These are my notes on what I got working for NFS on CentOS with Shorewall and SELinux. The setup is:
* Server called “server” (192.168.1.10) exporting /opt/goodies for machine “client” (192.168.1.15) to use in /usr/local/goodies
* Both are running *nix with Shorewall firewall
* This config works for CentOS - others may need tweaking. On Windows get a VMware server running with 2 instances of CentOS if you’d like to play along.
Server
1. Add this to /etc/init.d/nfslock after a line with daemon rpc.statd before the start() function
STATD_PORT=4000
2. Run the following commands to pin mountd, lockd and rquotad to fixed ports (the firewall rules below depend on these numbers):
[root@server]# echo "MOUNTD_PORT=4002" >> /etc/sysconfig/network
[root@server]# echo "options lockd nlm_udpport=4001 nlm_tcpport=4001" >> /etc/modprobe.conf
[root@server]# echo "rquotad 4003/tcp" >> /etc/services
3. portmap, nfs and nfslock need to be running. Check which of them are set to start at boot:
[root@server]# chkconfig --list | egrep 'nfs|nfslock|portmap'
nfs 0:off 1:off 2:off 3:off 4:off 5:off 6:off
nfslock 0:off 1:off 2:off 3:off 4:off 5:off 6:off
portmap 0:off 1:off 2:off 3:off 4:off 5:off 6:off
To start a service automatically at boot, enable it for the relevant runlevels (repeat for nfslock and portmap):
[root@server]# chkconfig --levels 235 nfs on
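The whole point of steps 1 and 2 is that every RPC helper behind NFS ends up on a port the firewall knows about, so it is worth checking that `rpcinfo -p` agrees before opening anything. The script below is an added example, not part of the original notes: the `rpcinfo -p` table it parses is constructed for the example (on a real server pipe in `rpcinfo -p` instead), and the service name to port map matches the ports pinned above.

```shell
#!/bin/sh
# Check that every NFS RPC service is registered on the port the firewall
# rules allow, by parsing the table printed by `rpcinfo -p`.
# Constructed sample output (not captured from a real host). On a live
# server use:  rpcinfo -p | check_rpc_ports
SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp   4000  status
    100024    1   tcp   4000  status
    100021    1   udp   4001  nlockmgr
    100021    3   udp   4001  nlockmgr
    100021    1   tcp   4001  nlockmgr
    100003    2   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100005    1   udp   4002  mountd
    100005    1   tcp   4002  mountd
    100011    1   udp   4003  rquotad'

# Expected service:port pairs, matching steps 1-2 and the macro.NFS file.
EXPECTED='portmapper:111 nfs:2049 status:4000 nlockmgr:4001 mountd:4002 rquotad:4003'

# Reads rpcinfo -p output on stdin. Prints one line per problem and returns
# 1 if a service is on an unexpected port, an unknown service is registered,
# or an expected service is missing; returns 0 when everything is in place.
check_rpc_ports() {
    awk -v expected="$EXPECTED" '
    BEGIN {
        n = split(expected, pairs, " ")
        for (i = 1; i <= n; i++) {
            split(pairs[i], kv, ":")
            want[kv[1]] = kv[2]
        }
    }
    $1 == "program" { next }                  # skip the header row
    NF >= 5 {
        svc = $5; proto = $3; port = $4
        seen[svc] = 1
        if (!(svc in want)) {
            printf "UNEXPECTED %s on %s/%s\n", svc, proto, port; bad = 1
        } else if (port != want[svc]) {
            printf "WRONG PORT %s on %s/%s (expected %s)\n", svc, proto, port, want[svc]; bad = 1
        }
    }
    END {
        for (svc in want)
            if (!(svc in seen)) {
                printf "MISSING %s (expected on port %s)\n", svc, want[svc]; bad = 1
            }
        exit (bad ? 1 : 0)
    }'
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_RPCINFO" | check_rpc_ports \
    && echo "all NFS RPC services are on the pinned ports"
```

A "WRONG PORT" line after a reboot usually means the port setting was not picked up by the init script, which is exactly the case where NFS works with the firewall off and silently fails with it on.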
4. Create the /etc/shorewall/macro.NFS file
#
# Shorewall version 3.4 - NFS Macro
#
# /usr/share/shorewall/macro.NFS
#
# This macro handles NFS traffic. You need to invoke
# this macro in both directions. Beware! This rule opens a lot
# of ports, and could possibly be used to compromise your firewall
# if not used with care. You should only allow NFS traffic
# between hosts you fully trust.
#
###############################################################################
#ACTION  SOURCE  DEST  PROTO  DEST       SOURCE   ORIGINAL  RATE   USER/
#                             PORT       PORT(S)  DEST      LIMIT  GROUP
PARAM    -       -     udp    111,2049
PARAM    -       -     tcp    111,2049
PARAM    -       -     udp    4000:4003
PARAM    -       -     tcp    4000:4003
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
5. Allow NFS traffic through the iptables or Shorewall firewall by editing /etc/shorewall/rules; here we allow traffic only between the server and two other systems. Be aware that NFS trusts clients by IP address alone, so make sure the network between these hosts is one you trust.
NFS/ACCEPT net:192.168.1.15,192.168.1.17 $FW
NFS/ACCEPT $FW net:192.168.1.15,192.168.1.17
Alternatively, if you are running iptables manually, you can enter these rules; I made a script to make life easier. The last two commands delete the chain's closing REJECT rule and re-append it so it still comes after the new ACCEPT rules. I prefer to use Shorewall because, as it says, it is "iptables made easy", and it's really easy to typo these commands and lose time trying to get this working.
The name of my firewall was RH-Firewall-1, substitute as needed.
#!/bin/sh
# Open the fixed NFS ports (see steps 1-2) to one network on a stock
# Red Hat / CentOS firewall whose input chain is RH-Firewall-1-INPUT.
echo "nfs & iptables setup"
printf "Network IP (eg; 192.168.1.0): "
read networkip
printf "Subnet mask without the slash (eg; /24 is entered as 24): "
read subnet
net="$networkip/$subnet"
# Accept non-first IP fragments from the network (large UDP NFS replies fragment).
iptables -A RH-Firewall-1-INPUT -f -s "$net" -j ACCEPT
# portmapper (111) and nfsd (2049)
iptables -A RH-Firewall-1-INPUT -s "$net" -p udp -m udp --dport 111 -j ACCEPT
iptables -A RH-Firewall-1-INPUT -s "$net" -p tcp -m state --state NEW -m tcp --dport 111 -j ACCEPT
iptables -A RH-Firewall-1-INPUT -s "$net" -p udp -m udp --dport 2049 -j ACCEPT
iptables -A RH-Firewall-1-INPUT -s "$net" -p tcp -m state --state NEW -m tcp --dport 2049 -j ACCEPT
# statd (4000), lockd (4001), mountd (4002), rquotad (4003), udp and tcp
for port in 4000 4001 4002 4003; do
    iptables -A RH-Firewall-1-INPUT -s "$net" -p udp -m udp --dport "$port" -j ACCEPT
    iptables -A RH-Firewall-1-INPUT -s "$net" -p tcp -m state --state NEW -m tcp --dport "$port" -j ACCEPT
done
# Move the chain's closing REJECT back to the end so it stays after the ACCEPTs above.
iptables -D RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
iptables -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
If you used Shorewall, it will require a restart. Check the configuration first:
[root@server]# shorewall check
If the check passed, you are safe to restart:
[root@server]# shorewall restart
6. With the services and firewall running properly, we can export a directory; edit /etc/exports.
(More on this topic can be found at http://nfs.sourceforge.net)
#
# format example:
# /dir/of/sharedfiles 192.168.1.30(ro,root_squash,sync)
#
/opt/goodies 192.168.1.15(ro,sync) # share read-only
/opt/goodies 192.168.1.17(rw,root_squash,sync) # share read write, root squash
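Since the client list and options in /etc/exports are the only access control NFS applies here, a small lint over the file catches the settings that quietly widen access: a missing or "*" client list, no_root_squash, insecure and async. The script below is an added example, not part of the original notes or of nfs-utils; the sample exports file it reads is constructed for the example (the two lines from above plus three deliberately risky ones), and on a real server you would run `lint_exports < /etc/exports` instead.

```shell
#!/bin/sh
# Flag /etc/exports entries that widen access beyond what the notes intend.
# Constructed sample (not this page's real file): the two entries above plus
# three risky ones. On a live server use:  lint_exports < /etc/exports
SAMPLE_EXPORTS='#
# format example:
# /dir/of/sharedfiles 192.168.1.30(ro,root_squash,sync)
#
/opt/goodies 192.168.1.15(ro,sync) # share read-only
/opt/goodies 192.168.1.17(rw,root_squash,sync) # share read write, root squash
/srv/scratch *(rw,no_root_squash,async)
/srv/logs 192.168.1.0/24(rw,insecure)
/srv/open'

# Reads exports on stdin, prints one WARN line per finding, and returns 1 if
# anything was flagged, 0 if the file is clean.
lint_exports() {
    awk '
    function warn(msg) { print "WARN " msg; found = 1 }
    { sub(/#.*/, "") }                      # strip trailing comments
    NF == 0 { next }                        # skip blank and comment-only lines
    {
        path = $1
        if (NF == 1) {                      # no client list at all
            warn(path ": no client list, exported to every host")
            next
        }
        for (i = 2; i <= NF; i++) {         # each "host(options)" entry
            entry = $i; host = entry; opts = ""
            if (match(entry, /\(.*\)$/)) {
                host = substr(entry, 1, RSTART - 1)
                opts = substr(entry, RSTART + 1, RLENGTH - 2)
            }
            if (host == "" || host == "*")
                warn(path ": exported to any host (" entry ")")
            n = split(opts, o, ",")
            for (j = 1; j <= n; j++) {
                if (o[j] == "no_root_squash")
                    warn(path " -> " host ": remote root keeps root privileges (no_root_squash)")
                if (o[j] == "insecure")
                    warn(path " -> " host ": accepts requests from unprivileged client ports (insecure)")
                if (o[j] == "async")
                    warn(path " -> " host ": async risks data loss on a server crash")
            }
        }
    }
    END { exit (found ? 1 : 0) }'
}

# Stand-alone run against the constructed sample; expect five WARN lines.
printf '%s\n' "$SAMPLE_EXPORTS" | lint_exports \
    || echo "review the flagged entries before running exportfs -ra"
```

The two entries from the notes pass because they name a single client and keep root_squash (the default) on the read-write share; the lint is deliberately conservative and does not try to judge hostname wildcards such as *.example.com.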
Client
1. Repeat steps 1-5 to set up the client.
2. Create a directory to mount the share on; for this example it's /usr/local/goodies. The file /opt/goodies/sometool.sh on the server will show up on the client as /usr/local/goodies/sometool.sh.
[root@client]# mkdir /usr/local/goodies; chmod 755 /usr/local/goodies
3. Edit /etc/fstab; here we are mounting read-only:
192.168.1.10:/opt/goodies /usr/local/goodies nfs ro,sync 0 0
4. Mount the NFS share:
[root@client]# mount /usr/local/goodies
5. Test it out: you should be able to read files from the mount. If not, re-check your work and look in /var/log/messages for error messages.
Troubleshooting
Server: after changing /etc/exports, re-read it with:
[root@server]# service nfs reload
Client: re-mount the network filesystems with:
[root@client]# service netfs restart
SELinux
If you got this far, awesome; the next step is SELinux. There are many opinions about it; mine is that I want to use it, since I like its ideology.
Both the server and the client can run SELinux in enforcing mode and still work with NFS.
1. Server and client:
[root@server]# setsebool -P use_nfs_home_dirs 1
[root@client]# setsebool -P use_nfs_home_dirs 1
2. To switch enforcement off and on at runtime (0 = permissive, i.e. enforcement off; 1 = enforcing):
[root@server]# echo "0" >/selinux/enforce
At this point you could reboot both systems; if SELinux has been activated, it's worth doing so to confirm everything still works after a reboot.
This should get NFS working; next is tuning. NFS is a deep topic, and some study will result in a secure and useful setup.
Gregg [aaattt] mochabomb [dot] com