NFS Firewall

Rumi, September 9, 2015

By default the NFS helper services (rpc.lockd, rpc.mountd, rquotad and rpc.statd) register on dynamic ports, and a port-filtering firewall such as iptables cannot allow ports that change on every restart. First, you need to configure the NFS services to use fixed ports.

Open /etc/sysconfig/nfs:

    # vi /etc/sysconfig/nfs

Set each of the following directives to an unused TCP/UDP port:

    # TCP port rpc.lockd should listen on.
    LOCKD_TCPPORT=lockd-port-number
    # UDP port rpc.lockd should listen on.
    LOCKD_UDPPORT=lockd-port-number
    # Port rpc.mountd should listen on.
    MOUNTD_PORT=mountd-port-number
    # Port rquotad should listen on.
    RQUOTAD_PORT=rquotad-port-number
    # Port rpc.statd should listen on.
    STATD_PORT=statd-port-number
    # Outgoing port statd should use. The default is a random port.
    STATD_OUTGOING_PORT=statd-outgoing-port-number

Here is a sample listing from one of my production NFS servers:

    LOCKD_TCPPORT=32803
    LOCKD_UDPPORT=32769
    MOUNTD_PORT=892
    RQUOTAD_PORT=875
    STATD_PORT=662
    STATD_OUTGOING_PORT=2020

Save and close the file. Restart the portmap and NFS services:

    # service portmap restart
    # service nfs restart
    # service rpcsvcgssd restart

Update the /etc/sysconfig/iptables file

Open /etc/sysconfig/iptables:

    # vi /etc/sysconfig/iptables

Add the following lines, ensuring that they appear before the final LOG and DROP lines of the RH-Firewall-1-INPUT chain. Port 111 is the portmapper and 2049 is nfsd; the remaining ports are the fixed ones set above. Replace 192.168.1.0/24 with the subnet your NFS clients are on, so that only those hosts can reach the services:

    -A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 111 -j ACCEPT
    -A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 111 -j ACCEPT
    -A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 2049 -j ACCEPT
    -A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 32803 -j ACCEPT
    -A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 32769 -j ACCEPT
    -A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 892 -j ACCEPT
    -A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 892 -j ACCEPT
    -A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 875 -j ACCEPT
    -A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 875 -j ACCEPT
    -A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 662 -j ACCEPT
    -A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 662 -j ACCEPT

Finally, reload the firewall rules:

    # service iptables restart
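As an added example (not code from the original post), the following POSIX sh script ties the two halves of the procedure together: it reads the fixed-port directives from /etc/sysconfig/nfs-style text, generates the matching RH-Firewall-1-INPUT rules for a client subnet, and checks the output of `rpcinfo -p` against the configured ports so you can confirm the daemons really moved off their random ports after the restart. The function names, the sample config and the sample rpcinfo output are constructed for this example; the generated rule set also opens 2049/udp, which the post's list omits but NFS over UDP needs.

```shell
#!/bin/sh
# Added example, not code from the original post. Constructed sample of
# the /etc/sysconfig/nfs directives shown above:
NFS_SYSCONFIG_SAMPLE='LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
MOUNTD_PORT=892
RQUOTAD_PORT=875
STATD_PORT=662
STATD_OUTGOING_PORT=2020'
# Constructed "rpcinfo -p" output in which lockd's TCP port is still random:
RPCINFO_SAMPLE='   program vers proto   port  service
    100005    1   tcp    892  mountd
    100024    1   udp    662  status
    100011    1   udp    875  rquotad
    100021    1   udp  32769  nlockmgr
    100021    1   tcp  35012  nlockmgr'
# nfs_port CONFIG DIRECTIVE: print the port assigned to DIRECTIVE.
nfs_port() {
    printf '%s\n' "$1" | sed -n "s/^$2=\([0-9][0-9]*\)\$/\1/p"
}

# nfs_rules CONFIG SUBNET: print the ACCEPT rules for RH-Firewall-1-INPUT.
# Also opens 2049/udp, which the post's list omits but NFS over UDP needs.
nfs_rules() {
    cfg=$1 net=$2
    for spec in "udp 111" "tcp 111" "tcp 2049" "udp 2049" \
        "tcp $(nfs_port "$cfg" LOCKD_TCPPORT)" "udp $(nfs_port "$cfg" LOCKD_UDPPORT)" \
        "tcp $(nfs_port "$cfg" MOUNTD_PORT)"  "udp $(nfs_port "$cfg" MOUNTD_PORT)" \
        "tcp $(nfs_port "$cfg" RQUOTAD_PORT)" "udp $(nfs_port "$cfg" RQUOTAD_PORT)" \
        "tcp $(nfs_port "$cfg" STATD_PORT)"   "udp $(nfs_port "$cfg" STATD_PORT)"; do
        set -- $spec   # $1 = protocol, $2 = port
        printf -- '-A RH-Firewall-1-INPUT -s %s -m state --state NEW -p %s --dport %s -j ACCEPT\n' "$net" "$1" "$2"
    done
}
# nfs_check_rpc RPCINFO_OUTPUT CONFIG: print every registered service that is
# not on its configured port ("svc/proto on PORT, expected PORT"); return 1 if any.
nfs_check_rpc() {
    out=$1 cfg=$2 bad=0
    for m in "mountd tcp MOUNTD_PORT" "mountd udp MOUNTD_PORT" "status tcp STATD_PORT" \
             "status udp STATD_PORT" "rquotad tcp RQUOTAD_PORT" "rquotad udp RQUOTAD_PORT" \
             "nlockmgr tcp LOCKD_TCPPORT" "nlockmgr udp LOCKD_UDPPORT"; do
        set -- $m   # $1 = service name as rpcinfo prints it, $2 = protocol, $3 = directive
        want=$(nfs_port "$cfg" "$3")
        for got in $(printf '%s\n' "$out" | awk -v s="$1" -v p="$2" '$5==s && $3==p {print $4}'); do
            [ "$got" = "$want" ] || { echo "$1/$2 on $got, expected $want"; bad=1; }
        done
    done
    return $bad
}
```

On a live server, run `nfs_rules "$(cat /etc/sysconfig/nfs)" 192.168.1.0/24` to print the rules to paste into /etc/sysconfig/iptables, and `nfs_check_rpc "$(rpcinfo -p)" "$(cat /etc/sysconfig/nfs)"` after the restarts; a non-zero exit means at least one daemon is still on a port your rules do not allow.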