NFS Firewall
Rumi, September 9, 2015

NFSv3 (and older) depends on several RPC helper daemons: rpc.mountd, rpc.lockd, rpc.statd and rquotad. Each one registers with portmap and binds to a different dynamic port every time it starts, so a port-filtering firewall such as iptables cannot be given a stable rule for them. Only portmap (111) and nfsd (2049) sit on well-known ports. First, therefore, you need to configure the NFS helper services to use fixed ports.

Open /etc/sysconfig/nfs, enter:

# vi /etc/sysconfig/nfs

Set the following directives to unused TCP/UDP ports:

# TCP port rpc.lockd should listen on.
LOCKD_TCPPORT=lockd-port-number
# UDP port rpc.lockd should listen on.
LOCKD_UDPPORT=lockd-port-number
# Port rpc.mountd should listen on.
MOUNTD_PORT=mountd-port-number
# Port rquotad should listen on.
RQUOTAD_PORT=rquotad-port-number
# Port rpc.statd should listen on.
STATD_PORT=statd-port-number
# Outgoing port statd should use. The default is a random port.
STATD_OUTGOING_PORT=statd-outgoing-port-number

Here is a sample listing from one of my production NFS servers:

LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
MOUNTD_PORT=892
RQUOTAD_PORT=875
STATD_PORT=662
STATD_OUTGOING_PORT=2020

Save and close the file. Restart the portmap and NFS services so that the daemons re-register with portmap on their new ports:

# service portmap restart
# service nfs restart
# service rpcsvcgssd restart

Before touching the firewall, confirm that the daemons really came up on the configured ports; if one of them ignored the setting, the rules below will silently break locking or mounting for every client:

# rpcinfo -p

Update the /etc/sysconfig/iptables file

Open /etc/sysconfig/iptables, enter:

# vi /etc/sysconfig/iptables

Add the following lines, ensuring that they appear before the final LOG and DROP lines of the RH-Firewall-1-INPUT chain (the chain's existing ESTABLISHED,RELATED rule takes care of the reply traffic). Replace 192.168.1.0/24 with the subnet your NFS clients live on, and do not open these ports to the world: without Kerberos (sec=krb5*), NFS trusts whatever UID/GID the client claims.

-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 32803 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 32769 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 892 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 892 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 875 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 875 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 662 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 662 -j ACCEPT

Two caveats on this list. It opens 2049 for TCP only, which is right for the usual mounts; if any client mounts with proto=udp, add a matching 2049/udp rule. Clients that use NFSv4 exclusively need nothing but 2049/tcp, because mount, lock and status handling are part of the v4 protocol itself, so the helper-daemon rules can be dropped on a v4-only server.

Finally, reload the rules:

# service iptables restart

Tags: CentOS, iptables, NFS
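As an added example, not part of the original post, here is a POSIX shell script that does the two things this procedure depends on: it checks the output of `rpcinfo -p` against the fixed ports chosen in /etc/sysconfig/nfs, and it generates the matching RH-Firewall-1-INPUT rules from the same port list, so the NFS configuration and the firewall cannot drift apart. The port numbers are the sample values from this post, the two rpcinfo listings are constructed to show a good server and a broken one, and the function names (check_rpc_ports, iptables_rules_for) are my own.

```shell
#!/bin/sh
# Added example: verify that the NFS helper daemons registered with portmap
# on their fixed ports, and emit iptables rules from the same list.
# On a live server run:  check_rpc_ports "$(rpcinfo -p)"

# Expected service/protocol/port triples. These are the sample values from
# the post; change them to match your /etc/sysconfig/nfs.
EXPECTED_PORTS='
portmapper tcp 111
portmapper udp 111
nfs        tcp 2049
mountd     tcp 892
mountd     udp 892
nlockmgr   tcp 32803
nlockmgr   udp 32769
status     tcp 662
status     udp 662
rquotad    tcp 875
rquotad    udp 875
'

# check_rpc_ports "<rpcinfo -p output>"
# Prints one line per problem. Returns 0 only if every expected
# service/protocol pair is registered on exactly the expected port.
check_rpc_ports() {
  printf '%s\n' "$1" | awk -v expected="$EXPECTED_PORTS" '
    BEGIN {
      n = split(expected, lines, "\n")
      for (i = 1; i <= n; i++)
        if (split(lines[i], f, " ") == 3) want[f[1] SUBSEP f[2]] = f[3]
    }
    # rpcinfo -p data lines look like: program vers proto port service
    $1 ~ /^[0-9]+$/ && NF == 5 {
      key = $5 SUBSEP $3
      if (key in want) {
        seen[key] = 1
        if ($4 != want[key]) {
          bad = 1
          printf "WRONG PORT: %s/%s is on %s, expected %s\n", $5, $3, $4, want[key]
        }
      }
    }
    END {
      for (key in want) if (!(key in seen)) {
        split(key, k, SUBSEP)
        bad = 1
        printf "NOT REGISTERED: %s/%s (expected port %s)\n", k[1], k[2], want[key]
      }
      exit bad
    }'
}

# iptables_rules_for <client-cidr>
# Emits one ACCEPT rule per expected service/protocol pair for the
# RH-Firewall-1-INPUT chain, restricted to the given client subnet.
iptables_rules_for() {
  printf '%s\n' "$EXPECTED_PORTS" | awk -v cidr="$1" '
    NF == 3 {
      printf "-A RH-Firewall-1-INPUT -s %s -m state --state NEW -p %s --dport %s -j ACCEPT\n", cidr, $2, $3
    }'
}

# Constructed rpcinfo -p sample from a server where the settings took effect.
SAMPLE_OK='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp    662  status
    100024    1   tcp    662  status
    100021    1   udp  32769  nlockmgr
    100021    3   udp  32769  nlockmgr
    100021    4   tcp  32803  nlockmgr
    100005    1   udp    892  mountd
    100005    3   tcp    892  mountd
    100003    3   tcp   2049  nfs
    100011    1   udp    875  rquotad
    100011    2   tcp    875  rquotad'

# Constructed sample where lockd ignored LOCKD_*PORT and took random ports,
# and rquotad is not running: the firewall rules above would break locking.
SAMPLE_BAD='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp    662  status
    100024    1   tcp    662  status
    100021    1   udp  33521  nlockmgr
    100021    4   tcp  40913  nlockmgr
    100005    1   udp    892  mountd
    100005    3   tcp    892  mountd
    100003    3   tcp   2049  nfs'

echo "== good sample =="
check_rpc_ports "$SAMPLE_OK" && echo "all NFS RPC services on their fixed ports"
echo "== broken sample =="
check_rpc_ports "$SAMPLE_BAD" || echo "fix /etc/sysconfig/nfs and restart nfs/nfslock before reloading iptables"
echo "== generated rules =="
iptables_rules_for 192.168.1.0/24
```

The check deliberately treats a missing registration as a failure, not just a wrong port: a daemon that never registered (rquotad in the broken sample) would pass a port-only comparison and leave you debugging quota errors later. The generated rules are TCP 2049 only, like the post's list; add a `nfs udp 2049` line to EXPECTED_PORTS if your clients mount over UDP.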