How-To: Secure NFS Using iptables

Today, I am going to demonstrate how to use the Netfilter firewall and iptables to assist in securing NFS services.  While NFS already has some access controls placed in the /etc/exports file, iptables supplies another layer of security prior to reaching the application layer.

Define the Port Numbers

By default the portmapper will dynamically assign ports for many of the NFS services.  This becomes tricky when trying to secure the service using iptables, because static port numbers must be specified in the firewall rules.

There will be a total of six ports which need to be filtered.  Port 111 for portmap and 2049 for NFS services are fixed.  To simplify our filter rules, we can pick four contiguous port numbers for the other NFS services.  Typically, high port numbers will be used, but we need to ensure they are not already being used by any other services.  Run the following two commands (TCP and UDP listeners respectively) and choose four port numbers which are not in use.

netstat -tlnp
netstat -ulnp

For this example, I have chosen ports 6001 – 6004, but you can choose different port numbers.  Next, edit the /etc/sysconfig/nfs file.  By default, everything is commented.  Find the following lines, uncomment them, and enter the port numbers of your choice.

RQUOTAD_PORT=6001
LOCKD_TCPPORT=6002
LOCKD_UDPPORT=6002
MOUNTD_PORT=6003
STATD_PORT=6004

Note that lockd specifies line items for both TCP and UDP.  It’s okay to use the same number for both entries.  After your changes are made, save and close the /etc/sysconfig/nfs file.

Configure the Firewall

Configuring the firewall will take place from the CLI using the iptables command.  For this example, we will be using the INPUT chain of the filter table to restrict access to clients coming from 10.1.1.0/24.  We will be adding rules for the ports specified in the /etc/sysconfig/nfs file as well as port 111 for the portmapper and 2049 for NFS.

iptables -A INPUT -s 127.0.0.1 -p tcp --dport 111 -j ACCEPT
iptables -A INPUT -s 127.0.0.1 -p udp --dport 111 -j ACCEPT
iptables -A INPUT -s 10.1.1.0/24 -p tcp --dport 111 -j ACCEPT
iptables -A INPUT -s 10.1.1.0/24 -p udp --dport 111 -j ACCEPT
iptables -A INPUT -s 10.1.1.0/24 -p tcp --dport 6001:6004 -j ACCEPT
iptables -A INPUT -s 10.1.1.0/24 -p udp --dport 6001:6004 -j ACCEPT
iptables -A INPUT -s 10.1.1.0/24 -p tcp --dport 2049 -j ACCEPT
iptables -A INPUT -s 10.1.1.0/24 -p udp --dport 2049 -j ACCEPT

Run the ‘iptables -L’ command and verify the rules have been entered correctly.

Restart NFS Services

For the changes in port numbers to take place, both the nfslock and nfs service need to be restarted.

service nfslock restart
service nfs restart

Run ‘rpcinfo -p’ and examine the contents of the port column.  The ports listed should equal the ports in the firewall rules.  If not, verify the contents of /etc/sysconfig/nfs and restart the services again.
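The procedure above (pick unused ports, set them in /etc/sysconfig/nfs, write the rules, confirm with ‘rpcinfo -p’) as a checkable script. This is an added example, not code from the original post: the sysconfig, netstat and rpcinfo listings are constructed, the function names are mine, and the script only prints the iptables commands rather than applying them. It also makes one thing explicit that the rule list leaves implicit: ACCEPT rules on their own restrict nothing when the INPUT chain’s default policy is ACCEPT, so the generator appends REJECT rules for the NFS ports from every other source.

```shell
#!/bin/sh
# Added example, not part of the original post: helpers that (1) pull the
# static ports out of an /etc/sysconfig/nfs-style file, (2) check them against
# a netstat -tlnp/-ulnp listing, (3) generate the iptables rules for a client
# network, and (4) compare rpcinfo -p output with the chosen ports.
# Every input below is constructed for the demo; nothing touches the live host.

# Constructed /etc/sysconfig/nfs contents after the edit described in the post.
NFS_SYSCONFIG='# unrelated, still commented
#MOUNTD_NFS_V2="no"
RQUOTAD_PORT=6001
LOCKD_TCPPORT=6002
LOCKD_UDPPORT=6002
MOUNTD_PORT=6003
STATD_PORT=6004'

# Constructed netstat -tlnp output; 6002 is deliberately already taken.
NETSTAT_LISTING='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address   Foreign Address  State   PID/Program name
tcp        0      0 0.0.0.0:111     0.0.0.0:*        LISTEN  1001/rpcbind
tcp        0      0 0.0.0.0:22      0.0.0.0:*        LISTEN  1100/sshd
tcp        0      0 0.0.0.0:6002    0.0.0.0:*        LISTEN  1200/otherd'

# Constructed rpcinfo -p output after the NFS services were restarted.
RPCINFO_LISTING='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100011    1   udp   6001  rquotad
    100021    1   udp   6002  nlockmgr
    100021    1   tcp   6002  nlockmgr
    100005    1   udp   6003  mountd
    100005    1   tcp   6003  mountd
    100024    1   udp   6004  status
    100024    1   tcp   6004  status
    100003    3   tcp   2049  nfs
    100003    3   udp   2049  nfs'

# nfs_ports: unique static ports from the sysconfig text, ascending, one line.
nfs_ports() {
    printf '%s\n' "$1" \
      | awk -F= '/^(RQUOTAD_PORT|LOCKD_TCPPORT|LOCKD_UDPPORT|MOUNTD_PORT|STATD_PORT)=/ { print $2 }' \
      | sort -un | tr '\n' ' ' | sed 's/ $//'
}

# port_range: print "min:max" when the ports form one contiguous block
# (usable as a --dport range), otherwise return 1 so the caller can emit
# one rule per port instead.
port_range() {
    n=0; min=; max=
    for p in $1; do
        n=$((n + 1))
        if [ -z "$min" ] || [ "$p" -lt "$min" ]; then min=$p; fi
        if [ -z "$max" ] || [ "$p" -gt "$max" ]; then max=$p; fi
    done
    [ "$n" -gt 0 ] && [ $((max - min + 1)) -eq "$n" ] || return 1
    echo "$min:$max"
}

# used_ports: local port numbers already listening, from netstat -tlnp/-ulnp.
used_ports() {
    printf '%s\n' "$1" | awk '$4 ~ /:[0-9]+$/ { sub(/.*:/, "", $4); print $4 }' | sort -un
}

# port_conflicts: chosen ports that are already in use; empty output is good.
port_conflicts() {
    used=$(used_ports "$2")
    for p in $1; do
        for u in $used; do
            if [ "$p" = "$u" ]; then echo "$p"; fi
        done
    done
}

# nfs_rules: the iptables commands from the post for client network $1 and
# port spec $2, followed by REJECT rules for every other source. The ACCEPT
# lines alone restrict nothing if the INPUT chain's policy is ACCEPT.
nfs_rules() {
    net=$1; ports=$2
    for proto in tcp udp; do
        echo "iptables -A INPUT -s 127.0.0.1 -p $proto --dport 111 -j ACCEPT"
    done
    for dport in 111 "$ports" 2049; do
        for proto in tcp udp; do
            echo "iptables -A INPUT -s $net -p $proto --dport $dport -j ACCEPT"
        done
    done
    for dport in 111 "$ports" 2049; do
        for proto in tcp udp; do
            echo "iptables -A INPUT -p $proto --dport $dport -j REJECT"
        done
    done
}

# rpc_mismatches: rpcinfo -p entries on a port that is neither 111, 2049 nor
# one of the chosen static ports; empty output means the rules cover them all.
rpc_mismatches() {
    printf '%s\n' "$2" | awk -v allowed="111 2049 $1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^[0-9]+$/ && !($4 in ok) { print $5 ": " $4 }'
}

# Demo run on the constructed inputs.
PORTS=$(nfs_ports "$NFS_SYSCONFIG")
echo "static ports: $PORTS"
echo "already in use: $(port_conflicts "$PORTS" "$NETSTAT_LISTING")"
nfs_rules 10.1.1.0/24 "$(port_range "$PORTS")"
echo "rpcinfo ports outside the rule set: $(rpc_mismatches "$PORTS" "$RPCINFO_LISTING")"
```

On a real host, feed ‘cat /etc/sysconfig/nfs’, ‘netstat -tlnp; netstat -ulnp’ and ‘rpcinfo -p’ into the same functions; a non-empty result from port_conflicts or rpc_mismatches is the signal to pick different ports or to re-check the sysconfig file and restart the services, exactly as the post describes.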

Testing

To test, attempt to mount an NFS share from a client in the range specified in the firewall rules.  To troubleshoot connectivity issues, try using nmap from the client and complete a TCP and UDP port scan.  In addition, check the log files on the NFS server.  If the problem is suspected to be firewall related, restart the iptables service; this reloads the last saved rule set and removes any unsaved changes you have made.

Save the Firewall Configuration

All this work may be for nothing if the firewall rules are not saved.  Interactive changes to Netfilter using iptables at the CLI will disappear if the iptables service is restarted prior to saving the rules.

service iptables save

Everything should now be set up and working.  Your NFS service now has another layer of security.
