wiki.titan2x.com

by Janos Gyerik

NFS server-client setup


Server side

sudo apt-get install nfs-kernel-server
  • Note: The most important dependency here is portmap.

Edit /etc/exports:

# /etc/exports: the access control list for filesystems which may be exported
#               to NFS clients.  See exports(5).
#
# Example: for NFSv2 and NFSv3:
# /srv/homes       hostname1(rw,sync) hostname2(ro,sync)
#
# Example for NFSv4:
# /srv/nfs4        gss/krb5i(rw,sync,fsid=0,crossmnt)
# /srv/nfs4/homes  gss/krb5i(rw,sync)
#
/srv/home        192.168.2.0/24(rw,sync,no_subtree_check)

Activate changes:

sudo exportfs -a

Firewalls

This subsection is based largely on the Debian Wiki - SecuringNFS article.

When you set up a tight firewall, you follow the "deny all, allow some" paradigm. The SunRPC system, by contrast, was designed around the "trust the remote system" and the "make it simple for the admin, use dynamic ports" paradigms. Fortunately, the services you use with NFS have port options that let them work better with your firewall.

Perform the following changes:

# /etc/default/nfs-common
STATDOPTS="--port 32765 --outgoing-port 32766"

# /etc/default/nfs-kernel-server
RPCMOUNTDOPTS="-p 32767"

# /etc/services
# NFS ports as per the NFS-HOWTO
# http://www.tldp.org/HOWTO/NFS-HOWTO/security.html#FIREWALLS
# Listing here does not mean they will bind to these ports.
rpc.nfsd        2049/tcp                        # RPC nfsd
rpc.nfsd        2049/udp                        # RPC nfsd
rpc.statd-bc    32765/tcp                       # RPC statd broadcast
rpc.statd-bc    32765/udp                       # RPC statd broadcast
rpc.statd       32766/tcp                       # RPC statd listen
rpc.statd       32766/udp                       # RPC statd listen
rpc.mountd      32767/tcp                       # RPC mountd
rpc.mountd      32767/udp                       # RPC mountd
rpc.lockd       32768/tcp                       # RPC lockd/nlockmgr
rpc.lockd       32768/udp                       # RPC lockd/nlockmgr
rpc.quotad      32769/tcp                       # RPC quotad
rpc.quotad      32769/udp                       # RPC quotad

# /etc/modprobe.d/options.local
options lockd nlm_udpport=32768 nlm_tcpport=32768

In addition to the above, you will also need to open port 111 for portmap. For example, this is how you would configure all this in shorewall:

# /etc/shorewall/rules
ACCEPT          net:192.168.224.0/24            $FW             tcp 111,2049,32765:32769
ACCEPT          net:192.168.224.0/24            $FW             udp 111,2049,32765:32769

After the above changes, it is probably best to restart all the related services:

sudo /etc/init.d/nfs-kernel-server restart
sudo /etc/init.d/portmap restart
sudo /etc/init.d/shorewall restart
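
To confirm after the restart that every RPC service really registered on a port the firewall rule allows, the following added example (not part of the original page) checks `rpcinfo -p` output against the port set 111, 2049 and 32765-32769 used above. The function name and both sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag RPC services registered outside the ports opened in the
# firewall rule on this page (111, 2049 and 32765-32769).

# Reads `rpcinfo -p` style text on stdin, prints "service/proto port" for each
# registration outside the allowed set, and returns 1 if any were found.
check_rpc_ports() {
    awk '
        $1 !~ /^[0-9]+$/ || NF < 5 { next }   # skip header and malformed rows
        {
            port = $4 + 0
            if (port == 111 || port == 2049 || (port >= 32765 && port <= 32769)) next
            printf "%s/%s %d\n", $5, $3, port
            bad = 1
        }
        END { exit (bad + 0) }
    '
}

# Constructed sample: mountd still on dynamic ports, as if RPCMOUNTDOPTS
# had not taken effect.
sample_bad='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100024    1   udp  32765  status
    100003    3   tcp   2049  nfs
    100021    1   tcp  32768  nlockmgr
    100005    3   udp  48211  mountd
    100005    3   tcp  51377  mountd'

# Constructed sample: every service pinned as configured above.
sample_good='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100024    1   udp  32765  status
    100003    3   tcp   2049  nfs
    100021    1   tcp  32768  nlockmgr
    100005    3   udp  32767  mountd
    100005    3   tcp  32767  mountd'

# Demo on the constructed data; on a live server use: rpcinfo -p | check_rpc_ports
printf '%s\n' "$sample_bad" | check_rpc_ports || echo "unpinned RPC services found"
printf '%s\n' "$sample_good" | check_rpc_ports && echo "all RPC services on allowed ports"
```

Any service it lists would be blocked by the "deny all, allow some" rules, so a non-empty result points at a port option that was not applied.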

Client side

sudo apt-get install nfs-common
  • Note: The most important dependency here is portmap.

Edit /etc/fstab:

vm-ldap:/srv/home /srv/home nfs intr,wsize=8192,rsize=8192 0 0

Try mounting the partition with:

mount -a

OR

mount /srv/home

OR even

mount -t nfs vm-ldap:/srv/home /srv/home

Troubleshooting

  • Mount/umount request logs go to /var/log/daemon.log
  • Firewall logs go to /var/log/messages
  • Make sure portmap runs on both server and client, test with rpcinfo -p
  • Make sure server exports the directories by re-running exportfs -a