NFS server on Void Linux behind firewall

Let's assume you want to set up an NFS server on a Void Linux machine and it should be accessible only from inside the LAN.

Define the LAN:

ipset create lan hash:net
ipset add lan 192.168.88.0/24
ipset add lan 192.168.1.0/24

Assume your default INPUT policy is DROP:

iptables -P INPUT DROP

In order to be reachable through the firewall, your NFS server (and its helper RPC daemons, rpc.mountd and rpc.statd) must use predictable (known) ports that are whitelisted in the firewall; otherwise rpcbind assigns them random ports.

In /etc/sv/nfs-server/run:

...
exec rpc.mountd --port 892 --foreground

In /etc/sv/statd/run:

...
exec rpc.statd -F -d -L --port 662 --nlm-port 32803 --nlm-udp-port 32769

Now add the iptables rules (every port is matched against the lan set, so hosts outside it still hit the DROP policy):

for _proto in udp tcp; do
    iptables -A INPUT -p $_proto -m set --match-set lan src --dport 111 -m comment --comment "NFS server: rpcbind" -j ACCEPT
    iptables -A INPUT -p $_proto -m set --match-set lan src --dport 892 -m comment --comment "NFS server: rpc.mountd" -j ACCEPT
    iptables -A INPUT -p $_proto -m set --match-set lan src --dport 662 -m comment --comment "NFS server: statd" -j ACCEPT
    iptables -A INPUT -p $_proto -m set --match-set lan src --dport 2049 -m comment --comment "NFS server" -j ACCEPT
done
iptables -A INPUT -p tcp -m set --match-set lan src --dport 32803 -m comment --comment "NFS server: nlockmgr" -j ACCEPT
iptables -A INPUT -p udp -m set --match-set lan src --dport 32769 -m comment --comment "NFS server: nlockmgr" -j ACCEPT

Finally, enable and start all required services:

for _service in statd rpcbind nfs-server; do
    ln -s /etc/sv/$_service /var/service/
done
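
As an added check (example code, not from the original post): once the services are up, confirm with rpcinfo -p that mountd, statd and nlockmgr really registered on the pinned ports, because a daemon that silently fell back to a random port is not covered by the rules above, gets dropped, and clients hang at mount time. The check_rpc_ports function and the sample rpcinfo output below are constructed for this example.

```shell
#!/bin/sh
# Added example: compare rpcbind's registrations against the pinned ports.

# check_rpc_ports takes `rpcinfo -p` output as $1 and prints one line per
# expected (service, proto, port) triple that is not registered.
# Returns 0 when every triple is present, 1 otherwise.
check_rpc_ports() {
    _dump=$1
    _missing=0
    # Expected triples, taken from the run-file flags and iptables rules above.
    set -- mountd tcp 892    mountd udp 892 \
           status tcp 662    status udp 662 \
           nlockmgr tcp 32803  nlockmgr udp 32769
    while [ $# -ge 3 ]; do
        _svc=$1; _proto=$2; _port=$3; shift 3
        # rpcinfo -p columns: program vers proto port service
        if ! printf '%s\n' "$_dump" | awk -v s="$_svc" -v p="$_proto" -v n="$_port" \
                '$3 == p && $4 == n && $5 == s { found = 1 } END { exit !found }'; then
            echo "MISSING: $_svc/$_proto not on port $_port"
            _missing=1
        fi
    done
    return $_missing
}

# Constructed sample: rpcinfo -p as it might look before statd was pinned
# (status landed on a random port instead of 662).
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100005    3   udp    892  mountd
    100005    3   tcp    892  mountd
    100024    1   udp  35907  status
    100024    1   tcp  35907  status
    100021    4   udp  32769  nlockmgr
    100021    4   tcp  32803  nlockmgr
    100003    3   tcp   2049  nfs'

# On a live host run: check_rpc_ports "$(rpcinfo -p)" || echo "ports drifted"
if check_rpc_ports "$SAMPLE_RPCINFO"; then
    echo "all pinned ports registered"
else
    echo "fix the run files before trusting the firewall rules"
fi
```
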

If you have any comments, contact me by email.
© ch1p 2021