Here is a quick post for you guys. I’m in the middle of writing a follow-up to one of my other articles, and it dawned on me that I need to do this particular post first: a post within a post, or before a post, or something. In any case, I need to provide an update on configuring NFS to poke through a firewall in RHEL 7 for the purpose of RHV in a home lab, or for other use cases. Read on, if you will…
In some older posts I showed how to configure NFSv3 to use predictable ports in RHEL so that it is more iptables-friendly. You don’t want to shut your firewall down and leave your security wide open, and if your firewall is also doing other work for you, like port forwarding, then you really can’t shut it down.
So here’s the skinny: I’m in the process of setting up new systems for “RHV with Hosted Engine”, and I’m using an NFS server for the storage. It’s a home lab, so I’m not exactly worried about performance. I really don’t recommend using a Linux server for production NFS in virtualization, but again, this is a home lab for demos and recording demos. I thought it would be good to update the procedure for configuring NFS and the firewall, but I didn’t want the Hosted Engine article to get too big either.
In the “olden days”, way back in RHEL 6 (I’m kidding, that was last week, right?), we wrote rules with the iptables command, or straight into /etc/sysconfig/iptables, and the iptables service loaded them into the kernel packet filter (netfilter). In RHEL 7, the firewalld service is the front end: it still drives iptables underneath, which still talks to the kernel packet filter. In my opinion, firewalld and its companion firewall-cmd are easier to work with. Regardless, the old service applied changes by flushing all of the rules and reading in the new ones, which sometimes dropped established connections. Not so with firewalld, which adds and removes individual rules at runtime.
Ok, so with the condensed lesson out of the way, how do we do this?
Add this to /etc/sysconfig/nfs. These settings pin the NFSv3 helper daemons (rquotad, lockd, mountd and statd) to fixed ports; without them, rpcbind hands each daemon a random port at startup and there is nothing stable to open in the firewall:
RQUOTAD_PORT=875
LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
MOUNTD_PORT=892
STATD_PORT=662
This requires a reboot to take effect! A reboot is the simplest way to be sure every daemon, including the in-kernel lockd, has picked up the new ports.
Then open the ports with the firewall-cmd command. I happened to put it in a small script:
#!/bin/sh
firewall-cmd \
  --add-port=111/tcp \
  --add-port=111/udp \
  --add-port=892/tcp \
  --add-port=892/udp \
  --add-port=875/tcp \
  --add-port=875/udp \
  --add-port=662/tcp \
  --add-port=662/udp \
  --add-port=32769/udp \
  --add-port=32803/tcp \
  --permanent
firewall-cmd --permanent --add-service=nfs
firewall-cmd --permanent --add-service=mountd
firewall-cmd --permanent --add-service=rpc-bind
firewall-cmd --reload
After I ran the script, I checked the output of the firewall-cmd listing. One thing to note: --add-service=mountd opens 20048/tcp and 20048/udp, mountd’s default port, which is no longer needed once MOUNTD_PORT=892 is pinned. It is harmless here, but it is one more open port than the setup requires.
[root@rhvi ~]# firewall-cmd --list-all
public (default)
  interfaces:
  sources:
  services: dhcpv6-client mountd nfs rpc-bind ssh
  ports: 32803/tcp 662/udp 662/tcp 111/udp 875/udp 111/tcp 875/tcp 892/udp 892/tcp 32769/udp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
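The script above opens the ports in the default public zone, so any host that can reach the server’s interface can talk to rpcbind, mountd and nfsd. NFSv3 trusts the client’s IP address (AUTH_SYS) and the export list is the only other gate, so that is wider than a lab needs. The following script is an added example, not from the original post: it derives the port list from the same /etc/sysconfig/nfs variables (so the firewall and the NFS config cannot drift apart) and emits firewall-cmd commands that open those ports only for the clients’ subnet, in a dedicated zone. The zone name nfslan and the sample config file are assumptions; the 192.168.0.0/24 subnet is the one from the export list. The script prints the commands rather than running them, so you can review them before pasting them in.

```shell
#!/bin/sh
# Added example (not from the original post): build firewall-cmd calls for
# NFSv3 from the ports pinned in /etc/sysconfig/nfs, restricted to one subnet.
# The zone name "nfslan" and the sample config below are assumptions.

# nfs_port_specs CONFIG_FILE
# Prints one port/proto per line: the fixed rpcbind (111) and nfsd (2049)
# ports, plus whatever the config file pins. Lines that are not KEY=number
# (comments, blanks, other settings) are ignored.
nfs_port_specs() {
    printf '%s\n' 111/tcp 111/udp 2049/tcp 2049/udp
    while IFS='=' read -r key val; do
        case $val in ''|*[!0-9]*) continue ;; esac
        case $key in
            RQUOTAD_PORT|MOUNTD_PORT|STATD_PORT) printf '%s/tcp\n%s/udp\n' "$val" "$val" ;;
            LOCKD_TCPPORT) printf '%s/tcp\n' "$val" ;;
            LOCKD_UDPPORT) printf '%s/udp\n' "$val" ;;
        esac
    done < "$1"
}

# nfs_fw_commands CONFIG_FILE ZONE SOURCE_CIDR
# Prints the firewall-cmd commands that create ZONE, bind it to SOURCE_CIDR
# and open the NFS ports in it. Source-bound zones are matched before
# interface zones, so the public zone never sees these clients' traffic.
nfs_fw_commands() {
    cfg=$1 zone=$2 src=$3
    printf 'firewall-cmd --permanent --new-zone=%s\n' "$zone"
    printf 'firewall-cmd --permanent --zone=%s --add-source=%s\n' "$zone" "$src"
    nfs_port_specs "$cfg" | while read -r spec; do
        printf 'firewall-cmd --permanent --zone=%s --add-port=%s\n' "$zone" "$spec"
    done
    printf 'firewall-cmd --reload\n'
}

# Constructed sample of /etc/sysconfig/nfs with the ports used in the post.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# NFSv3 helper daemons pinned to fixed ports
RQUOTAD_PORT=875
LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
MOUNTD_PORT=892
STATD_PORT=662
EOF

nfs_fw_commands "$sample" nfslan 192.168.0.0/24
rm -f "$sample"
```

Run it on the NFS server and compare the printed commands with the port list in /etc/sysconfig/nfs before executing them; if a client later ends up in a different subnet, add a second --add-source rather than widening the zone to an interface.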
Before I configured the firewall (but after the NFS ports were pinned), this is what the NFS clients saw:
[root@rhvh01 ~]# showmount -e rhvi
clnt_create: RPC: Port mapper failure - Unable to receive: errno 113 (No route to host)
After the firewall was configured, all was right with the world. (That “No route to host” above is not a routing problem: firewalld’s public zone rejects unmatched traffic with an ICMP host-prohibited message, which the client’s RPC library reports as errno 113.)
[root@rhvh01 ~]# showmount -e rhvi
Export list for rhvi:
/he   192.168.0.0/24
/iso  192.168.0.0/24
/data 192.168.0.0/24
So there you have it: NFS and firewalls updated for RHEL 7. I did this in the context of RHV and Hosted Engine, but you may need it for something else.
Hope this helps,