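# Iptables code for remote NFS server
# Insert after ALLOW_HOST directive in http://www.sns.ias.edu/~jns/files/iptables_ruleset_updated
# James C. Stephens (jns@ias.edu)
# http://www.sns.ias.edu/~jns
#
# Relies on names provided by the enclosing ruleset: $FSTAB, $RPCINFO, $iface and
# the allow_{inbound,outbound}_{tcp,udp}service helpers (args: port iface host comment).
#
# Ports this client pins nfs.statd / nfs.lockd to, so the server can call back.
# Overridable from the environment; the defaults are the values the original
# ruleset hard-coded.
# NOTE(review): these must agree with the local NFS configuration that pins
# statd/lockd (e.g. STATD_PORT / LOCKD_TCPPORT) -- verify on the client.
NFS_STATD_PORT=${NFS_STATD_PORT:-32765}
NFS_LOCKD_PORT=${NFS_LOCKD_PORT:-32766}

# nfs_rpc_port SERVICE PROTO
#   Print the port that the captured "rpcinfo -p" listing in $NFS_RPC_TABLE
#   reports for SERVICE over PROTO (first match); return 1 and print nothing if
#   the service is not registered.  rpcinfo -p columns are:
#   program vers proto port service.
#   Only a purely numeric port is accepted: the listing is an unauthenticated
#   reply from the remote portmapper, so anything else is dropped here rather
#   than passed on to iptables.
nfs_rpc_port() {
  local port
  port=$(printf '%s\n' "$NFS_RPC_TABLE" \
    | awk -v svc="$1" -v proto="$2" '$3 == proto && $5 == svc { print $4; exit }')
  case $port in
    ''|*[!0-9]*) return 1 ;;
  esac
  printf '%s\n' "$port"
}

# Remote NFS servers: the host part of every fstab entry whose filesystem type
# is nfs/nfs4.  Comment lines and entries without a "host:" prefix are ignored
# (the old "grep nfs" also matched comments and any path containing "nfs").
# NOTE(review): bracketed IPv6 literals ("[fe80::1]:/export") are not handled.
unset NFS_SERVERS
NFS_SERVERS=$(awk '!/^[[:space:]]*#/ && $3 ~ /^nfs/ && index($1, ":") {
                     sub(/:.*/, "", $1); print $1 }' "$FSTAB" | sort -u)

# $NFS_SERVERS is a newline-separated list of hostnames; word-splitting is intended.
for nfs_server in $NFS_SERVERS; do
  echo $"Setting up NFS to remote server $nfs_server from local client on $iface"

  # portmapper (111) and nfsd (2049) live on fixed ports.  Open them first so
  # the rpcinfo query below can reach the server's portmapper.
  allow_outbound_tcpservice 111 "$iface" "$nfs_server" " portmapper-tcp"
  allow_outbound_udpservice 111 "$iface" "$nfs_server" " portmapper-udp"
  allow_outbound_tcpservice 2049 "$iface" "$nfs_server" " nfs-tcp"
  allow_outbound_udpservice 2049 "$iface" "$nfs_server" " nfs-udp"

  # mountd, status, nlockmgr and rquotad are on dynamic ports: query the
  # server's portmapper once and reuse the listing for all of them
  # (based on code by Spijker).  If the query fails the dynamic-port rules
  # are skipped, as before, but the failure is reported instead of silent.
  # $RPCINFO is left unquoted on purpose in case it carries options.
  # shellcheck disable=SC2086
  if ! NFS_RPC_TABLE=$($RPCINFO -p "$nfs_server" 2>/dev/null); then
    printf 'warning: rpcinfo -p %s failed; skipping dynamic-port NFS rules\n' "$nfs_server" >&2
    NFS_RPC_TABLE=
  fi
  for svc in mountd status nlockmgr rquotad; do
    for proto in tcp udp; do
      if port=$(nfs_rpc_port "$svc" "$proto"); then
        # diagnostic, mirrors the port echo of the original
        printf '%s-%s %s\n' "$svc" "$proto" "$port"
        "allow_outbound_${proto}service" "$port" "$iface" "$nfs_server" " $svc-$proto"
      fi
    done
  done

  # Callbacks from the server to this client's statd (nfs.statd) and
  # lock manager (nfs.lockd), which are pinned to the local ports above.
  allow_inbound_tcpservice "$NFS_STATD_PORT" "$iface" "$nfs_server" " status-tcp"
  allow_inbound_udpservice "$NFS_STATD_PORT" "$iface" "$nfs_server" " status-udp"
  allow_inbound_tcpservice "$NFS_LOCKD_PORT" "$iface" "$nfs_server" " nlockmgr-tcp"
  allow_inbound_udpservice "$NFS_LOCKD_PORT" "$iface" "$nfs_server" " nlockmgr-udp"
done

# Scratch state is not needed by the rest of the ruleset.
unset NFS_SERVERS NFS_RPC_TABLE nfs_server svc proto port
unset -f nfs_rpc_port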