Re: recipe/example | nftables for Internet nfs4? << iif enp1s0 tcp dport 2049 counter accept comment "allow nfs"

On Tue 7/23/24 22:28 +0100 Calum Mackay wrote:
>On 23/07/2024 8:53 pm, linux-nfs@xxxxxxxxxxx wrote:
>> I have a fedora server on Internet sharing out NFS; working ok for 3+ years w/firewalld.  I'm going w/pure nftables on a new server. Does anyone have a recipe/example for setting up an NFS server using nftables?
>
>I'm still stuck on iptables, but I imagine it ought to be something 
>simple like adding this to your NFSv4 server's inbound chain:
>
>	tcp dport 2049 accept
>
>assuming you have a default accept policy on your outbound chain.
>
>That's just for NFSv4 over TCP, of course. And you might want to add ct 
>connection tracking state, etc.

Thank you Calum.

As you suggested, I added:

iif enp1s0 tcp dport 2049               counter accept comment "allow nfs"

I then tried mount -v ... and it got farther but failed:

    mount.nfs4: mount(2): Permission denied

Then I restarted nftables.service. It worked!

--
thanks!
Tom

--8<---------------cut here---------------start------------->8--- 
# cat /etc/sysconfig/nftables.conf |_rmcm ## comments stripped. enp1s0 faces Internet
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0;
        iif enp1s0 tcp dport {ssh}              counter accept comment "allow ssh"
        iif enp1s0 tcp dport {http, https}      counter accept comment "allow http, https"
        iif enp1s0 tcp dport 2049               counter accept comment "allow nfs"
        iif enp1s0 tcp dport {smtp}             counter accept comment "smtp"
        iif enp1s0 ct state {established, related} counter accept comment "allow established Internet packets"
        iif enp1s0 counter drop comment "dropped Internet packets"
        iif enp2s0 accept comment "allow local packets"
    }
    chain forward {
        type filter hook forward priority 0;
        iif enp1s0 oif enp2s0 ct state {established, related} counter accept comment "allow Internet est/relat"
        iif enp2s0 oif enp1s0 counter accept comment "allow lan to Internet"
        iif enp1s0 drop
    }
    chain output {
        type filter hook output priority 0;
    }
}
table nat {
    chain output {
        type nat hook output priority -100;
    }
    chain prerouting {
        type nat hook prerouting priority -100;
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        ip saddr 10.164.123.0/24  oif enp1s0 counter snat MY_SERVERS_INTERNET_IP comment "snat/static ip"
    }
}
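An added example, not part of Tom's post or of nftables itself: a small Python linter that reads a constructed, shortened copy of the posted input chain and checks that the NFS accept rule is actually reachable on the Internet-facing interface (enp1s0, as in the post) and that no rule sits dead behind an earlier catch-all verdict on the same interface. Rule order is what makes the posted chain work, and this is the check to run before reloading a hand-edited /etc/sysconfig/nftables.conf.

```python
import re

# Constructed copy of the posted input chain (comments shortened); enp1s0 faces the Internet.
GOOD = """table inet filter {
    chain input {
        type filter hook input priority 0;
        iif enp1s0 tcp dport {ssh}              counter accept comment "allow ssh"
        iif enp1s0 tcp dport 2049               counter accept comment "allow nfs"
        iif enp1s0 ct state {established, related} counter accept comment "allow established"
        iif enp1s0 counter drop comment "dropped Internet packets"
        iif enp2s0 accept comment "allow local packets"
    }
}"""

def swap_lines(text, a, b):
    ls = text.splitlines(); ls[a], ls[b] = ls[b], ls[a]; return "\n".join(ls)

# Same chain with the catch-all drop moved above the NFS rule: NFS and ct-state rules go dead.
BAD = swap_lines(GOOD, 4, 6)

VERDICTS = ("accept", "drop", "reject")

def chain_rules(text, chain):
    """Return the rule lines of one chain, with trailing comments and the 'type' line removed."""
    m = re.search(r"chain %s \{(.*?)\n\s*\}" % re.escape(chain), text, re.S)
    if not m:
        raise ValueError("chain %s not found" % chain)
    rules = []
    for line in m.group(1).splitlines():
        line = re.sub(r'\s+comment\s+".*?"\s*$', "", line.strip())
        if line and not line.startswith("type "):
            rules.append(line)
    return rules

def lint_input(text, wan="enp1s0", nfs_port=2049):
    """Report whether NFS and ct-state accepts are reachable from the WAN side, and list dead rules."""
    closed, all_closed = set(), False      # interfaces already decided by an unconditional verdict
    dead, nfs_reachable, ct_reachable = [], False, False
    for rule in chain_rules(text, "input"):
        toks = rule.split()
        iif = toks[1] if toks[0] == "iif" else None
        verdict = toks[-1] if toks[-1] in VERDICTS else None
        if all_closed or iif in closed:
            dead.append(rule)                # never evaluated: an earlier rule always terminates first
            continue
        if iif == wan and verdict == "accept" and "dport" in toks:
            nfs_reachable |= toks[toks.index("dport") + 1] == str(nfs_port)
        if iif == wan and verdict == "accept" and "ct" in toks and "state" in toks:
            ct_reachable = True
        body = toks[2:] if iif else toks     # match expressions left after removing iif and verdict
        if verdict and not [t for t in body if t != "counter" and t not in VERDICTS]:
            closed.add(iif) if iif else (all_closed := True)
    return {"nfs_reachable": nfs_reachable, "ct_state_reachable": ct_reachable, "dead_rules": dead}
```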