From: Calum Mackay <calum.mackay@oracle.com>
To: linux-nfs@trodman.com, linux-nfs@vger.kernel.org
Cc: Calum Mackay <calum.mackay@oracle.com>
Subject: Re: recipe/example | nftables for Internet nfs4? << iif enp1s0 tcp dport 2049 counter accept comment "allow nfs"
Date: Thu, 25 Jul 2024 00:59:10 +0100 [thread overview]
Message-ID: <edbee688-d4b2-42c7-9a81-ebdf5a017fa7@oracle.com> (raw)
In-Reply-To: <202407241617.46OGHVKY064027@epjdn.zq3q.org>
On 24/07/2024 5:17 pm, linux-nfs@trodman.com wrote:
> On Tue 7/23/24 22:28 +0100 Calum Mackay wrote:
>> On 23/07/2024 8:53 pm, linux-nfs@trodman.com wrote:
>>> I have a fedora server on Internet sharing out NFS; working ok for 3+years w/firewalld. I'm going w/pure nftables on a new server. Does anyone have a recipe/example for setting up an NFS server using nftables?
>>
>> I'm still stuck on iptables, but I imagine it ought to be something
>> simple like adding this to your NFSv4 server's inbound chain:
>>
>> tcp dport 2049 accept
>>
>> assuming you have a default accept policy on your outbound chain.
>>
>> That's just for NFSv4 over TCP, of course. And you might want to add ct
>> connection tracking state, etc.
>
> Thank you Calum.
>
> As you suggested, I added:
>
> iif enp1s0 tcp dport 2049 counter accept comment "allow nfs"
>
> I then tried mount -v ... and it got farther but failed
>
> mount.nfs4: mount(2): Permission denied
>
> Then I restarted nftables.service, It worked!
That's great, Tom; thanks for letting me know, and for the detail below.

One point: you should be able to change the numeric port "2049" to the
service "{nfs}", to make it more in line with your other services, if
you prefer.

best wishes,
calum.
>
> --
> thanks!
> Tom
>
> --8<---------------cut here---------------start------------->8---
> # cat /etc/sysconfig/nftables.conf |_rmcm ## comments stripped. enp1s0 faces Internet
> flush ruleset
> table inet filter {
>     chain input {
>         type filter hook input priority 0;
>         iif enp1s0 tcp dport {ssh} counter accept comment "allow ssh"
>         iif enp1s0 tcp dport {http, https} counter accept comment "allow http, https"
>         iif enp1s0 tcp dport 2049 counter accept comment "allow nfs"
>         iif enp1s0 tcp dport {smtp} counter accept comment "smtp"
>         iif enp1s0 ct state {established, related} counter accept comment "allow established Internet packets"
>         iif enp1s0 counter drop comment "dropped Internet packets"
>         iif enp2s0 accept comment "allow local packets"
>     }
>     chain forward {
>         type filter hook forward priority 0;
>         iif enp1s0 oif enp2s0 ct state {established, related} counter accept comment "allow Internet est/relat"
>         iif enp2s0 oif enp1s0 counter accept comment "allow lan to Internet"
>         iif enp1s0 drop
>     }
>     chain output {
>         type filter hook output priority 0;
>     }
> }
> table nat {
>     chain output {
>         type nat hook output priority -100;
>     }
>     chain prerouting {
>         type nat hook prerouting priority -100;
>     }
>     chain postrouting {
>         type nat hook postrouting priority 100;
>         ip saddr 10.164.123.0/24 oif enp1s0 counter snat MY_SERVERS_INTERNET_IP comment "snat/static ip"
>     }
> }
>
--
Calum Mackay
Linux Kernel Engineering
Oracle Linux and Virtualisation
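The thread does not say why the mount failed before nftables.service was restarted, but one thing worth checking whenever a rule is added to a live chain is order: nft evaluates a chain top to bottom and stops at the first verdict, `nft add rule` appends the new rule after everything already in the chain (so after a catch-all `iif enp1s0 drop` it is never reached), while `nft insert rule` prepends and reloading the file restores the file's order. The script below is an added example, not code from the thread or from the nftables project: a small heuristic parser for flat `nft -f` style text that lists accept rules shadowed by an earlier broader drop, and reports whether the NFSv4 accept (written as `tcp dport {nfs}`, the /etc/services name Calum suggests, or as 2049) is actually reachable. The first ruleset is Tom's input chain in file order; the second is a constructed variant with the nfs rule appended at the end. The prefix-of-tokens test is this example's own simplification, not the nft parser.

```python
"""Order check for a flat nftables ruleset (added example, not from the thread)."""
import re
from dataclasses import dataclass
from typing import Dict, List

VERDICTS = {"accept", "drop", "reject"}
NFS_PORTS = {"2049", "{2049}", "nfs", "{nfs}"}  # numeric port or the /etc/services name


@dataclass
class Rule:
    match: List[str]  # match tokens, e.g. ['iif', 'enp1s0', 'tcp', 'dport', '{nfs}']
    verdict: str      # 'accept', 'drop', 'reject', or '' when the rule has no verdict


def _tokens(line: str) -> List[str]:
    """Split one rule into tokens, dropping parts that do not affect matching."""
    line = re.sub(r'\s+comment\s+"[^"]*"', "", line)  # comment "..." is metadata only
    line = re.sub(r"\{[^}]*\}", lambda m: re.sub(r"\s+", "", m.group(0)), line)  # {a, b} -> {a,b}
    return [t for t in line.split() if t != "counter"]  # counter never filters anything


def parse_ruleset(text: str) -> Dict[str, List[Rule]]:
    """Return {'family table chain': [Rule, ...]} for an `nft -f` style ruleset (heuristic parser)."""
    chains: Dict[str, List[Rule]] = {}
    table = chain = None
    for raw in text.splitlines():
        line = raw.strip().rstrip(";")
        if not line or line.startswith("#") or line.startswith("flush "):
            continue
        m = re.match(r"table\s+(?:(\S+)\s+)?(\S+)\s*\{", line)
        if m and chain is None:
            table = f"{m.group(1) or 'ip'} {m.group(2)}"  # nft defaults the family to ip
            continue
        m = re.match(r"chain\s+(\S+)\s*\{", line)
        if m and table is not None:
            chain = f"{table} {m.group(1)}"
            chains[chain] = []
            continue
        if line == "}":
            if chain is not None:
                chain = None
            else:
                table = None
            continue
        if chain is None or line.startswith("type "):
            continue
        toks = _tokens(line)
        verdict = toks[-1] if toks and toks[-1] in VERDICTS else ""
        chains[chain].append(Rule(toks[:-1] if verdict else toks, verdict))
    return chains


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indices of accept rules whose match is an extension of an earlier drop/reject match.

    Prefix-of-tokens is a heuristic: it catches 'iif X drop' placed before
    'iif X tcp dport ... accept', not every possible overlap between rules.
    """
    shadowed = []
    for i, rule in enumerate(rules):
        if rule.verdict != "accept":
            continue
        for prev in rules[:i]:
            if prev.verdict in ("drop", "reject") and rule.match[: len(prev.match)] == prev.match:
                shadowed.append(i)
                break
    return shadowed


def _after(tokens: List[str], key: str) -> str:
    """Token following `key`, or '' when `key` is absent or last."""
    if key in tokens and tokens.index(key) + 1 < len(tokens):
        return tokens[tokens.index(key) + 1]
    return ""


def nfs_accept_reachable(rules: List[Rule], iface: str) -> bool:
    """True if an accept for dport 2049/{nfs} on `iface` is evaluated before any drop covering it."""
    shadowed = set(shadowed_rules(rules))
    return any(
        r.verdict == "accept" and i not in shadowed
        and _after(r.match, "iif") == iface and _after(r.match, "dport") in NFS_PORTS
        for i, r in enumerate(rules)
    )


# Tom's input chain in file order, with {nfs} in place of 2049 (other services omitted).
RULESET_FILE_ORDER = """
table inet filter {
    chain input {
        type filter hook input priority 0;
        iif enp1s0 tcp dport {ssh} counter accept comment "allow ssh"
        iif enp1s0 tcp dport {nfs} counter accept comment "allow nfs"
        iif enp1s0 ct state {established, related} counter accept comment "allow established"
        iif enp1s0 counter drop comment "dropped Internet packets"
        iif enp2s0 accept comment "allow local packets"
    }
}
"""

# Constructed variant: the same nfs rule appended to the chain end, which is where
# `nft add rule inet filter input ...` places it when run against the live ruleset.
RULESET_APPENDED = RULESET_FILE_ORDER.replace(
    '        iif enp1s0 tcp dport {nfs} counter accept comment "allow nfs"\n', ""
).replace(
    '        iif enp2s0 accept comment "allow local packets"\n',
    '        iif enp2s0 accept comment "allow local packets"\n'
    '        iif enp1s0 tcp dport {nfs} counter accept comment "allow nfs"\n',
)

if __name__ == "__main__":
    for name, text in (("file order", RULESET_FILE_ORDER), ("appended", RULESET_APPENDED)):
        rules = parse_ruleset(text)["inet filter input"]
        print(f"{name}: nfs reachable on enp1s0 = {nfs_accept_reachable(rules, 'enp1s0')}, "
              f"shadowed rule indices = {shadowed_rules(rules)}")
```

Run against the file-order chain it reports no shadowed rules and the NFS accept reachable; against the appended variant it flags the last rule as shadowed by `iif enp1s0 drop`, which is the situation a reload of the file (or `nft insert rule`) corrects. Feeding it the output of `nft list ruleset` works the same way, since that output uses the same brace layout.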