makewhatis

Random Linux Garble.

NFS 4 Mounts on Red Hat Enterprise Linux 6 With Iptables Enabled.

So when running nfs under RHEL 6 with iptbables, there is some extra things to do in order to make it work. If you run system-config-firewall, you will notice it opens up 2049, the port for NFS 4. Thats great and all, but that alone will not allow your nfs mounts to be seen.

This actually tripped me up. I figured that 2049 would be the only thing that would have to be opened, and that if anything else was required to be opened, surely the firewall tool would let me know.

If you read on the rhel 6 guide, it outlines what needs to be done. http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Storage_Administration_Guide/s2-nfs-nfs-firewall-config.html

I checked out what ports my services were currently listenting on:

rpcinfo -p | awk '{print $3 " " $4 " " $5}' | sort -k 2 | uniq -f 1

So I opened up the firewall for these ports, and that worked great. But then I thought about it, and realized that these ports might change on reboot and make my changes obsolete. Sure enough after a reboot I get the same error on the client

rpc mount export: RPC: Unable to receive; errno = No route to host

So to make the change permanent I had to do a little more work. Next I had to go into the /etc/sysconfig/nfs and uncomment the following lines:

LOCKD_TCPPORT=32803  
LOCKD_UDPPORT=32769  
MOUNTD_PORT=892  
STATD_PORT=662

Then I added these rules to my iptables to open up ports for this service.

-A INPUT -p udp -m state --state NEW -m udp --dport 111 -j ACCEPT  
-A INPUT -p tcp -m state --state NEW -m tcp --dport 111 -j ACCEPT  
-A INPUT -p udp -m state --state NEW -m udp --dport 662 -j ACCEPT  
-A INPUT -p tcp -m state --state NEW -m tcp --dport 662 -j ACCEPT  
-A INPUT -p udp -m state --state NEW -m udp --dport 875 -j ACCEPT  
-A INPUT -p tcp -m state --state NEW -m tcp --dport 875 -j ACCEPT  
-A INPUT -p udp -m state --state NEW -m udp --dport 892 -j ACCEPT  
-A INPUT -p tcp -m state --state NEW -m tcp --dport 892 -j ACCEPT  
-A INPUT -p udp -m state --state NEW -m udp --dport 2049 -j ACCEPT  
-A INPUT -p tcp -m state --state NEW -m tcp --dport 2049 -j ACCEPT  
-A INPUT -p udp -m state --state NEW -m udp --dport 32769 -j ACCEPT  
-A INPUT -p tcp -m state --state NEW -m tcp --dport 32803 -j ACCEPT

Then I restarted the nfs and iptables services and all works great.