Adding firewall rules for NFS


NFS relies on several RPC services: portmapper (rpcbind), nfs, rquotad, nlockmgr (lockd), mountd, and status (rpc.statd).
The port each of them is registered on can be listed with rpcinfo -p:

# rpcinfo -p
program vers proto port service
100000 4 tcp 111 portmapper
100000 3 tcp 111 portmapper
100000 2 tcp 111 portmapper
100000 4 udp 111 portmapper
100000 3 udp 111 portmapper
100000 2 udp 111 portmapper
100024 1 udp 60219 status
100024 1 tcp 58171 status
100005 1 udp 20048 mountd
100005 1 tcp 20048 mountd
100005 2 udp 20048 mountd
100005 2 tcp 20048 mountd
100005 3 udp 20048 mountd
100005 3 tcp 20048 mountd
100003 3 tcp 2049 nfs
100003 4 tcp 2049 nfs
100227 3 tcp 2049 nfs_acl
100003 3 udp 2049 nfs
100003 4 udp 2049 nfs
100227 3 udp 2049 nfs_acl
100021 1 udp 57964 nlockmgr
100021 3 udp 57964 nlockmgr
100021 4 udp 57964 nlockmgr
100021 1 tcp 38954 nlockmgr
100021 3 tcp 38954 nlockmgr
100021 4 tcp 38954 nlockmgr

portmapper and nfs use fixed ports, 111 and 2049 respectively.

rquotad, nlockmgr and mountd are assigned a random port each time they start (status, as the listing shows, is too). Because the port changes on every restart, no static firewall rule can be written for them.

The fix is to pin those ports in /etc/sysconfig/nfs so that rquotad, nlockmgr and mountd always come up on the same port.

Pinning the NFS service ports

Set the following variables (they are present but commented out by default; the port numbers are up to you). Note that the rpcinfo listing after the restart below does not match these values (mountd appears on 30003, nlockmgr on tcp 30001 and udp 30002), and the firewall rules later in this post open 30001-30003 only: whatever values you choose, the firewall rules must cover the ports rpcinfo actually reports after the restart. rpc.statd keeps picking a random port unless STATD_PORT is set in the same file:

RQUOTAD_PORT=30001
LOCKD_TCPPORT=30002
LOCKD_UDPPORT=30003
MOUNTD_PORT=30004

Restart the NFS service and check the registration again

# service nfs restart
# rpcinfo -p
program vers proto port service
100000 4 tcp 111 portmapper
100000 3 tcp 111 portmapper
100000 2 tcp 111 portmapper
100000 4 udp 111 portmapper
100000 3 udp 111 portmapper
100000 2 udp 111 portmapper
100024 1 udp 60458 status
100024 1 tcp 53907 status
100005 1 udp 30003 mountd
100005 2 udp 30003 mountd
100005 3 udp 30003 mountd
100003 3 tcp 2049 nfs
100003 4 tcp 2049 nfs
100227 3 tcp 2049 nfs_acl
100003 3 udp 2049 nfs
100003 4 udp 2049 nfs
100227 3 udp 2049 nfs_acl
100021 1 udp 30002 nlockmgr
100021 3 udp 30002 nlockmgr
100021 4 udp 30002 nlockmgr
100021 1 tcp 30001 nlockmgr
100021 3 tcp 30001 nlockmgr
100021 4 tcp 30001 nlockmgr
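The check a practitioner wants at this point is whether every RPC service actually landed on the port that was configured, before any firewall rule is written against it. The script below is an added example and not part of the original post: it parses the /etc/sysconfig/nfs variables and a rpcinfo -p listing (both embedded here as constructed samples, taken from the values shown in this post) and reports each service that is still on an ephemeral port (UNPINNED) or on a port different from the configured one (MISMATCH). The function names are mine. Run against this post's own values it reports mountd on udp/30003 while MOUNTD_PORT is 30004, both nlockmgr sockets on the wrong ports, and status unpinned on both protocols.

```shell
#!/bin/sh
# Added example, not part of the original post: compare what `rpcinfo -p`
# reports against the ports pinned in /etc/sysconfig/nfs, so firewall rules
# are written against ports that will survive the next restart.

# Constructed sample: the port settings shown in this post.
SAMPLE_SYSCONFIG='RQUOTAD_PORT=30001
LOCKD_TCPPORT=30002
LOCKD_UDPPORT=30003
MOUNTD_PORT=30004'

# Constructed sample: the post-restart listing from this post, trimmed.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100024    1   udp  60458  status
    100024    1   tcp  53907  status
    100005    1   udp  30003  mountd
    100005    3   udp  30003  mountd
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100227    3   tcp   2049  nfs_acl
    100003    4   udp   2049  nfs
    100227    3   udp   2049  nfs_acl
    100021    4   udp  30002  nlockmgr
    100021    4   tcp  30001  nlockmgr'

# expected_ports: stdin = /etc/sysconfig/nfs; stdout = "service proto port".
# "any" means the same port is expected for tcp and udp. Lines that are
# commented out (the default state of the file) do not match and are ignored.
expected_ports() {
    awk -F= '
        /^RQUOTAD_PORT=/  { print "rquotad any", $2 }
        /^LOCKD_TCPPORT=/ { print "nlockmgr tcp", $2 }
        /^LOCKD_UDPPORT=/ { print "nlockmgr udp", $2 }
        /^MOUNTD_PORT=/   { print "mountd any", $2 }
        /^STATD_PORT=/    { print "status any", $2 }
        END { print "portmapper any 111"; print "nfs any 2049"; print "nfs_acl any 2049" }'
}

# nfs_listeners: stdin = rpcinfo -p; stdout = unique "proto port service"
# lines, i.e. one line per listening socket with the versions collapsed.
nfs_listeners() {
    awk '$1 ~ /^[0-9]+$/ && NF == 5 { print $3, $4, $5 }' | sort -u
}

# check_pins EXPECTED: stdin = rpcinfo -p, EXPECTED = output of expected_ports.
# Prints one line per problem and exits 1 if there was any.
check_pins() {
    nfs_listeners | awk -v expected="$1" '
        BEGIN {
            n = split(expected, lines, "\n")
            for (i = 1; i <= n; i++) {
                split(lines[i], f, " ")
                want[f[1] " " f[2]] = f[3]
            }
            bad = 0
        }
        {
            key = $3 " " $1                  # e.g. "nlockmgr tcp"
            if (!(key in want)) key = $3 " any"
            if (!(key in want)) { print "UNPINNED", $3, $1 "/" $2; bad = 1; next }
            if (want[key] != $2) { print "MISMATCH", $3, $1 "/" $2, "expected", want[key]; bad = 1 }
        }
        END { exit bad }'
}

# On a real server: rpcinfo -p | check_pins "$(expected_ports < /etc/sysconfig/nfs)"
printf '%s\n' "$SAMPLE_RPCINFO" |
    check_pins "$(printf '%s\n' "$SAMPLE_SYSCONFIG" | expected_ports)" ||
    echo "fix /etc/sysconfig/nfs or the firewall port list before continuing"
```

Anything reported as UNPINNED will move on the next restart and silently fall outside the firewall rules; anything reported as MISMATCH means the file was not picked up (or a different variable applies) and the rules are about to be written against the wrong numbers.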

Adding the NFS firewall rules

Both iptables and firewalld are in use on current systems, so the rules are shown for each.

iptables rules

The rules below only ACCEPT traffic from the client subnet; they block nothing by themselves unless the INPUT chain's default policy is DROP or a later rule rejects what they did not match. The port range 30001:30003 is the one the rpcinfo listing above reports, not the values from the /etc/sysconfig/nfs snippet; adjust it to your own ports.

iptables -A INPUT -s 192.168.223.0/24 -p tcp --dport 111 -j ACCEPT
iptables -A INPUT -s 192.168.223.0/24 -p udp --dport 111 -j ACCEPT
iptables -A INPUT -s 192.168.223.0/24 -p tcp --dport 2049 -j ACCEPT
iptables -A INPUT -s 192.168.223.0/24 -p udp --dport 2049 -j ACCEPT
iptables -A INPUT -s 192.168.223.0/24 -p tcp --dport 30001:30003 -j ACCEPT
iptables -A INPUT -s 192.168.223.0/24 -p udp --dport 30001:30003 -j ACCEPT

Check the rules

# iptables -L

Save the rules so that iptables.service restores them at boot (on CentOS 7 this needs the iptables-services package, and iptables.service must not run alongside firewalld)

# iptables-save > /etc/sysconfig/iptables

firewalld rules

If firewalld is in use, there are two ways to add the rules.

Method one: add rich rules directly

firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.223.0/24" port protocol="tcp" port="111" accept'
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.223.0/24" port protocol="udp" port="111" accept'
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.223.0/24" port protocol="tcp" port="2049" accept'
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.223.0/24" port protocol="udp" port="2049" accept'
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.223.0/24" port protocol="tcp" port="30001" accept'
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.223.0/24" port protocol="udp" port="30001" accept'
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.223.0/24" port protocol="tcp" port="30002" accept'
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.223.0/24" port protocol="udp" port="30002" accept'
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.223.0/24" port protocol="tcp" port="30003" accept'
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.223.0/24" port protocol="udp" port="30003" accept'

Reload firewalld for the rules to take effect (the rule string must be wrapped in single quotes, as above, so the inner double quotes reach firewalld intact)

# firewall-cmd --reload
# permanent rules are written to /etc/firewalld/zones/public.xml (for the default public zone); you can also edit that file directly and reload
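The iptables rules above and the firewalld rich rules in this method open the same ports and are easy to let drift apart. The script below is an added example, not part of the original post: it generates both rule sets from one port list (the post's subnet and ports, embedded as constants), emits an explicit REJECT after the iptables accepts so the result does not depend on the INPUT chain's default policy, and writes the rich rules with correct quoting and firewalld's first-last range syntax instead of one rule per port. Function and variable names are mine.

```shell
#!/bin/sh
# Added example, not part of the original post: generate the iptables and
# firewalld rules for a pinned NFS server from a single port list.
NFS_CLIENTS="192.168.223.0/24"
# Each entry is proto:port or proto:first:last (a range).
NFS_PORTS="tcp:111 udp:111 tcp:2049 udp:2049 tcp:30001:30003 udp:30001:30003"

# nfs_iptables_rules SUBNET SPEC...: ACCEPT for SUBNET first, then an explicit
# REJECT of the same ports from any other source, so the rules block NFS from
# the rest of the network even when the INPUT policy is ACCEPT.
nfs_iptables_rules() {
    subnet=$1; shift
    for spec in "$@"; do
        proto=${spec%%:*}; port=${spec#*:}     # iptables writes ranges as first:last
        echo "iptables -A INPUT -s $subnet -p $proto --dport $port -j ACCEPT"
    done
    for spec in "$@"; do
        proto=${spec%%:*}; port=${spec#*:}
        echo "iptables -A INPUT -p $proto --dport $port -j REJECT"
    done
}

# nfs_firewalld_rules SUBNET SPEC...: the equivalent permanent rich rules.
# Single quotes on the outside keep the inner double quotes intact; ranges
# become first-last. No reject rule is needed, the zone rejects whatever no
# rule accepts.
nfs_firewalld_rules() {
    subnet=$1; shift
    for spec in "$@"; do
        proto=${spec%%:*}; port=${spec#*:}
        case $port in *:*) port="${port%%:*}-${port#*:}" ;; esac
        echo "firewall-cmd --permanent --add-rich-rule='rule family=\"ipv4\" source address=\"$subnet\" port port=\"$port\" protocol=\"$proto\" accept'"
    done
}

# Print both sets; pipe the one you use into sh, then iptables-save or
# firewall-cmd --reload as described in this post.
nfs_iptables_rules "$NFS_CLIENTS" $NFS_PORTS
nfs_firewalld_rules "$NFS_CLIENTS" $NFS_PORTS
```

The iptables accepts assume the usual ESTABLISHED,RELATED rule already sits at the top of INPUT; the REJECT lines must come after every ACCEPT for the subnet, which is why the function prints them last.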

Method two: add a service definition

Copy the stock nfs service definition into /etc/firewalld/services/ (files there override the ones in /usr/lib/firewalld/services/) and add the ports:

# cp /usr/lib/firewalld/services/nfs.xml /etc/firewalld/services/
# vim /etc/firewalld/services/nfs.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>NFS4</short>
<description>The NFS4 protocol is used to share files via TCP networking. You will need to have the NFS tools installed and properly configure your NFS server for this option to be useful.</description>
<port protocol="tcp" port="111"/>
<port protocol="udp" port="111"/>
<port protocol="tcp" port="2049"/>
<port protocol="udp" port="2049"/>
<port protocol="tcp" port="30001"/>
<port protocol="udp" port="30001"/>
<port protocol="tcp" port="30002"/>
<port protocol="udp" port="30002"/>
<port protocol="tcp" port="30003"/>
<port protocol="udp" port="30003"/>
</service>

Then reference the nfs service from the zone in /etc/firewalld/zones/ and restrict it to the client subnet (listing the service directly under <zone> would open it to every source the zone covers):

# vim /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="ssh"/>
<service name="dhcpv6-client"/>
<rule family="ipv4">
<source address="192.168.223.0/24"/>
<service name="nfs"/>
<accept/>
</rule>
</zone>

Reload and check the active zone

# firewall-cmd --reload
# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens33
sources:
services: dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="192.168.223.0/24" service name="nfs" accept

That completes the firewall configuration. Two points are worth keeping in mind: the firewall limits which hosts can reach rpcbind, mountd and the NFS daemons, but it does not replace the host restrictions in /etc/exports, and with the default AUTH_SYS security the server still trusts whatever uid the client presents. If every client mounts with NFSv4 only, the server needs just 2049/tcp, and port 111 (which answers rpcinfo -p from any host allowed to reach it, and whose UDP side has been abused for amplification) as well as the mountd and lockd ports need not be opened at all.
