On 24/07/2024 5:17 pm, linux-nfs@xxxxxxxxxxx wrote:
On Tue 7/23/24 22:28 +0100 Calum Mackay wrote:
On 23/07/2024 8:53 pm, linux-nfs@xxxxxxxxxxx wrote:
I have a Fedora server on the Internet sharing out NFS; it has been working OK for 3+ years with firewalld. I'm going with pure nftables on a new server. Does anyone have a recipe/example for setting up an NFS server using nftables?
I'm still stuck on iptables, but I imagine it ought to be something
simple like adding this to your NFSv4 server's inbound chain:
tcp dport 2049 accept
assuming you have a default accept policy on your outbound chain.
That's just for NFSv4 over TCP, of course. And you might want to add ct
connection tracking state, etc.
Thank you Calum.
As you suggested, I added:
iif enp1s0 tcp dport 2049 counter accept comment "allow nfs"
I then tried mount -v ... and it got farther but failed
mount.nfs4: mount(2): Permission denied
Then I restarted nftables.service. It worked!
That's great, Tom; thanks for letting me know, and for the detail below.
One point: you should be able to change the numeric port "2049" to the
service "{nfs}", to make it more in line with your other services, if
you prefer.
best wishes,
calum.
--
thanks!
Tom
--8<---------------cut here---------------start------------->8---
# cat /etc/sysconfig/nftables.conf |_rmcm ## comments stripped. enp1s0 faces Internet
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0;
        iif enp1s0 tcp dport {ssh} counter accept comment "allow ssh"
        iif enp1s0 tcp dport {http, https} counter accept comment "allow http, https"
        iif enp1s0 tcp dport 2049 counter accept comment "allow nfs"
        iif enp1s0 tcp dport {smtp} counter accept comment "smtp"
        iif enp1s0 ct state {established, related} counter accept comment "allow established Internet packets"
        iif enp1s0 counter drop comment "dropped Internet packets"
        iif enp2s0 accept comment "allow local packets"
    }
    chain forward {
        type filter hook forward priority 0;
        iif enp1s0 oif enp2s0 ct state {established, related} counter accept comment "allow Internet est/relat"
        iif enp2s0 oif enp1s0 counter accept comment "allow lan to Internet"
        iif enp1s0 drop
    }
    chain output {
        type filter hook output priority 0;
    }
}
table nat {
    chain output {
        type nat hook output priority -100;
    }
    chain prerouting {
        type nat hook prerouting priority -100;
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        ip saddr 10.164.123.0/24 oif enp1s0 counter snat MY_SERVERS_INTERNET_IP comment "snat/static ip"
    }
}
--
Calum Mackay
Linux Kernel Engineering
Oracle Linux and Virtualisation
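An added example, not Tom's configuration above and not anything posted to the list: the filter table of a minimal /etc/sysconfig/nftables.conf for an NFSv4-only server, applying the two suggestions from the thread (the `nfs` service name, which resolves to 2049 via /etc/services, and explicit conntrack rules). The interface names enp1s0 (Internet) and enp2s0 (LAN) are assumed placeholders. Unlike Tom's ruleset, the conntrack rules come first so that packets of existing connections match one rule without walking the service list, and `ct state invalid` is dropped before anything is accepted. The NAT and forward chains are left out because an NFS recipe does not need them.

```nft
#!/usr/sbin/nft -f
# Added example for an NFSv4-only server (not the list poster's config).
# Assumed: enp1s0 faces the Internet, enp2s0 faces the trusted LAN.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0;

        # Conntrack first: malformed/unknown packets are dropped, packets of
        # already-accepted connections are let through without consulting
        # the per-service rules below.
        ct state invalid counter drop comment "drop invalid"
        ct state { established, related } counter accept comment "existing connections"

        # Loopback and the LAN side are trusted.
        iif lo accept comment "loopback"
        iif enp2s0 accept comment "allow local packets"

        # Internet-facing services. 'nfs' is looked up in /etc/services
        # (2049/tcp), matching how ssh/http/https are written.
        iif enp1s0 tcp dport { ssh } counter accept comment "allow ssh"
        iif enp1s0 tcp dport { http, https } counter accept comment "allow http, https"
        iif enp1s0 tcp dport { nfs } counter accept comment "allow NFSv4 over TCP"

        # NFSv4 needs only 2049/tcp. NFSv3 would additionally need rpcbind
        # (111 tcp/udp) plus the mountd/statd/lockd ports, which are
        # dynamic unless pinned in /etc/nfs.conf; none of that is opened here.

        # Everything else from the Internet is dropped (and counted).
        iif enp1s0 counter drop comment "dropped Internet packets"
    }
}
```

Check the file parses before enabling it with `nft -c -f /etc/sysconfig/nftables.conf` (syntax check only, nothing is loaded), then `systemctl restart nftables.service` and confirm the live ruleset and counters with `nft list ruleset`. Clients should mount with `-o vers=4` (or `mount -t nfs4`) so that no NFSv3 side-ports are ever attempted.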