Setting up a Linux NFS server
NFS through IPTABLES Firewall Setup
Introduction
This note gives some hints and links for installing an NFS server and a client on a LAN. It is a report of a specific experience, not a comprehensive how-to: for that, see the Linux NFS How-to. We use ip.pc.server and ip.pc.client as placeholders for the real IP addresses of the NFS server and client, and daemon_name and package_name as placeholders for the real daemon and package names. Suggestions and corrections are welcome.
The software versions used for this report:
Server: RedHat 7.3 (nfs-utils 0.3.3-5, portmap 4.0-41, quota 3.03-1)
Clients: RedHat 7.2 (nfs-utils 0.3.1-13.7.2.1, portmap 4.0-38, quota 3.01pre9-3) and RedHat 7.3
1.) If you want to export a brand new disk via NFS, you must first find the corresponding device in the /dev directory; the kernel's boot messages (dmesg, or the boot log under /var/log) list the disks found at start-up. We will assume that the new device is /dev/hdg.
2.) Now create the new partition on the disk with the command:
fdisk /dev/hdg
Follow the instructions and create one big partition /dev/hdg1.
3.) Format the new partition with the ext3 file system with the following command: mkfs -t ext3 -c /dev/hdg1
The "-c" option checks the device for bad blocks before creating the file system.
4.) Create the directory that you will export, say /nfsdir, set its permissions and mount the partition on it. The chmod 777 below makes the directory writable by every user on every client that can mount it; if it is shared by several users, use chmod 1777 instead, so that the sticky bit lets users delete only their own files, or give the directory a group and mode 2775:
mkdir /nfsdir
chmod 777 /nfsdir
mount -t ext3 /dev/hdg1 /nfsdir
5.) Add the following line in the file /etc/fstab:
/dev/hdg1 /nfsdir ext3 defaults 1 2
Now the new device will be mounted on boot on the selected directory.
6.) Verify that the following packages are installed:
nfs-utils
portmap
quota
with the command:
rpm -qa | grep package_name
or simply rpm -q package_name.
7.) Edit the file /etc/exports adding the line:
/nfsdir ip.pc.client1(rw) ip.pc.client2(rw)
Note that the list of authorized clients provides a first security step: only the IP addresses listed here are allowed to access the export. However this is not terribly secure: anyone who can spoof or take over a trusted address can access your mount point, and with NFSv2/v3 AUTH_SYS the user and group IDs in each request are asserted by the client and never verified by the server. With the default options (root_squash) we don't trust any request made as root on the client: if a user with UID 0 on the client accesses the file system, the server substitutes the UID of its "nobody" account. Root squashing only remaps UID 0, though: root on a trusted client can still su to any other user and the server will honour that UID. The important implication is that every file on the server that clients must not be able to modify should be owned by root, since a squashed client root cannot write to root-owned files. Never use no_root_squash on an export reachable from a host you do not fully control, and never leave a space between the client address and its option list: "host (rw)" exports the directory read-only to host and read-write to everyone.
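As an added example (not from the original post), here is a small POSIX sh checker for /etc/exports that flags the mistakes which quietly defeat the client list: a missing or wildcard host, a space before the option parentheses, no_root_squash, and the insecure option (which lets any unprivileged user on the client send requests from a non-reserved port). The export lines fed to it at the end are constructed for the example and use 192.0.2.x documentation addresses in place of ip.pc.client1 and ip.pc.client2.

```sh
#!/bin/sh
# Added example: audit /etc/exports for options that defeat the client list.
# Not part of the original post. Export syntax as in exports(5) for nfs-utils.
set -f   # export lines contain '*'; never let the shell glob-expand them

# audit_exports < exports-file
# Prints one finding per line ("SEVERE ..." or "WARN ...").
# Returns 1 if any SEVERE finding was made, 0 otherwise.
audit_exports() {
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}          # drop comments
        set -- $line              # word-split: $1 = directory, rest = client specs
        [ $# -eq 0 ] && continue
        dir=$1; shift
        if [ $# -eq 0 ]; then
            echo "SEVERE $dir: no client list, exported to every host"
            rc=1
            continue
        fi
        for spec in "$@"; do
            case $spec in
                *\(*) host=${spec%%\(*}; opts=${spec#*\(}; opts=${opts%\)} ;;
                *)    host=$spec; opts= ;;
            esac
            if [ -z "$host" ] || [ "$host" = '*' ]; then
                echo "SEVERE $dir: client spec '$spec' matches every host (a space before the parentheses does this too)"
                rc=1
            fi
            case ",$opts," in
                *,no_root_squash,*)
                    echo "SEVERE $dir: no_root_squash for '$host', root on that client is root on the server"
                    rc=1 ;;
            esac
            case ",$opts," in
                *,insecure,*)
                    echo "WARN $dir: insecure for '$host', requests from unprivileged source ports are accepted" ;;
            esac
            case $host in
                ''|'*') ;;
                *[!0-9./]*)
                    echo "WARN $dir: '$host' is a name, so access control depends on DNS/hosts resolution" ;;
            esac
        done
    done
    return $rc
}

# Constructed sample exports file (192.0.2.x stand in for the real clients).
audit_exports <<'EOF'
# sample /etc/exports for the audit
/nfsdir    192.0.2.10(rw) 192.0.2.11(rw)
/pub       *(ro)
/home      192.0.2.12 (rw,no_root_squash)
/scratch   192.0.2.13(rw,insecure)
EOF
echo "exit status: $?"
```

On the server, run audit_exports < /etc/exports after every change to the file; the sample above produces three SEVERE lines (the wildcard export, the misplaced space on /home, and no_root_squash) and exits 1.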
8.) Secure the daemons with TCP wrappers: in the file /etc/hosts.deny add a line like this: daemon_name: ALL
for each of the five daemons portmap, lockd, statd, mountd, rquotad. In the file /etc/hosts.allow the corresponding line should look like this:
daemon_name: ip.pc.client1, ip.pc.client2
Keep in mind that TCP wrappers only protect the portmapper and the user-space RPC daemons built against libwrap; the NFS server itself runs in the kernel on port 2049 and never consults hosts.allow, which is one reason for the packet filter described later in this note.
9.) Start the services:
/etc/init.d/portmap start
/etc/init.d/nfs start
/etc/init.d/nfslock start
and add them to the start configuration with:
chkconfig --level 35 portmap on
chkconfig --level 35 nfs on
chkconfig --level 35 nfslock on
If a service does not appear in the chkconfig list, add it first with the "--add" option (chkconfig --add daemon_name).
10.) Verify that the daemons are running with
rpcinfo -p
You should see something like this:
program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100024 1 udp 32768 status
100024 1 tcp 32768 status
391002 2 tcp 32769 sgi_fam
100011 1 udp 690 rquotad
100011 2 udp 690 rquotad
100011 1 tcp 693 rquotad
100011 2 tcp 693 rquotad
100005 1 udp 32769 mountd
100005 1 tcp 32770 mountd
100005 2 udp 32769 mountd
100005 2 tcp 32770 mountd
100005 3 udp 32769 mountd
100005 3 tcp 32770 mountd
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100021 1 udp 32770 nlockmgr
100021 3 udp 32770 nlockmgr
100021 4 udp 32770 nlockmgr
Client Setup
1.) Secure the daemons with TCP wrappers: in the file /etc/hosts.deny add a line like this: daemon_name: ALL
for each of the five daemons portmap, lockd, statd, mountd, rquotad. In the file /etc/hosts.allow the line should look like this:
daemon_name: ip.pc.server
2.) Verify that the services portmap and nfslock are running. The commands to verify, start and add these services to the boot configuration are the same as at the end of the server setup (the start and chkconfig commands, then rpcinfo -p). With the command
rpcinfo -p
you should get something like this:
program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100024 1 udp 32768 status
100024 1 tcp 32768 status
391002 2 tcp 32769 sgi_fam
100021 1 udp 32811 nlockmgr
100021 3 udp 32811 nlockmgr
100021 4 udp 32811 nlockmgr
3.) With the daemons portmap, lockd and statd running you should be able to mount the remote directory. Try it by typing:
mkdir /mntdir
mount -t nfs ip.pc.server:/nfsdir /mntdir
If the mount command works, make the mount permanent by editing /etc/fstab and adding the following line:
ip.pc.server:/nfsdir /mntdir nfs bg,hard,intr,nosuid,rw 0 0
The meanings of the options are:
bg: If the first NFS mount attempt times out, retry the mount in the background, so that a dead server does not block the boot.
hard: If the server stops responding, operations on the mounted file system block (the program appears to hang) and are retried until the server comes back. The alternative, soft, makes them fail with an error after a time-out; most applications do not handle that and can silently lose or corrupt data, so hard is the safe choice for read-write mounts.
intr: If an NFS file operation has a major time-out and the file system is hard-mounted, allow signals to interrupt the operation and make it return, so that a process stuck on a dead server can still be killed.
nosuid: Do not let set-user-ID or set-group-ID bits take effect on files from the server, so that a binary placed on the export cannot be used to gain privileges on the client.
A related option not in the line above, nodev, ignores device nodes on the export and is worth adding for the same reason.
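As an added example, not from the original post, the following POSIX sh function reads an fstab on standard input and checks every nfs entry for the options discussed above: it warns when nosuid or nodev is missing and when soft is used instead of the default hard, and notes a hard mount without intr. The fstab it checks is constructed for the example, with the documentation address 192.0.2.1 standing in for ip.pc.server.

```sh
#!/bin/sh
# Added example: check the NFS entries of an fstab for the mount options
# discussed above. Not part of the original post.

# check_nfs_fstab < fstab
# Prints one "WARN ..." line per problem on nfs entries (and "NOTE ..." hints);
# returns 1 if any WARN was printed, 0 otherwise.
check_nfs_fstab() {
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                   # drop comments
        set -- $line                       # device, mountpoint, type, options, ...
        [ $# -lt 4 ] && continue
        dev=$1; mnt=$2; type=$3; opts=",$4,"
        [ "$type" = nfs ] || continue      # local file systems are not our concern
        for want in nosuid nodev; do
            case $opts in
                *,$want,*) ;;
                *) echo "WARN $mnt ($dev): missing '$want', set-ID files or device nodes on the server take effect here"
                   rc=1 ;;
            esac
        done
        case $opts in
            *,soft,*) echo "WARN $mnt ($dev): 'soft' makes operations fail on time-out, which applications rarely handle; use hard,intr"
                      rc=1 ;;
            *,intr,*) ;;                   # hard (the default) with intr: fine
            *)        echo "NOTE $mnt ($dev): hard mount without intr, a process stuck on a dead server cannot be killed" ;;
        esac
    done
    return $rc
}

# Constructed fstab; 192.0.2.1 stands in for ip.pc.server.
check_nfs_fstab <<'EOF'
/dev/hdg1            /nfsdir  ext3  defaults                      1 2
192.0.2.1:/nfsdir    /mntdir  nfs   bg,hard,intr,nosuid,rw        0 0
192.0.2.1:/pub       /pub     nfs   bg,soft,nosuid,nodev,ro       0 0
192.0.2.1:/home      /home    nfs   bg,hard,intr,nosuid,nodev,rw  0 0
EOF
echo "exit status: $?"
```

On a client, run check_nfs_fstab < /etc/fstab; the sample above warns about the missing nodev on /mntdir and the soft mount on /pub, accepts /home, and exits 1.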
NFS through IPTABLES Firewall Setup
The step-by-step guide that follows is a summary of a very well done guide that I suggest you read carefully; it refers to the server running RedHat 7.3, and the same considerations apply to RedHat 8.0 and 9.0. To make it possible to configure a firewall that controls NFS, the ports used by the RPC services must be "tied down" to fixed values, because by default the portmapper assigns them whatever port happens to be free at start-up. In the following we suggest some fixed values, but of course you can use different numbers.
1.) Portmapper (portmap): uses port 111 on both TCP and UDP protocols.
2.) NFS daemon (rpc.nfsd): uses port 2049 on both TCP and UDP protocols.
3.) Status (rpc.statd): normally uses a random port allocated by the portmapper. A fixed port can be set with the "-p" command-line option. Edit the file /etc/init.d/nfslock, find the line "daemon rpc.statd" and add the option: daemon rpc.statd -p 4000
4.) NFS lock manager (rpc.lockd): normally uses a random port allocated by portmapper. On systems where the lock manager is implemented as a loadable module (RedHat 7.3 and greater, Mandrake 8.2 and greater) the port number used is set at module load time, and so is configured by adding (or editing) a line in the /etc/modules.conf file, as follows:
options lockd nlm_udpport=4001 nlm_tcpport=4001
5.) mountd (rpc.mountd): normally uses a random port allocated by the portmapper. A fixed port can be set with the "-p" command-line option; on RedHat the nfs init script passes the value of the variable MOUNTD_PORT, so edit the file /etc/sysconfig/network and add the following line:
MOUNTD_PORT=4002
6.) rquotad (rpc.rquotad): if your system is not already running quota version 3.08 or later, download it from the linuxquota website; from that version rpc.rquotad binds to the port given for rquotad in /etc/services, which is what the entries added below rely on. Remove the old version and install the new quota package:
tar zxvf quota-3.08.tar.gz
cd quota-tools
./configure
make
make install
cp rpc.rquotad /usr/sbin/
Now edit the file /etc/rpc and check that the following line is present:
rquotad 100011 rquotaprog quota rquota
It should be there, but if it isn't, add it yourself. Finally edit the file /etc/services and add the following lines, one per protocol:
rquotad 4003/tcp
rquotad 4003/udp
Note that you can happily use NFS without quotas, and in such case you can skip this point.
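Before writing the firewall rules it pays to confirm that the pinning actually took effect, because a service still sitting on a portmapper-assigned port will simply be blocked. The following POSIX sh function, an added example that is not part of the original post or of the guide it summarizes, reads rpcinfo -p output from standard input and reports every NFS-related registration that is not on one of the ports you intend to open, plus any required service that is missing. It assumes the ports chosen above (111, 2049 and 4000 to 4003); both listings fed to it at the end are constructed for the example, the first being the unpinned state shown in the server setup.

```sh
#!/bin/sh
# Added example: check that the RPC services NFS needs are registered and sit on
# the ports the firewall will open. Not part of the original post.

# check_rpc_ports "PORT PORT ..." < rpcinfo-output
# Prints one "FAIL ..." line per problem; returns 1 if anything failed, else 0.
check_rpc_ports() {
    allowed=" $1 "
    rc=0
    seen=""
    while read -r prog vers proto port name; do
        case $prog in ''|program) continue ;; esac     # blank lines and the header
        case $name in
            portmapper|nfs|mountd|nlockmgr|status|rquotad) ;;
            *) continue ;;                              # other RPC services, e.g. sgi_fam
        esac
        seen="$seen $name"
        case $allowed in
            *" $port "*) ;;
            *) echo "FAIL $name v$vers/$proto is on port $port, which the firewall will not open"
               rc=1 ;;
        esac
    done
    # rquotad is optional (quotas can be skipped); the rest are not.
    for need in portmapper nfs mountd nlockmgr status; do
        case " $seen " in
            *" $need "*) ;;
            *) echo "FAIL $need is not registered with the portmapper"; rc=1 ;;
        esac
    done
    return $rc
}

FIREWALL_PORTS="111 2049 4000 4001 4002 4003"

# Constructed listing 1: the unpinned state from the server setup (abbreviated).
before='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  32768  status
    100024    1   tcp  32768  status
    391002    2   tcp  32769  sgi_fam
    100011    1   udp    690  rquotad
    100005    1   udp  32769  mountd
    100005    1   tcp  32770  mountd
    100003    2   udp   2049  nfs
    100021    1   udp  32770  nlockmgr'

# Constructed listing 2: what rpcinfo -p should show after steps 3 to 6.
after='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp   4000  status
    100024    1   tcp   4000  status
    100011    1   udp   4003  rquotad
    100011    1   tcp   4003  rquotad
    100005    1   udp   4002  mountd
    100005    1   tcp   4002  mountd
    100003    2   udp   2049  nfs
    100021    1   udp   4001  nlockmgr
    100021    1   tcp   4001  nlockmgr'

echo "== before pinning =="
printf '%s\n' "$before" | check_rpc_ports "$FIREWALL_PORTS"; echo "status: $?"
echo "== after pinning =="
printf '%s\n' "$after" | check_rpc_ports "$FIREWALL_PORTS"; echo "status: $?"
```

On the real server, after restarting portmap, nfs and nfslock, run rpcinfo -p | check_rpc_ports "111 2049 4000 4001 4002 4003"; it should print nothing and exit 0. Keep the same port list as the firewall rules, so that the check and the rules cannot drift apart.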
7.) Now that the NFS services sit on fixed ports, a simple IPTABLES firewall on the server might look like this (iptables matches ports with --dport, has no DENY target, and logs with a separate, non-terminating LOG rule followed by DROP):
iptables -A INPUT -s ip.pc.client -f -j ACCEPT
iptables -A INPUT -s ip.pc.client -p tcp --dport 4000:4003 -j ACCEPT
iptables -A INPUT -s ip.pc.client -p udp --dport 4000:4003 -j ACCEPT
iptables -A INPUT -s ip.pc.client -p udp --dport 2049 -j ACCEPT
iptables -A INPUT -s ip.pc.client -p tcp --dport 2049 -j ACCEPT
iptables -A INPUT -s ip.pc.client -p tcp --dport 111 -j ACCEPT
iptables -A INPUT -s ip.pc.client -p udp --dport 111 -j ACCEPT
iptables -A INPUT -p tcp --syn -j LOG --log-level 5
iptables -A INPUT -p tcp --syn -j DROP
iptables -A INPUT -p udp -j LOG --log-level 5
iptables -A INPUT -p udp -j DROP
Repeat the per-client ACCEPT rules for each client, or give a network (address/prefix) instead of a single address if all clients share a subnet. The first rule accepts non-first IP fragments from the client, which carry no port numbers; when the ip_conntrack module is loaded the kernel reassembles datagrams before they reach the filter table and the rule never matches, so it only matters on hosts without connection tracking. Note also that the last four rules drop every other incoming UDP datagram and TCP connection attempt, including replies to the server's own DNS queries; on a real host put a rule such as iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT before them, together with rules for any other service the host offers.
With IPCHAINS the equivalent commands are:
ipchains -A input -f -j ACCEPT -s ip.pc.client
ipchains -A input -s ip.pc.client -d 0/0 4000:4003 -p 6 -j ACCEPT
ipchains -A input -s ip.pc.client -d 0/0 4000:4003 -p 17 -j ACCEPT
ipchains -A input -s ip.pc.client -d 0/0 2049 -p 17 -j ACCEPT
ipchains -A input -s ip.pc.client -d 0/0 2049 -p 6 -j ACCEPT
ipchains -A input -s ip.pc.client -d 0/0 111 -p 6 -j ACCEPT
ipchains -A input -s ip.pc.client -d 0/0 111 -p 17 -j ACCEPT
ipchains -A input -s 0/0 -d 0/0 -p 6 -j DENY -y -l
ipchains -A input -s 0/0 -d 0/0 -p 17 -j DENY -l
It is worth mentioning that NFS (v2 and v3, as used here) is neither encrypted nor authenticated: anyone on the same physical network can sniff the traffic and reassemble the files being passed back and forth, and the server trusts the UID the client puts in each request. The address lists, TCP wrappers and firewall rules above limit who can talk to the server; they do nothing for what crosses the wire, so keep the NFS LAN physically separate from untrusted machines.