client$ mkdir /mnt/foo
client$ mount -t nfs -o ro server:/tmp/wpshare /mnt/foo
client$ ls -l /mnt/foo
client$ # ...
client$ umount /mnt/foo

Sample /etc/sysconfig/iptables firewall with NFS additions

cat iptables
# Firewall configuration written by redhat-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 995 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 995 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 993 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 993 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
# holes for Samba (plus TCP/901 for swat):
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
# holes for NFS:
# 111 = portmapper, 2049 = nfsd.  48620-48623 are the lockd/mountd/statd/rquotad
# ports pinned in /etc/sysconfig/nfs, so these holes only line up when those
# settings are actually in effect (verify with "rpcinfo -p" from a client).
# 48623 is opened even though RQUOTAD=no disables rquotad; drop both 48623
# rules if rquotad stays off.
# NOTE(review): no source restriction here -- any host that can reach these
# ports passes the firewall; only /etc/exports and /etc/hosts.allow (both
# limited to 10.*) decide who may actually mount.
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 48620 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 48621 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 48622 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 48623 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 48620 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 48621 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 48622 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 48623 -j ACCEPT
# everything not matched above -- including NFS helpers still on random,
# unpinned ports -- is rejected here
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

/etc/exports

#
/nfsshare 10.0.0.0/8(async,ro) localhost(async,rw)

/etc/sysconfig/nfs

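# Fixed ports for the NFS helper daemons, so firewall holes can be opened
# for them (else portmap will assign random ports).
# LOCKD ports are passed as kernel module options via /proc.
LOCKD_TCPPORT=48620
LOCKD_UDPPORT=48620
MOUNTD_PORT=48621
STATD_PORT=48622
# Must be lower-case "no": /etc/init.d/nfs tests "$RQUOTAD" != "no"
# case-sensitively, so "NO" would still start rpc.rquotad.
RQUOTAD=no
RQUOTAD_PORT=48623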

/etc/hosts.allow

portmap: LOCAL, 127.0.0.1, 10.
lockd: LOCAL, 127.0.0.1, 10.
rquotad: LOCAL, 127.0.0.1, 10.
mountd: LOCAL, 127.0.0.1, 10.
statd: LOCAL, 127.0.0.1, 10.

Diff (patch) for /etc/init.d/nfs, Fedora Core 2 version

diff -c nfs.ORIG nfs
*** nfs.ORIG    Wed Apr  6 17:07:22 2005
--- nfs Wed Apr  6 17:07:22 2005
***************
*** 59,66 ****
        fi

        if [ -n "$RQUOTAD" -a "$RQUOTAD" != "no" ]; then
            echo -n $"Starting NFS quotas: "
!           daemon rpc.rquotad
            echo
        fi
        echo -n $"Starting NFS daemon: "
--- 59,68 ----
        fi

        if [ -n "$RQUOTAD" -a "$RQUOTAD" != "no" ]; then
+           [ -n "$RQUOTAD_PORT" ] \
+           && RQUOTADOPTS="$RQUOTADOPTS -p $RQUOTAD_PORT"
            echo -n $"Starting NFS quotas: "
!           daemon rpc.rquotad $RQUOTADOPTS
            echo
        fi
        echo -n $"Starting NFS daemon: "
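Review bot: The guard on the context line above the inserted lines, `if [ -n "$RQUOTAD" -a "$RQUOTAD" != "no" ]; then`, is a case-sensitive compare, so a sysconfig value of `NO` (the spelling used in the sample /etc/sysconfig/nfs earlier on this page) still starts rpc.rquotad on the pinned port, and the patch leaves that line untouched. A narrow fix that also drops the deprecated `-a` is `if [ -n "$RQUOTAD" ] && [ "$RQUOTAD" != "no" ] && [ "$RQUOTAD" != "NO" ]; then`. The new `RQUOTADOPTS` assignment is only reached when that guard passes, and `$RQUOTADOPTS` is deliberately left unquoted on the daemon line so `-p` and the port split into separate arguments; a comment saying so would stop a later cleanup from quoting it. The enclosing start arm of the init script begins before and ends after this hunk.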