NFS servers don't play nice with iptables when the daemons use random port numbers (which is the default in Debian).
To force consistent port numbers upon NFS (when using nfs-kernel-server), set the following in /etc/default/nfs-kernel-server. This will force mountd to use port 4002 for both TCP and UDP.
RPCMOUNTDOPTS="--port 4002"
For lockd, add the following into /etc/modules (you need to build lockd as a module for this) ...
lockd nlm_udpport=33000 nlm_tcpport=42049
Next, you can force statd to use port 4000 and port 4001 by setting this in /etc/default/nfs-common:
STATDOPTS="--port 4000 --outgoing-port 4001"
Finally, add iptables rules:
iptables -F nfs_server
iptables -A nfs_server -p TCP --dport 2049 -j ACCEPT # nfs
iptables -A nfs_server -p TCP --dport 4000:4001 -j ACCEPT # statd
iptables -A nfs_server -p TCP --dport 4002 -j ACCEPT # mountd
iptables -A nfs_server -p UDP --destination-port 4002 -j ACCEPT # mountd
iptables -A nfs_server -p UDP --destination-port 33000 -j ACCEPT # lockd
iptables -A nfs_server -p TCP --dport 42049 -j ACCEPT # lockd
Be sure that only packets from client IP addresses are directed through the nfs_server chain.
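To tie the steps together, here is an added example (not part of the original post) that generates the whole rule set from the fixed ports above, creates the nfs_server chain if it does not exist yet, and adds the INPUT jump rules that send only the listed client addresses through it. The port and protocol list matches the post exactly; the client subnet is a constructed placeholder.

```shell
#!/bin/sh
# Added example: emit the iptables commands for the fixed NFS ports configured
# above and restrict the nfs_server chain to a list of client addresses.
# The port/protocol pairs are the ones from the post; nothing else is accepted.

# protocol:port entries, one per rule (a port may be a range like 4000:4001)
NFS_PORTS="tcp:2049 tcp:4000:4001 tcp:4002 udp:4002 udp:33000 tcp:42049"

# nfs_rules CLIENT [CLIENT...]  -> prints one iptables command per line.
# Pipe the output into sh to apply it; printing first lets you review it.
nfs_rules() {
    # create the chain if it is missing (the -F below fails on a missing chain),
    # then start from an empty chain so the script can be re-run safely
    echo "iptables -N nfs_server 2>/dev/null || true"
    echo "iptables -F nfs_server"
    for entry in $NFS_PORTS; do
        proto=${entry%%:*}      # tcp or udp
        port=${entry#*:}        # single port or a low:high range
        echo "iptables -A nfs_server -p $proto --dport $port -j ACCEPT"
    done
    # only packets from the named clients enter the chain; anything that does
    # not match an ACCEPT rule returns to INPUT and follows its normal policy
    for client in "$@"; do
        echo "iptables -A INPUT -s $client -j nfs_server"
    done
}

# usage (constructed client subnet): review, then apply with "| sh"
nfs_rules 192.168.1.0/24
```

After restarting the NFS services, `rpcinfo -p` on the server lists the port each daemon actually registered, so you can confirm they match the numbers the rules allow before relying on them.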