NFS & Firewalls in RHEL 7

Here is a quick post for you guys. I’m in the midst of creating a follow-up to one of my other articles, and it dawned on me that I need to do this particular post first. A post within a post, or before a post, or something. In either case, I need to provide an update on configuring NFS to poke through a firewall in RHEL 7, for the purpose of RHV in a home lab, or other use cases. Read on, if you will…

Background

In some older posts, I show you how to configure NFSv3 to use predictable ports in RHEL so that it is more iptables friendly. You don’t want to shut your firewall down and leave your security wide open. And if your firewall is also doing other work for you, like port forwarding, then you really can’t shut it down…

So here’s the skinny: I’m in the process of setting up new systems for “RHV w/ Hosted Engine”, and I’m using an NFS server for the storage. It’s a home lab, so I’m not exactly worried about performance. I really don’t recommend using a Linux server for production NFS in virtualization, but again, this is a home lab for demos and recording demos. I thought it would be good to update the procedures for configuring NFS and the firewall, but I didn’t want the Hosted Engine article to be too big either.

Server Side

In the “olden days”, way back in RHEL 6… (I’m kidding, that was last week, right?) we would use the iptables command as a front end to the iptables service, which in turn talks to the kernel packet filter. In RHEL 7, the “firewalld” service is now the front end to the iptables tool, which still talks to the kernel packet filter. In my opinion, firewalld and its companion “firewall-cmd” are easier to work with. Regardless, the old service required flushing the old rules and reading in new rules, sometimes causing connections to be lost. Not so with firewalld.

Ok, so with the condensed lesson out of the way, how do we do this?

Add this to /etc/sysconfig/nfs:

RQUOTAD_PORT=875
LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
MOUNTD_PORT=892
STATD_PORT=662

This requires a reboot in order to take effect!

Then open the ports and services with the firewall-cmd command. I happened to put it in a small script:

#!/bin/sh
# Open the static ports set in /etc/sysconfig/nfs, plus rpcbind on 111.
# lockd listens on different ports for TCP and UDP, so each gets only its own protocol.
firewall-cmd \
  --add-port=111/tcp \
  --add-port=111/udp \
  --add-port=892/tcp \
  --add-port=892/udp \
  --add-port=875/tcp \
  --add-port=875/udp \
  --add-port=662/tcp \
  --add-port=662/udp \
  --add-port=32769/udp \
  --add-port=32803/tcp \
  --permanent
# Also enable firewalld's predefined NFS-related services (nfs covers nfsd on 2049).
firewall-cmd --permanent --add-service=nfs
firewall-cmd --permanent --add-service=mountd
firewall-cmd --permanent --add-service=rpc-bind
# --permanent only changes the saved configuration; reload makes it the running one
# without dropping existing connections.
firewall-cmd --reload

After I ran the script, I checked the output of the firewall-cmd listing:

[root@rhvi ~]# firewall-cmd --list-all
public (default)
  interfaces: 
  sources: 
  services: dhcpv6-client mountd nfs rpc-bind ssh
  ports: 32803/tcp 662/udp 662/tcp 111/udp 875/udp 111/tcp 875/tcp 892/udp 892/tcp 32769/udp
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules:
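As an added example (not code from the original post), here is a small POSIX sh script that derives the required port list from those /etc/sysconfig/nfs settings, generates the matching firewall-cmd arguments, and audits a firewall-cmd --list-all listing for anything missing. The sysconfig contents are a constructed copy of the values above so the script runs offline; on a real server, feed it the real file and the real listing.

```shell
#!/bin/sh
# Added example, not from the original post. Derives the ports that the
# static settings in /etc/sysconfig/nfs require, generates the matching
# firewall-cmd arguments, and audits a "firewall-cmd --list-all" listing.

# Constructed copy of the lines the post adds to /etc/sysconfig/nfs.
NFS_SYSCONFIG='RQUOTAD_PORT=875
LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
MOUNTD_PORT=892
STATD_PORT=662'

# Print one "port/proto" per line: rpcbind's fixed 111 on both protocols,
# rquotad/mountd/statd on both, lockd split by protocol as its variables say.
required_ports() {
    printf '%s\n' "$1" | awk -F= '
        $1 == "RQUOTAD_PORT" || $1 == "MOUNTD_PORT" || $1 == "STATD_PORT" {
            print $2 "/tcp"; print $2 "/udp" }
        $1 == "LOCKD_TCPPORT" { print $2 "/tcp" }
        $1 == "LOCKD_UDPPORT" { print $2 "/udp" }
        END { print "111/tcp"; print "111/udp" }' | sort -u
}

# Emit the --add-port arguments for firewall-cmd, generated from the file so
# the firewall rules and the NFS configuration cannot drift apart.
firewall_cmd_args() {
    required_ports "$1" | sed 's|^|--add-port=|' | tr '\n' ' '
}

# Audit a "firewall-cmd --list-all" listing: every required port must be on
# the "ports:" line and nfs, mountd and rpc-bind on the "services:" line.
# Prints each missing item; exit status is 0 only when nothing is missing.
audit_listing() {
    listing=$1; sysconfig=$2; missing=0
    ports_line=$(printf '%s\n' "$listing" | sed -n 's/^ *ports: *//p')
    services_line=$(printf '%s\n' "$listing" | sed -n 's/^ *services: *//p')
    for p in $(required_ports "$sysconfig"); do
        case " $ports_line " in *" $p "*) ;; *) echo "missing port $p"; missing=1 ;; esac
    done
    for s in nfs mountd rpc-bind; do
        case " $services_line " in *" $s "*) ;; *) echo "missing service $s"; missing=1 ;; esac
    done
    return $missing
}
```

Run audit_listing with the output of firewall-cmd --list-all on the server after a reboot to confirm the saved rules still match what nfs actually binds to.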

Client Side

Before I configured the firewall (after NFS ports were configured), this is what the NFS clients saw:

[root@rhvh01 ~]# showmount -e rhvi
clnt_create: RPC: Port mapper failure - Unable to receive: errno 113 (No route to host)

After the firewall was configured, all was right with the world:

[root@rhvh01 ~]# showmount -e rhvi
Export list for rhvi:
/he   192.168.0.0/24
/iso  192.168.0.0/24
/data 192.168.0.0/24

So there you have it: NFS and firewalls, updated for RHEL 7. I did this in the context of RHV and Hosted Engine, but you may need it for something else.

Hope this helps,

Captain KVM
