How-To: Secure NFS Using iptables
December 26, 2011
Today, I am going to demonstrate how to use the Netfilter firewall and iptables to assist in securing NFS services. While NFS already has some access controls placed in the /etc/exports file, iptables supplies another layer of security prior to reaching the application layer.
Define the Port Numbers
By default the portmapper dynamically assigns ports to several of the NFS services. This complicates filtering with iptables, because firewall rules have to name static port numbers.
A total of six ports need to be filtered. Port 111 for the portmapper and port 2049 for NFS are fixed. To simplify the filter rules, pick four contiguous port numbers for the remaining NFS services. Typically high port numbers are used, but make sure they are not already in use by other services. Run the following two commands and choose four port numbers which are not listed.
netstat -tlnp
netstat -ulnp
For this example, I have chosen ports 6001 – 6004, but you can choose different port numbers. Next, edit the /etc/sysconfig/nfs file. By default, every setting in it is commented out. Find the following lines, uncomment them, and enter the port numbers of your choice.
RQUOTAD_PORT=6001
LOCKD_TCPPORT=6002
LOCKD_UDPPORT=6002
MOUNTD_PORT=6003
STATD_PORT=6004
Note that lockd has separate entries for TCP and UDP. It’s okay to use the same number for both entries. After your changes are made, save and close the /etc/sysconfig/nfs file.
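The port selection above can be scripted. The following is an added example, not part of the original post: it reads netstat-style listening output, searches for the first run of four unused ports in a range, and prints the matching /etc/sysconfig/nfs assignments. The netstat output embedded in it is constructed (ports 6001 and 6002 are deliberately shown as busy so the search has to skip them); on a real host you would feed it the output of the two netstat commands instead.

```shell
#!/bin/sh
# Added example (not from the original post): choose four contiguous unused
# ports from "netstat -tlnp" / "netstat -ulnp" output and print the lines
# to put into /etc/sysconfig/nfs.

# Constructed sample of netstat listening output; the fourth column is the
# local address. 6001 and 6002 are in use here, so the first free run of four
# starts at 6003.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1234/rpcbind
tcp        0      0 0.0.0.0:2049            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:6001            0.0.0.0:*               LISTEN      2222/someapp
udp        0      0 0.0.0.0:6002            0.0.0.0:*                           3333/other'

# listening_ports: print the local port of every tcp/udp line read on stdin.
# The last colon-separated field is used so IPv6 addresses (:::111) work too.
listening_ports() {
    awk '$1 ~ /^(tcp|udp)/ { n = split($4, a, ":"); print a[n] }'
}

# port_in_use PORT LIST: succeed if PORT appears in the whitespace-separated LIST.
port_in_use() {
    for q in $2; do
        [ "$q" = "$1" ] && return 0
    done
    return 1
}

# find_free_range START END COUNT LIST: print the first port P in START..END
# such that P .. P+COUNT-1 are all absent from LIST; fail if there is none.
find_free_range() {
    start=$1; end=$2; count=$3; inuse=$4
    p=$start
    while [ "$p" -le $((end - count + 1)) ]; do
        ok=1
        i=0
        while [ "$i" -lt "$count" ]; do
            if port_in_use $((p + i)) "$inuse"; then ok=0; break; fi
            i=$((i + 1))
        done
        if [ "$ok" -eq 1 ]; then echo "$p"; return 0; fi
        p=$((p + 1))
    done
    return 1
}

# nfs_sysconfig BASE: print the /etc/sysconfig/nfs assignments for the four
# ports BASE..BASE+3, using the same port for lockd over TCP and UDP.
nfs_sysconfig() {
    base=$1
    printf 'RQUOTAD_PORT=%d\nLOCKD_TCPPORT=%d\nLOCKD_UDPPORT=%d\nMOUNTD_PORT=%d\nSTATD_PORT=%d\n' \
        "$base" $((base + 1)) $((base + 1)) $((base + 2)) $((base + 3))
}

# On a real host replace the constructed sample with:
#   used=$( { netstat -tlnp; netstat -ulnp; } | listening_ports )
used=$(printf '%s\n' "$SAMPLE_NETSTAT" | listening_ports)
base=$(find_free_range 6001 6100 4 "$used") || { echo "no free range of 4 ports" >&2; exit 1; }
nfs_sysconfig "$base"
```

Review the printed lines before pasting them into /etc/sysconfig/nfs; the script only reports what is listening right now, so a service that is stopped at the moment of the check but normally uses one of the chosen ports would not be noticed.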
Configure the Firewall
Configuring the firewall will take place from the CLI using the iptables command. For this example, we will be using the INPUT chain of the filter table to restrict access to clients coming from 10.1.1.0/24. We will be adding rules for the ports specified in the /etc/sysconfig/nfs file as well as port 111 for the portmapper and 2049 for NFS.
iptables -A INPUT -s 127.0.0.1 -p tcp --dport 111 -j ACCEPT
iptables -A INPUT -s 127.0.0.1 -p udp --dport 111 -j ACCEPT
iptables -A INPUT -s 10.1.1.0/24 -p tcp --dport 111 -j ACCEPT
iptables -A INPUT -s 10.1.1.0/24 -p udp --dport 111 -j ACCEPT
iptables -A INPUT -s 10.1.1.0/24 -p tcp --dport 6001:6004 -j ACCEPT
iptables -A INPUT -s 10.1.1.0/24 -p udp --dport 6001:6004 -j ACCEPT
iptables -A INPUT -s 10.1.1.0/24 -p tcp --dport 2049 -j ACCEPT
iptables -A INPUT -s 10.1.1.0/24 -p udp --dport 2049 -j ACCEPT
Run the ‘iptables -L’ command and verify that the rules have been entered correctly. Keep in mind that ACCEPT rules only restrict access if the INPUT chain’s default policy is DROP or a later rule rejects the remaining traffic to these ports.
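As an added example (not the post’s own commands), the script below generates the same rule set for any client network and port range, prints it for review, and applies it only when APPLY=1 is set. It differs from the rules above in two places: loopback traffic to the portmapper is matched by interface (-i lo) instead of by the source address 127.0.0.1, and a REJECT rule is appended for each NFS port so that hosts outside the client network are refused even when the INPUT chain’s default policy is ACCEPT. The network 10.1.1.0/24 and ports 6001–6004 are the post’s values.

```shell
#!/bin/sh
# Added example, not the original post's commands: build the NFS rule set for
# a client network and a contiguous port range. Rules are printed for review
# and executed only when APPLY=1 is set in the environment.

# nfs_rules CLIENT_NET FIRST_PORT LAST_PORT: print one iptables command per line.
# Order matters: iptables evaluates rules top to bottom, so the ACCEPT rules
# for the client network come first and the catch-all REJECT rules last.
nfs_rules() {
    net=$1
    range="$2:$3"
    # Portmapper queries from the host itself, matched by loopback interface.
    for proto in tcp udp; do
        echo "iptables -A INPUT -i lo -p $proto --dport 111 -j ACCEPT"
    done
    # Portmapper, the four static service ports, and nfs for the client network.
    for proto in tcp udp; do
        for dport in 111 "$range" 2049; do
            echo "iptables -A INPUT -s $net -p $proto --dport $dport -j ACCEPT"
        done
    done
    # Everything else reaching the NFS ports is refused, so the restriction
    # does not depend on the chain's default policy.
    for proto in tcp udp; do
        for dport in 111 "$range" 2049; do
            echo "iptables -A INPUT -p $proto --dport $dport -j REJECT"
        done
    done
}

# Print the rules first so they can be checked; APPLY=1 executes them.
# Afterwards confirm with "iptables -L INPUT -n" and keep them with
# "service iptables save".
nfs_rules 10.1.1.0/24 6001 6004
if [ "${APPLY:-0}" = 1 ]; then
    nfs_rules 10.1.1.0/24 6001 6004 | sh -e
fi
```

Because -A appends, any rules already present in INPUT are evaluated before these; if an earlier rule already accepts all traffic from some network, the REJECT rules here will not override it, so review ‘iptables -L INPUT -n --line-numbers’ before applying.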
Restart NFS Services
For the new port numbers to take effect, both the nfslock and nfs services need to be restarted.
service nfslock restart
service nfs restart
Run ‘rpcinfo -p’ and examine the port column. The ports listed should match the ports in the firewall rules. If not, verify the contents of /etc/sysconfig/nfs and restart the services again.
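That comparison can be automated. The following added example (not from the original post) reads ‘rpcinfo -p’ output and reports every registered service whose port lies outside the filtered range, ignoring the fixed ports 111 and 2049. The rpcinfo output embedded in it is constructed, with the status service deliberately left on a dynamic port to show what a mismatch looks like; on the server you would pipe the real ‘rpcinfo -p’ output into the check instead.

```shell
#!/bin/sh
# Added example (not from the original post): verify that every RPC service
# registered with the portmapper is on a port the firewall rules allow.

# Constructed sample of "rpcinfo -p". The status service is on a dynamic
# port (37129) here, which the 6001-6004 rules would block.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100011    1   udp   6001  rquotad
    100021    1   udp   6002  nlockmgr
    100021    1   tcp   6002  nlockmgr
    100005    1   udp   6003  mountd
    100005    1   tcp   6003  mountd
    100024    1   udp  37129  status
    100003    2   tcp   2049  nfs
    100003    2   udp   2049  nfs'

# check_rpc_ports FIRST LAST: read rpcinfo -p output on stdin, print one line
# per service whose port is neither 111, 2049 nor inside FIRST..LAST, and
# exit non-zero if any such service exists.
check_rpc_ports() {
    awk -v first="$1" -v last="$2" '
        NR == 1 { next }                      # column header
        $4 == 111 || $4 == 2049 { next }      # portmapper and nfs, fixed ports
        $4 < first || $4 > last {
            print $5 " on " $3 "/" $4 " is outside " first "-" last
            bad = 1
        }
        END { exit bad ? 1 : 0 }'
}

# On the NFS server run:  rpcinfo -p | check_rpc_ports 6001 6004
if printf '%s\n' "$SAMPLE_RPCINFO" | check_rpc_ports 6001 6004; then
    echo "all RPC services are on filtered ports"
else
    echo "fix /etc/sysconfig/nfs, restart nfslock and nfs, then re-check" >&2
fi
```

A service on an unexpected port usually means its variable in /etc/sysconfig/nfs is still commented out or misspelled, or the service was not restarted after the edit.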
To test, attempt to mount an NFS share from a client in the range specified in the firewall rules. To troubleshoot connectivity issues, try using nmap from the client and complete a TCP and UDP port scan. In addition, check the log files on the NFS server. If the problem is suspected to be firewall related, restart the iptables service: this reloads the last saved rule set and discards the changes you have made interactively.
Save the Firewall Configuration
All this work may be for nothing if the firewall rules are not saved. Interactive changes to Netfilter using iptables at the CLI will disappear if the iptables service is restarted prior to saving the rules.
service iptables save
Everything should now be set up and working. Your NFS service now has another layer of security.