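# Iptables code for local NFS server
# Insert after ALLOW_HOST directive in http://www.sns.ias.edu/~jns/files/iptables_ruleset_updated
# James C. Stephens (jns@ias.edu)
# http://www.sns.ias.edu/~jns
#
# This is a fragment, not a standalone script: it expects the enclosing ruleset
# to provide $iface and the helpers allow_inbound_tcpservice /
# allow_inbound_udpservice, called as: <port> <iface> <client> <label>.
#
# mountd, statd and lockd can be pinned to fixed ports by the NFS start-up
# configuration; the defaults below are the values the original ruleset used
# and may be overridden from the environment.  They must match whatever ports
# the daemons were actually started with, or the rules open the wrong holes.
NFS_MOUNTD_PORT="${NFS_MOUNTD_PORT:-32767}"
NFS_STATD_PORT="${NFS_STATD_PORT:-32765}"
NFS_LOCKD_PORT="${NFS_LOCKD_PORT:-32766}"

# Print the port an RPC service is currently registered on with the local
# portmapper, or nothing if it is not registered.
#   $1 - service name as shown by "rpcinfo -p" (e.g. rquotad)
#   $2 - protocol, tcp or udp
# rpcinfo -p columns are: program vers proto port service.
nfs_rpc_port() {
  /usr/sbin/rpcinfo -p localhost \
    | awk -v svc="$2" -v proto="$1" '$3 == proto && $5 == svc { print $4; exit }' 2>/dev/null
}

# rquotad can't be locked to a port so we have to query the local portmapper
# for it.  The answer does not depend on the client, so ask once, not per client.
NFS_RQUOTAD_TCP="$(nfs_rpc_port tcp rquotad)"
NFS_RQUOTAD_UDP="$(nfs_rpc_port udp rquotad)"

# One client specification per line, deduplicated across all exports.
# exportfs prints "<path><tabs><client>" and wraps long paths so that the
# client lands alone on a following indented line; in both shapes the client is
# the last field of a line that contains whitespace, which is what the original
# sed expression extracted.  sort -u (rather than uniq) also collapses the same
# client appearing on non-adjacent exports.
NFS_CLIENTS="$(/usr/sbin/exportfs | awk '/[[:space:]]/ { print $NF }' | sort -u)"

# Read line by line instead of word-splitting $NFS_CLIENTS: export entries such
# as "*.example.com" would otherwise be glob-expanded against the current
# directory before reaching the rule helpers.
while IFS= read -r nfs_client; do
  [ -n "$nfs_client" ] || continue

  # Entries that are not a single host, address or network cannot be turned into
  # a source match: "<world>" (export to everyone), hostname wildcards and
  # @netgroups.  Report them and generate no rule rather than hand the helpers
  # a string that is presumably passed straight to a source-address option.
  case "$nfs_client" in
    '<world>'|*'*'*|*'?'*|@*)
      echo $"NFS export to $nfs_client is not a host or network address; no iptables rule generated for it" >&2
      continue
      ;;
  esac

  echo $"Setting up NFS to local server from remote client $nfs_client on $iface"

  # portmap to nfs_client
  allow_inbound_tcpservice 111 "$iface" "$nfs_client" " portmapper-tcp"
  allow_inbound_udpservice 111 "$iface" "$nfs_client" " portmapper-udp"

  # nfsd to nfs_client
  allow_inbound_tcpservice 2049 "$iface" "$nfs_client" " nfs-tcp"
  allow_inbound_udpservice 2049 "$iface" "$nfs_client" " nfs-udp"

  # mountd to nfs_client
  allow_inbound_tcpservice "$NFS_MOUNTD_PORT" "$iface" "$nfs_client" " mountd-tcp"
  allow_inbound_udpservice "$NFS_MOUNTD_PORT" "$iface" "$nfs_client" " mountd-udp"

  # quotad to nfs_client -- only when rquotad is actually registered; an
  # unregistered service gets no rule rather than a rule with an empty port.
  if [ -n "$NFS_RQUOTAD_TCP" ]; then
    echo $"rquotad registered on tcp port $NFS_RQUOTAD_TCP"
    allow_inbound_tcpservice "$NFS_RQUOTAD_TCP" "$iface" "$nfs_client" " rquotad-tcp"
  fi
  if [ -n "$NFS_RQUOTAD_UDP" ]; then
    echo $"rquotad registered on udp port $NFS_RQUOTAD_UDP"
    allow_inbound_udpservice "$NFS_RQUOTAD_UDP" "$iface" "$nfs_client" " rquotad-udp"
  fi

  # status (nfs.statd)
  allow_inbound_tcpservice "$NFS_STATD_PORT" "$iface" "$nfs_client" " status-tcp"
  allow_inbound_udpservice "$NFS_STATD_PORT" "$iface" "$nfs_client" " status-udp"

  # nlockmgr (nfs.lockd)
  allow_inbound_tcpservice "$NFS_LOCKD_PORT" "$iface" "$nfs_client" " nlockmgr-tcp"
  allow_inbound_udpservice "$NFS_LOCKD_PORT" "$iface" "$nfs_client" " nlockmgr-udp"
done <<<"$NFS_CLIENTS"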