Allowing NFS through iptables/firewalld

From DISI
Jump to navigation Jump to search

CentOS 7: firewalld

# Look at current firewalld settings: 
[root@qof ~]# firewall-cmd --list-all
public (active)
 target: default
 icmp-block-inversion: no
 interfaces: eno1 eno2
 sources: 
 services: ssh dhcpv6-client
 ports: 
 protocols: 
 masquerade: no
 forward-ports: 
 source-ports: 
 icmp-blocks: 
 rich rules: 
# add NFS services to firewalld's allowances.  Use permanent flag so that services remain allowed even after firewalld reloads
[root@qof ~]# firewall-cmd --permanent --add-service=nfs 
success
[root@qof ~]# firewall-cmd --permanent --add-service=mountd
success
[root@qof ~]# firewall-cmd --permanent --add-service=rpc-bind
success
[root@qof ~]# firewall-cmd --reload
success
# Verify changes stay
[root@qof ~]# firewall-cmd --list-all
public (active)
 target: default
 icmp-block-inversion: no
 interfaces: eno1 eno2
 sources: 
 services: ssh dhcpv6-client nfs mountd rpc-bind
 ports: 
 protocols: 
 masquerade: no
 forward-ports: 
 source-ports: 
 icmp-blocks: 
 rich rules:


CentOS 6: iptables

# Edit /etc/sysconfig/iptables.  Add lines: 
-A INPUT -m state --state NEW -m tcp -p tcp -s <subnet> --dport 2049 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp -s <subnet> --dport 2049 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -s <subnet> --dport 111 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp -s <subnet> --dport 111 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -s <subnet> --dport 875 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp -s <subnet> --dport 875 -j ACCEPT

# reload iptables  
$ service iptables restart
# verify firewall configuration
$ iptables -L -n
Retrieved from "http://wiki.docking.org/index.php?title=Allowing_NFS_through_iptables/firewalld&oldid=10785"