NFS server on Void Linux behind firewall
28 May 2021
Let's assume you want to set up an NFS server on a Void Linux machine and it should be accessible only from inside your LAN.
Define your LAN as an ipset:
ipset create lan hash:net
ipset add lan 192.168.88.0/24
ipset add lan 192.168.1.0/24
Assume your default INPUT policy is DROP:
iptables -P INPUT DROP
In order to be reachable through the firewall, your NFS server must use predictable (known) ports that are whitelisted there, instead of the dynamic ports that rpc.mountd, rpc.statd and the lock manager would otherwise register with rpcbind.
In /etc/sv/nfs-server/run:
...
exec rpc.mountd --port 892 --foreground
In /etc/sv/statd/run:
...
exec rpc.statd -F -d -L --port 662 --nlm-port 32803 --nlm-udp-port 32769
Now add iptables rules:
for _proto in udp tcp; do
iptables -A INPUT -p $_proto -m set --match-set lan src --dport 111 -m comment --comment "NFS server: rpcbind" -j ACCEPT
done
for _proto in udp tcp; do
iptables -A INPUT -p $_proto -m set --match-set lan src --dport 892 -m comment --comment "NFS server: rpc.mountd" -j ACCEPT
done
for _proto in udp tcp; do
iptables -A INPUT -p $_proto -m set --match-set lan src --dport 662 -m comment --comment "NFS server: statd" -j ACCEPT
done
for _proto in udp tcp; do
iptables -A INPUT -p $_proto -m set --match-set lan src --dport 2049 -m comment --comment "NFS server" -j ACCEPT
done
iptables -A INPUT -p tcp -m set --match-set lan src --dport 32803 -m comment --comment "NFS server: nlockmgr" -j ACCEPT
iptables -A INPUT -p udp -m set --match-set lan src --dport 32769 -m comment --comment "NFS server: nlockmgr" -j ACCEPT
Finally, enable and start all required services:
for _service in statd rpcbind nfs-server; do
ln -s /etc/sv/$_service /var/service/
done
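A check worth running once the services are up, as an added example that is not from the original post: it parses the output of rpcinfo -p and confirms that every RPC service is registered on the port the firewall rules above whitelist, so a stale run script cannot silently leave NFS unreachable. The service names and ports follow the post; the sample rpcinfo output is constructed.

```shell
#!/bin/sh
# Expected "service proto port" triples, matching the iptables rules above.
EXPECTED_PORTS="
portmapper tcp 111
mountd udp 892
mountd tcp 892
status udp 662
status tcp 662
nfs tcp 2049
nlockmgr udp 32769
nlockmgr tcp 32803
"

# Constructed sample of 'rpcinfo -p' output for offline use.
# On a real host run:  rpcinfo -p | check_rpc_ports
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100005    3   udp    892  mountd
    100005    3   tcp    892  mountd
    100024    1   udp    662  status
    100024    1   tcp    662  status
    100003    3   tcp   2049  nfs
    100021    1   udp  32769  nlockmgr
    100021    4   tcp  32803  nlockmgr'

# Reads rpcinfo -p output on stdin and prints one MISMATCH line for every
# expected entry that is missing or bound to another port.
# Returns 0 only when every service sits on its whitelisted port.
check_rpc_ports() {
    rpcinfo_out=$(cat)
    rc=0
    while read -r svc proto port; do
        [ -z "$svc" ] && continue
        # rpcinfo -p columns: program vers proto port service
        actual=$(printf '%s\n' "$rpcinfo_out" | awk -v s="$svc" -v p="$proto" \
            '$5 == s && $3 == p { print $4; exit }')
        if [ "$actual" != "$port" ]; then
            echo "MISMATCH: $svc/$proto expected port $port, got ${actual:-none}"
            rc=1
        fi
    done <<EOF
$EXPECTED_PORTS
EOF
    return $rc
}
```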
If you have any comments, contact me by email.