Setting up a Linux NFS Server

Sei qui: Homepage INFN Bari> Servizio calcolo e reti> Documenti> Setting up an NFS server

Setting up a Linux NFS server

D.Diacono
last revised: 06-05-03

Disclaimer: The information contained herein is NOT official information of any kind and there are NO warranties to the accuracy of the data. Use at your own risk.

UPDATE!

In the Charles Curley's article NFS and Firewalls on Fedora Core you can find an update for the new fedora core distributions. (22-Dic-2006)

Introduction
Server Setup
Client Setup
NFS through IPTABLES Firewall Setup

Introduction

This note gives some hints and links to install an NFS server with a client on a LAN. It is a report of a specific experience, not a comprehensive how-to: you can find it at Linux NFS How-to. Note that we will use ip.pc.server and ip.pc.client as placeholders for the real IP address of NFS server and client, and daemon_name and packet_name as placeholders for the real names. Suggestions and corrections are welcome.

The software versions used for this report:

Server: RedHat 7.3 (nfs-utils 0.3.3-5 , portmap 4.0.41 , quota 3.03-1)
Clients: RedHat 7.2 (nfs-utils 0.3.1-13.7.2.1 , portmap 4.0-38, quota 3.01pre9-3) and RedHat 7.3

Server setup

If you want to export a brand new disk through nfs, you must find the corresponding device in the /dev directory. You can use the boot log messages in /var/log. We will assume that the new device is /dev/hdg.
Now you must create the new partition on your disk with the command:
```
fdisk /dev/hdg
```
Follow the instructions and create one big partition /dev/hdg1.
Format the new partition with the ext3 file system with the following command: mkfs -t ext3 -c /dev/hdg1
The "-c" options searchs for invalid disk sectors.
Create the new directory that you will export, say /nfsdir, change the permission to 777 and mount the partition on it:
mkdir /nfsdir chmod 777 /nfsdir mount -t ext3 /dev/hdg1 /nfsdir
Add the following line in the file /etc/fstab: /dev/hdg1 /nfsdir ext3 defaults 1 2
Now the new device will be mounted on boot on the selected directory.
Verify that the following packets are installed:
- nfs-utils
- portmap
- quota
with the command:
```
rpm -qa | grep packet_name
```
Edit the file /etc/exports adding the line:
```
/nfsdir		ip.pc.client1(rw) ip.pc.client2(rw)
```
Note that the list of authorized client provides a first security step: only the IP addresses listed here are allowed to access a share point. However this is not terribly secure: if someone is capable of spoofing or taking over a trusted address then they can access your mount point.
With the default options we don't trust any request made as root on the client: if a user with UID 0 on the client attempts to access the file system, the server substitutes the UID of the server's "nobody" account. The important implication is that all important binaries and files on the server should be owned by root.
Secure the daemons with TCP wrappers: in the file /etc/hosts.deny add a line like this: daemon_name: ALL
for each of the five daemons portmap, lockd, statd, mountd, rquotad. In the file /etc/hosts.allow the line should look like this: daemon_name: ip.pc.client1 , ip.pc.client2

Start the services: /etc/init.d/portmap start /etc/init.d/nfs start /etc/init.d/nfslock start
and add them to the start configuration with: chkconfig --level 35 portmap on chkconfig --level 35 nfs on chkconfig --level 35 nfslock on
If the services are not present in the level management add them with "--add" chkconfig option.

Verify that the daemons are running with rpcinfo -p
You should see something like this:

 programma vers proto   porta
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  32768  status
    100024    1   tcp  32768  status
    391002    2   tcp  32769  sgi_fam
    100011    1   udp    690  rquotad
    100011    2   udp    690  rquotad
    100011    1   tcp    693  rquotad
    100011    2   tcp    693  rquotad
    100005    1   udp  32769  mountd
    100005    1   tcp  32770  mountd
    100005    2   udp  32769  mountd
    100005    2   tcp  32770  mountd
    100005    3   udp  32769  mountd
    100005    3   tcp  32770  mountd
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100021    1   udp  32770  nlockmgr
    100021    3   udp  32770  nlockmgr
    100021    4   udp  32770  nlockmgr

Client Setup

Secure the daemons with TCP wrappers: in the file /etc/hosts.deny add a line like this: daemon_name: ALL
for each of the five daemons portmap, lockd, statd, mountd, rquotad. In the file /etc/hosts.allow the line should look like this: daemon_name: ip.pc.server

Verify that the services portmap and nfslock are running. The commands needed to verify, start and add this services to the running configuration are shown at the last two points of server setup. With the command rpcinfo -p
you should get something like this:

 programma vers proto   porta
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  32768  status
    100024    1   tcp  32768  status
    391002    2   tcp  32769  sgi_fam
    100021    1   udp  32811  nlockmgr
    100021    3   udp  32811  nlockmgr
    100021    4   udp  32811  nlockmgr

With the daemons portmap, lockd, statd running you should be able to mount the remote directory. Try it typing: mkdir /mntdir mount -t nfs ip.pc.server:/nfsdir /mntdir
If the mount command works add the mounting at the start-up editing the file /etc/fstab and adding the following line
```
ip.pc.server:/nfsdir 	/mntdir		nfs	bg,hard,intr,nosuid,rw	0 0 
```
The meanings of the options are:
- bg: If the first NFS mount attempt times out, retry the mount in the background.
- hard: The program accessing a file on a NFS mounted file system will hang when the server crashes.
- intr: If an NFS file operation has a major time-out and it is hard mounted, then allow signals to interrupt the file operation and cause it to return.
- nosuid: Do not allow set-user-identifier or set-group-identifier bits to take effect.

NFS through IPTABLES Firewall Setup

The step-by-step guide that follow is a summary of a very well done guide, that I suggest to read carefully, and it is referred to the server with RedHat 7.3. The same considerations apply to RedHat 8.0 and 9.0. To make it possible to configure a firewall that controls NFS, it is necessary to be able to "tie" down the ports used by these services to fixed values. In the following we suggest some fixed values, but of course you can use different numbers.

Portmapper (portmap): uses port 111 on both TCP and UDP protocols.
NFS daemon (rpc.nfsd): uses port 2049 on both TCP and UDP protocols.
Status (rpc.statd): normally uses a random port allocated by portmapper. It is possible to configure a fixed port number by supplying the "-p" command option when the program is launched. Edit the file /etc/init.d/nfslock, find the line "daemon rpc.statd" and add the option: daemon rpc.statd -p 4000
NFS lock manager (rpc.lockd): normally uses a random port allocated by portmapper. On systems where the lock manager is implemented as a loadable module (RedHat 7.3 and greater, Mandrake 8.2 and greater) the port number used is set at module load time, and so is configured by adding (or editing) a line in the /etc/modules.conf file, as follows: options lockd nlm_udpport=4001 nlm_tcpport=4001
mountd (rpc.mountd): normally uses a random port allocated by portmapper. It is possible to configure a fixed port number by supplying the “-p” command line option when the program is launched. This can be done by editing the file /etc/sysconfig/network and adding the following line: MOUNTD_PORT=4002
rquotad (rpc.quotad): if your system is not already running "quota" version 3.08 or later, download it from the linuxquota website. Remove the old version and install the new quota package: tar zxvf quota-3.08.tar.gz cd quota-tools ./configure make make install cp rpc.rquotad /usr/sbin/
Now edit the file /etc/rpc and check that the following line is present: rquotad 100011 rquotaprog quota rquota
It should be there, but if isnt, then add it yourself. Finally edit the file /etc/services and add the following lines: rquotad 4003/tcp rquotad 4003/tcp
Note that you can happily use NFS without quotas, and in such case you can skip this point.

Now you have blocked the NFS services' port, and then a simple IPTABLES firewall might look like this:

iptables -A INPUT -f -j ACCEPT -s ip.pc.client
iptables -A INPUT -s ip.pc.client -d 0/0 4000:4003 -p 6 -j ACCEPT
iptables -A INPUT -s ip.pc.client -d 0/0 4000:4003 -p 17 -j ACCEPT
iptables -A INPUT -s ip.pc.client -d 0/0 2049 -p 17 -j ACCEPT
iptables -A INPUT -s ip.pc.client -d 0/0 2049 -p 6 -j ACCEPT
iptables -A INPUT -s ip.pc.client -d 0/0 111 -p 6 -j ACCEPT
iptables -A INPUT -s ip.pc.client -d 0/0 111 -p 17 -j ACCEPT
iptables -A INPUT -s 0/0 -d 0/0 -p 6 -j DENY --syn --log-level 5
iptables -A INPUT -s 0/0 -d 0/0 -p 17 -j DENY --log-level 5

With IPCHAINS the equivalent commands are:

ipchains -A input -f -j ACCEPT -s ip.pc.client
ipchains -A input -s ip.pc.client -d 0/0 4000:4003 -p 6 -j ACCEPT
ipchains -A input -s ip.pc.client -d 0/0 4000:4003 -p 17 -j ACCEPT
ipchains -A input -s ip.pc.client -d 0/0 2049 -p 17 -j ACCEPT
ipchains -A input -s ip.pc.client -d 0/0 2049 -p 6 -j ACCEPT
ipchains -A input -s ip.pc.client -d 0/0 111 -p 6 -j ACCEPT
ipchains -A input -s ip.pc.client -d 0/0 111 -p 17 -j ACCEPT
ipchains -A input -s 0/0 -d 0/0 -p 6 -j DENY -y -l
ipchains -A input -s 0/0 -d 0/0 -p 17 -j DENY -l

It is worth mentioning that NFS is not an encrypted protocol, and anyone on the same physical network could sniff the traffic and reassemble the information being passed back and forth.

Ultimo aggiornamento: WebMaster, 9 Gennaio 2007

Commenti e suggerimenti | Limitazione di responsabilità