Linode Community Forums
PostPosted: Sun Apr 18, 2010 10:01 pm 
I'm having trouble getting past iptables in an NFS setup. The NFS server's iptables has the following rules:

-A INPUT -p tcp --dport 111 -j ACCEPT
-A INPUT -p udp --dport 111 -j ACCEPT
-A INPUT -p tcp --dport 2049 -j ACCEPT
-A INPUT -p udp --dport 2049 -j ACCEPT

My understanding is this should open the ports to my client machine, but it's not happening. If I comment out the last deny rule below I have no problem mounting from the client:

-A INPUT -j REJECT

With the above uncommented in the server's iptables, I'm blocked. Obviously my 'accept' rules are incorrect. Any suggestions would be greatly appreciated.

Thanks,


PostPosted: Mon Apr 19, 2010 4:11 am 
Only a guess, but doesn't having the REJECT last override all the ACCEPT lines? (assumes you have it in this order)

REJECT first then ACCEPT and see if that works.

PostPosted: Mon Apr 19, 2010 12:17 pm 
I checked the daemon log and it appears that when the client mount was working, the port that was used was essentially random. Reading elsewhere, this appears to be common with NFS and consequently a problem connecting through iptables. Even locking the port in the nfs-kernel-server configuration didn't help. So I changed the iptables port to a wide range and set the connection to just my client's private ip, and it works now.

Thanks.

PostPosted: Mon Apr 19, 2010 4:55 pm 
cap wrote:
I checked the daemon log and it appears that when the client mount was working, the port that was used was essentially random. Reading elsewhere, this appears to be common with NFS and consequently a problem connecting through iptables. Even locking the port in the nfs-kernel-server configuration didn't help. So I changed the iptables port to a wide range and set the connection to just my client's private ip, and it works now.

Thanks.

Yes. This is the function of the RPC mechanism. Lock down the RPC server to just the source IPs that you need -- RPC is a favorite target.

I was able to get all of NFS's daemons to lock to one port using configuration options in /etc/defaults (Ubuntu), but not for NFSv4 -- just NFSv3.

_________________
Disclaimer: I am no longer employed by Linode; opinions are my own alone.

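As an added example (not code from this thread or from Linode), here is a small Python check for the situation cap hit and Jed explains: it parses `rpcinfo -p` output together with a set of iptables INPUT rules and lists every RPC service whose port no ACCEPT rule covers. The rpcinfo listing is constructed sample data with the auxiliary daemons on random ports; the rules are the ones from the first post.

```python
import re

# Constructed sample of `rpcinfo -p` on an NFSv3 server: only portmapper and nfs have
# fixed ports; mountd, nlockmgr and status get random ports from RPC unless pinned.
RPCINFO_SAMPLE = """\
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    3   tcp   2049  nfs
    100003    3   udp   2049  nfs
    100005    3   tcp  36523  mountd
    100005    3   udp  41255  mountd
    100021    3   tcp  39871  nlockmgr
    100021    3   udp  52103  nlockmgr
    100024    1   tcp  54007  status
    100024    1   udp  38861  status
"""

# The original poster's INPUT rules, as quoted in the thread.
IPTABLES_SAMPLE = """\
-A INPUT -p tcp --dport 111 -j ACCEPT
-A INPUT -p udp --dport 111 -j ACCEPT
-A INPUT -p tcp --dport 2049 -j ACCEPT
-A INPUT -p udp --dport 2049 -j ACCEPT
-A INPUT -j REJECT
"""

# Matches ACCEPT rules with a single --dport or a low:high range.
RULE_RE = re.compile(r"-p\s+(tcp|udp)\b.*?--dport\s+(\d+)(?::(\d+))?.*?-j\s+ACCEPT")

def accepted_ranges(rules):
    """Map proto -> list of (low, high) destination port ranges opened by ACCEPT rules."""
    ranges = {"tcp": [], "udp": []}
    for m in (RULE_RE.search(line) for line in rules.splitlines()):
        if m:
            lo = int(m.group(2))
            ranges[m.group(1)].append((lo, int(m.group(3)) if m.group(3) else lo))
    return ranges

def blocked_rpc_services(rpcinfo, rules):
    """Return (service, proto, port) tuples from `rpcinfo -p` that no ACCEPT rule covers."""
    ranges = accepted_ranges(rules)
    blocked = []
    for line in rpcinfo.splitlines():
        fields = line.split()
        if len(fields) != 5 or not fields[3].isdigit():
            continue  # skip the header line and anything malformed
        _prog, _vers, proto, port, service = fields
        if not any(lo <= int(port) <= hi for lo, hi in ranges.get(proto, [])):
            blocked.append((service, proto, int(port)))
    return blocked
```

With the first post's rules the check reports mountd, nlockmgr and status on both protocols; opening a range that covers the random ports (or pinning the daemons to fixed ports and opening those, restricted to the client's source address) empties the list.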
PostPosted: Mon Apr 19, 2010 5:52 pm 
cap wrote:
So I changed the iptables port to a wide range and set the connection to just my client's private ip, and it works now.

Another option (if you're essentially locking things down to a specific client) is to set up a VPN, such as OpenVPN, from the client, and then let any VPN tunnel traffic through in general on the server side.

That way, you have a single client-side step of establishing the VPN, and after that you have full access to your server without requiring any further fiddling with any filters.

-- David

Powered by phpBB® Forum Software © phpBB Group