2008-08-24 - Forcing NFS to use consistent port numbers

NFS (v3) servers don't play nice with iptables when the helper daemons (mountd, statd and lockd) pick a random port at startup and merely register it with the portmapper, which is the default in Debian: a static firewall rule cannot know in advance which port to allow.

To force consistent port numbers on NFS (when using nfs-kernel-server), set the following in /etc/default/nfs-kernel-server and restart nfs-kernel-server. This will force mountd to use port 4002 for both TCP and UDP.

RPCMOUNTDOPTS="--port 4002"

For lockd, add the following line to /etc/modules (this only works when lockd is built as a module; if it is compiled into the kernel, the same values can be set through the fs.nfs.nlm_udpport and fs.nfs.nlm_tcpport sysctls instead). The parameters are read when the module is loaded, so a reboot (or unloading and reloading lockd with the NFS server stopped) is needed for them to take effect ...

lockd    nlm_udpport=33000 nlm_tcpport=42049

Next, you can force statd to use port 4000 (listening) and port 4001 (the source port for its outgoing calls, e.g. reboot notifications to clients) by setting this in /etc/default/nfs-common and restarting nfs-common:

STATDOPTS="--port 4000 --outgoing-port 4001"

Finally, add iptables rules. Each daemon listens on both TCP and UDP, and a client first asks the portmapper (port 111) where mountd, statd and lockd live, so the portmapper has to be reachable as well:

iptables -N nfs_server 2>/dev/null # create the chain if it does not exist yet
iptables -F nfs_server
iptables -A nfs_server -p tcp --dport 111 -j ACCEPT # portmapper
iptables -A nfs_server -p udp --dport 111 -j ACCEPT # portmapper
iptables -A nfs_server -p tcp --dport 2049 -j ACCEPT # nfs
iptables -A nfs_server -p udp --dport 2049 -j ACCEPT # nfs over UDP
iptables -A nfs_server -p tcp --dport 4000:4001 -j ACCEPT # statd
iptables -A nfs_server -p udp --dport 4000:4001 -j ACCEPT # statd
iptables -A nfs_server -p tcp --dport 4002 -j ACCEPT # mountd
iptables -A nfs_server -p udp --dport 4002 -j ACCEPT # mountd
iptables -A nfs_server -p udp --dport 33000 -j ACCEPT # lockd
iptables -A nfs_server -p tcp --dport 42049 -j ACCEPT # lockd

nfs_server is a user-defined chain, not a table: jump into it from INPUT only for packets whose source address belongs to an NFS client, so that nothing else ever reaches these ACCEPT rules. After restarting the daemons, check with rpcinfo -p that mountd, status and nlockmgr really show up on the pinned ports; if one of them did not pick up its option it will again be sitting on a random port that the rules above do not cover.
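The whole procedure, as an added example that is not part of the original post: a small POSIX shell script that reads `rpcinfo -p` output and verifies every helper daemon registered on the pinned port (all versions of a program have to agree), then prints the iptables commands that build the nfs_server chain and jump only the given client networks into it. The port numbers are the ones chosen above; the rpcinfo output embedded in the script is constructed to look like a server where the settings took effect, and the client networks in the usage line are assumed values.

```shell
#!/bin/sh
# Added example, not from the original post. Verifies that mountd, statd and
# lockd registered on the pinned ports and emits the matching iptables rules.

MOUNTD_PORT=4002
STATD_PORT=4000
LOCKD_UDP=33000
LOCKD_TCP=42049

# Constructed sample of `rpcinfo -p` on a server where the pinned ports took
# effect. On a real machine feed `rpcinfo -p` into check_pinned_ports instead.
CONSTRUCTED_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp   4000  status
    100024    1   tcp   4000  status
    100003    3   tcp   2049  nfs
    100003    3   udp   2049  nfs
    100021    1   udp  33000  nlockmgr
    100021    4   tcp  42049  nlockmgr
    100005    1   udp   4002  mountd
    100005    3   tcp   4002  mountd'

# registered_port NAME PROTO: print the distinct port(s) program NAME is
# registered on over PROTO, reading rpcinfo text from stdin.
registered_port() {
    awk -v n="$1" -v p="$2" '$3 == p && $5 == n { print $4 }' | sort -u
}

# check_pinned_ports: read `rpcinfo -p` output on stdin; report every daemon
# that is missing or not on its pinned port. Returns 1 if anything is off.
check_pinned_ports() {
    input=$(cat)
    rc=0
    for spec in "mountd tcp $MOUNTD_PORT" "mountd udp $MOUNTD_PORT" \
                "status tcp $STATD_PORT" "status udp $STATD_PORT" \
                "nlockmgr udp $LOCKD_UDP" "nlockmgr tcp $LOCKD_TCP"; do
        set -- $spec
        got=$(printf '%s\n' "$input" | registered_port "$1" "$2")
        if [ "$got" != "$3" ]; then
            echo "$1/$2: expected port $3, rpcinfo shows '${got:-none}'" >&2
            rc=1
        fi
    done
    return $rc
}

# nfs_rules CLIENT_NET...: print the commands that build the nfs_server chain,
# jump only the given client networks into it, and explicitly drop everyone
# else on the NFS ports. Printed rather than applied so it can be reviewed
# first (pipe into sh to apply).
nfs_rules() {
    [ $# -gt 0 ] || { echo "usage: nfs_rules CLIENT_NET..." >&2; return 2; }
    cat <<EOF
iptables -N nfs_server 2>/dev/null
iptables -F nfs_server
iptables -A nfs_server -p tcp --dport 111 -j ACCEPT
iptables -A nfs_server -p udp --dport 111 -j ACCEPT
iptables -A nfs_server -p tcp --dport 2049 -j ACCEPT
iptables -A nfs_server -p udp --dport 2049 -j ACCEPT
iptables -A nfs_server -p tcp --dport $STATD_PORT -j ACCEPT
iptables -A nfs_server -p udp --dport $STATD_PORT -j ACCEPT
iptables -A nfs_server -p tcp --dport $MOUNTD_PORT -j ACCEPT
iptables -A nfs_server -p udp --dport $MOUNTD_PORT -j ACCEPT
iptables -A nfs_server -p udp --dport $LOCKD_UDP -j ACCEPT
iptables -A nfs_server -p tcp --dport $LOCKD_TCP -j ACCEPT
EOF
    for net in "$@"; do
        echo "iptables -A INPUT -s $net -j nfs_server"
    done
    echo "iptables -A INPUT -p tcp -m multiport --dports 111,2049,$STATD_PORT,$MOUNTD_PORT,$LOCKD_TCP -j DROP"
    echo "iptables -A INPUT -p udp -m multiport --dports 111,2049,$STATD_PORT,$MOUNTD_PORT,$LOCKD_UDP -j DROP"
}

# Usage: check the constructed sample, then print rules for two assumed
# client networks (192.0.2.0/24 and 198.51.100.7 are placeholders).
printf '%s\n' "$CONSTRUCTED_RPCINFO" | check_pinned_ports && echo "all helper daemons are on their pinned ports"
nfs_rules 192.0.2.0/24 198.51.100.7
```

Run the check after every restart of nfs-kernel-server and after a reboot: lockd in particular will silently fall back to a random port if the module parameters were not picked up, and the generated rules then block exactly the locking traffic that clients need.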