* recipe/example for nftables supporting Internet nfs4?
@ 2024-07-23 19:53 linux-nfs
From: linux-nfs @ 2024-07-23 19:53 UTC (permalink / raw)
To: linux-nfs
I have a fedora server on Internet sharing out NFS; working ok for 3+years w/firewalld. I'm going w/pure nftables on a new server. Does anyone have a recipe/example for setting up an NFS server using nftables?
thank you
* Re: recipe/example for nftables supporting Internet nfs4?
From: Calum Mackay @ 2024-07-23 21:28 UTC (permalink / raw)
To: linux-nfs, linux-nfs; +Cc: Calum Mackay
On 23/07/2024 8:53 pm, linux-nfs@trodman.com wrote:
> I have a fedora server on Internet sharing out NFS; working ok for 3+years w/firewalld. I'm going w/pure nftables on a new server. Does anyone have a recipe/example for setting up an NFS server using nftables?
I'm still stuck on iptables, but I imagine it ought to be something
simple like adding this to your NFSv4 server's inbound chain:
tcp dport 2049 accept
assuming you have a default accept policy on your outbound chain.
That's just for NFSv4 over TCP, of course. And you might want to add ct
connection tracking state, etc.
best wishes,
calum.
* Re: recipe/example | nftables for Internet nfs4? << iif enp1s0 tcp dport 2049 counter accept comment "allow nfs"
From: linux-nfs @ 2024-07-24 16:17 UTC (permalink / raw)
To: linux-nfs
On Tue 7/23/24 22:28 +0100 Calum Mackay wrote:
>On 23/07/2024 8:53 pm, linux-nfs@trodman.com wrote:
>> I have a fedora server on Internet sharing out NFS; working ok for 3+years w/firewalld. I'm going w/pure nftables on a new server. Does anyone have a recipe/example for setting up an NFS server using nftables?
>
>I'm still stuck on iptables, but I imagine it ought to be something
>simple like adding this to your NFSv4 server's inbound chain:
>
> tcp dport 2049 accept
>
>assuming you have a default accept policy on your outbound chain.
>
>That's just for NFSv4 over TCP, of course. And you might want to add ct
>connection tracking state, etc.
Thank you Calum.
As you suggested, I added:
iif enp1s0 tcp dport 2049 counter accept comment "allow nfs"
I then tried mount -v ... and it got farther but failed
mount.nfs4: mount(2): Permission denied
Then I restarted nftables.service. It worked!
--
thanks!
Tom
--8<---------------cut here---------------start------------->8---
# cat /etc/sysconfig/nftables.conf |_rmcm ## comments stripped. enp1s0 faces Internet
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0;
        iif enp1s0 tcp dport {ssh} counter accept comment "allow ssh"
        iif enp1s0 tcp dport {http, https} counter accept comment "allow http, https"
        iif enp1s0 tcp dport 2049 counter accept comment "allow nfs"
        iif enp1s0 tcp dport {smtp} counter accept comment "smtp"
        iif enp1s0 ct state {established, related} counter accept comment "allow established Internet packets"
        iif enp1s0 counter drop comment "dropped Internet packets"
        iif enp2s0 accept comment "allow local packets"
    }
    chain forward {
        type filter hook forward priority 0;
        iif enp1s0 oif enp2s0 ct state {established, related} counter accept comment "allow Internet est/relat"
        iif enp2s0 oif enp1s0 counter accept comment "allow lan to Internet"
        iif enp1s0 drop
    }
    chain output {
        type filter hook output priority 0;
    }
}
table nat {
    chain output {
        type nat hook output priority -100;
    }
    chain prerouting {
        type nat hook prerouting priority -100;
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        ip saddr 10.164.123.0/24 oif enp1s0 counter snat MY_SERVERS_INTERNET_IP comment "snat/static ip"
    }
}
* Re: recipe/example | nftables for Internet nfs4? << iif enp1s0 tcp dport 2049 counter accept comment "allow nfs"
From: Calum Mackay @ 2024-07-24 23:59 UTC (permalink / raw)
To: linux-nfs, linux-nfs; +Cc: Calum Mackay
On 24/07/2024 5:17 pm, linux-nfs@trodman.com wrote:
> On Tue 7/23/24 22:28 +0100 Calum Mackay wrote:
>> On 23/07/2024 8:53 pm, linux-nfs@trodman.com wrote:
>>> I have a fedora server on Internet sharing out NFS; working ok for 3+years w/firewalld. I'm going w/pure nftables on a new server. Does anyone have a recipe/example for setting up an NFS server using nftables?
>>
>> I'm still stuck on iptables, but I imagine it ought to be something
>> simple like adding this to your NFSv4 server's inbound chain:
>>
>> tcp dport 2049 accept
>>
>> assuming you have a default accept policy on your outbound chain.
>>
>> That's just for NFSv4 over TCP, of course. And you might want to add ct
>> connection tracking state, etc.
>
> Thank you Calum.
>
> As you suggested, I added:
>
> iif enp1s0 tcp dport 2049 counter accept comment "allow nfs"
>
> I then tried mount -v ... and it got farther but failed
>
> mount.nfs4: mount(2): Permission denied
>
> Then I restarted nftables.service. It worked!
That's great, Tom; thanks for letting me know, and for the detail below.
One point: you should be able to change the numeric port "2049" to the
service "{nfs}", to make it more in line with your other services, if
you prefer.
best wishes,
calum.
>
> --
> thanks!
> Tom
>
> --8<---------------cut here---------------start------------->8---
> # cat /etc/sysconfig/nftables.conf |_rmcm ## comments stripped. enp1s0 faces Internet
> flush ruleset
> table inet filter {
>     chain input {
>         type filter hook input priority 0;
>         iif enp1s0 tcp dport {ssh} counter accept comment "allow ssh"
>         iif enp1s0 tcp dport {http, https} counter accept comment "allow http, https"
>         iif enp1s0 tcp dport 2049 counter accept comment "allow nfs"
>         iif enp1s0 tcp dport {smtp} counter accept comment "smtp"
>         iif enp1s0 ct state {established, related} counter accept comment "allow established Internet packets"
>         iif enp1s0 counter drop comment "dropped Internet packets"
>         iif enp2s0 accept comment "allow local packets"
>     }
>     chain forward {
>         type filter hook forward priority 0;
>         iif enp1s0 oif enp2s0 ct state {established, related} counter accept comment "allow Internet est/relat"
>         iif enp2s0 oif enp1s0 counter accept comment "allow lan to Internet"
>         iif enp1s0 drop
>     }
>     chain output {
>         type filter hook output priority 0;
>     }
> }
> table nat {
>     chain output {
>         type nat hook output priority -100;
>     }
>     chain prerouting {
>         type nat hook prerouting priority -100;
>     }
>     chain postrouting {
>         type nat hook postrouting priority 100;
>         ip saddr 10.164.123.0/24 oif enp1s0 counter snat MY_SERVERS_INTERNET_IP comment "snat/static ip"
>     }
> }
>
--
Calum Mackay
Linux Kernel Engineering
Oracle Linux and Virtualisation
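Pulling the thread together as an added example (this is not Tom's posted config and not something Calum wrote): an Internet-facing NFSv4 server ruleset in the same layout as Tom's, with Calum's `{nfs}` service name, the conntrack rules evaluated before the per-service rules, an explicit drop policy, and the NFS port opened only to a named set of client addresses rather than to the whole Internet. The interface names enp1s0/enp2s0 and the 10.164.123.0/24 LAN prefix come from Tom's config; the `nfs_clients` set, its example prefixes, the 192.0.2.10 SNAT address and the log prefix are assumptions/placeholders.

```nft
#!/usr/sbin/nft -f
# Added example ruleset, not from the thread. enp1s0 faces the Internet,
# enp2s0 the LAN (names taken from Tom's config). Everything else is a placeholder.
flush ruleset

table inet filter {
    # Assumed client prefixes allowed to mount the export; replace with the real ones.
    set nfs_clients {
        type ipv4_addr
        flags interval
        elements = { 198.51.100.0/24, 203.0.113.7 }
    }

    chain input {
        # Explicit default drop: anything not accepted below is discarded.
        type filter hook input priority 0; policy drop;

        # Conntrack first, so replies and invalid packets never reach the service rules.
        ct state established,related counter accept comment "allow established/related"
        ct state invalid counter drop comment "drop invalid"

        iif lo accept comment "allow loopback"
        iif enp2s0 accept comment "allow local packets"
        meta l4proto { icmp, icmpv6 } counter accept comment "allow icmp"

        # Public services by name, as Calum suggests for nfs (resolved from /etc/services).
        iif enp1s0 tcp dport { ssh, http, https, smtp } counter accept comment "allow public services"

        # NFSv4 over TCP only (2049), and only from the listed clients.
        iif enp1s0 ip saddr @nfs_clients tcp dport { nfs } counter accept comment "allow nfs from known clients"

        # Log (rate limited) and then drop whatever else arrives from the Internet.
        iif enp1s0 limit rate 5/minute log prefix "nft-drop-input: " comment "log dropped Internet packets"
        iif enp1s0 counter drop comment "dropped Internet packets"
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related counter accept comment "allow replies in both directions"
        ct state invalid counter drop comment "drop invalid"
        iif enp2s0 oif enp1s0 counter accept comment "allow lan to Internet"
    }

    chain output {
        # Outbound traffic from the server itself is allowed (default accept policy).
        type filter hook output priority 0;
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100;
        # 192.0.2.10 is a placeholder for the server's public address.
        ip saddr 10.164.123.0/24 oif enp1s0 counter snat to 192.0.2.10 comment "snat/static ip"
    }
}
```

Two points worth keeping in mind with this layout. First, editing /etc/sysconfig/nftables.conf changes nothing in the kernel until the file is loaded, which is why Tom's new rule only took effect after restarting nftables.service; `nft -c -f /etc/sysconfig/nftables.conf` checks the file for syntax errors without applying it, and `nft -f /etc/sysconfig/nftables.conf` (or a service restart) applies it. Second, this opens only 2049/tcp, which is all NFSv4 needs; NFSv3 clients would additionally need rpcbind and the mountd/lockd/statd ports, so for an Internet-facing export keeping the server NFSv4-only keeps the firewall rule this small.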