* recipe/example for nftables supporting Internet nfs4?
From: linux-nfs @ 2024-07-23 19:53 UTC
To: linux-nfs

I have a fedora server on Internet sharing out NFS; working ok for 3+ years w/firewalld. I'm going w/pure nftables on a new server. Does anyone have a recipe/example for setting up an NFS server using nftables?

thank-you
* Re: recipe/example for nftables supporting Internet nfs4?
From: Calum Mackay @ 2024-07-23 21:28 UTC
To: linux-nfs, linux-nfs; +Cc: Calum Mackay

On 23/07/2024 8:53 pm, linux-nfs@trodman.com wrote:
> I have a fedora server on Internet sharing out NFS; working ok for 3+ years w/firewalld. I'm going w/pure nftables on a new server. Does anyone have a recipe/example for setting up an NFS server using nftables?

I'm still stuck on iptables, but I imagine it ought to be something
simple like adding this to your NFSv4 server's inbound chain:

    tcp dport 2049 accept

assuming you have a default accept policy on your outbound chain.

That's just for NFSv4 over TCP, of course. And you might want to add ct
connection tracking state, etc.

best wishes,
calum.
* Re: recipe/example | nftables for Internet nfs4? << iif enp1s0 tcp dport 2049 counter accept comment "allow nfs"
From: linux-nfs @ 2024-07-24 16:17 UTC
To: linux-nfs

On Tue 7/23/24 22:28 +0100 Calum Mackay wrote:
> On 23/07/2024 8:53 pm, linux-nfs@trodman.com wrote:
>> I have a fedora server on Internet sharing out NFS; working ok for 3+ years w/firewalld. I'm going w/pure nftables on a new server. Does anyone have a recipe/example for setting up an NFS server using nftables?
>
> I'm still stuck on iptables, but I imagine it ought to be something
> simple like adding this to your NFSv4 server's inbound chain:
>
>     tcp dport 2049 accept
>
> assuming you have a default accept policy on your outbound chain.
>
> That's just for NFSv4 over TCP, of course. And you might want to add ct
> connection tracking state, etc.

Thank you Calum.

As you suggested, I added:

    iif enp1s0 tcp dport 2049 counter accept comment "allow nfs"

I then tried mount -v ... and it got farther but failed:

    mount.nfs4: mount(2): Permission denied

Then I restarted nftables.service. It worked!

--
thanks!
Tom

--8<---------------cut here---------------start------------->8---
# cat /etc/sysconfig/nftables.conf |_rmcm ## comments stripped. enp1s0 faces Internet
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0;
        iif enp1s0 tcp dport {ssh} counter accept comment "allow ssh"
        iif enp1s0 tcp dport {http, https} counter accept comment "allow http, https"
        iif enp1s0 tcp dport 2049 counter accept comment "allow nfs"
        iif enp1s0 tcp dport {smtp} counter accept comment "smtp"
        iif enp1s0 ct state {established, related} counter accept comment "allow established Internet packets"
        iif enp1s0 counter drop comment "dropped Internet packets"
        iif enp2s0 accept comment "allow local packets"
    }
    chain forward {
        type filter hook forward priority 0;
        iif enp1s0 oif enp2s0 ct state {established, related} counter accept comment "allow Internet est/relat"
        iif enp2s0 oif enp1s0 counter accept comment "allow lan to Internet"
        iif enp1s0 drop
    }
    chain output {
        type filter hook output priority 0;
    }
}
table nat {
    chain output {
        type nat hook output priority -100;
    }
    chain prerouting {
        type nat hook prerouting priority -100;
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        ip saddr 10.164.123.0/24 oif enp1s0 counter snat MY_SERVERS_INTERNET_IP comment "snat/static ip"
    }
}
* Re: recipe/example | nftables for Internet nfs4? << iif enp1s0 tcp dport 2049 counter accept comment "allow nfs"
From: Calum Mackay @ 2024-07-24 23:59 UTC
To: linux-nfs, linux-nfs; +Cc: Calum Mackay

On 24/07/2024 5:17 pm, linux-nfs@trodman.com wrote:
> On Tue 7/23/24 22:28 +0100 Calum Mackay wrote:
>> On 23/07/2024 8:53 pm, linux-nfs@trodman.com wrote:
>>> I have a fedora server on Internet sharing out NFS; working ok for 3+ years w/firewalld. I'm going w/pure nftables on a new server. Does anyone have a recipe/example for setting up an NFS server using nftables?
>>
>> I'm still stuck on iptables, but I imagine it ought to be something
>> simple like adding this to your NFSv4 server's inbound chain:
>>
>>     tcp dport 2049 accept
>>
>> assuming you have a default accept policy on your outbound chain.
>>
>> That's just for NFSv4 over TCP, of course. And you might want to add ct
>> connection tracking state, etc.
>
> Thank you Calum.
>
> As you suggested, I added:
>
>     iif enp1s0 tcp dport 2049 counter accept comment "allow nfs"
>
> I then tried mount -v ... and it got farther but failed:
>
>     mount.nfs4: mount(2): Permission denied
>
> Then I restarted nftables.service. It worked!

That's great, Tom; thanks for letting me know, and for the detail below.

One point: you should be able to change the numeric port "2049" to the service "{nfs}", to make it more in line with your other services, if you prefer.

best wishes,
calum.

>
> --
> thanks!
> Tom
>
> --8<---------------cut here---------------start------------->8---
> # cat /etc/sysconfig/nftables.conf |_rmcm ## comments stripped. enp1s0 faces Internet
> flush ruleset
> table inet filter {
>     chain input {
>         type filter hook input priority 0;
>         iif enp1s0 tcp dport {ssh} counter accept comment "allow ssh"
>         iif enp1s0 tcp dport {http, https} counter accept comment "allow http, https"
>         iif enp1s0 tcp dport 2049 counter accept comment "allow nfs"
>         iif enp1s0 tcp dport {smtp} counter accept comment "smtp"
>         iif enp1s0 ct state {established, related} counter accept comment "allow established Internet packets"
>         iif enp1s0 counter drop comment "dropped Internet packets"
>         iif enp2s0 accept comment "allow local packets"
>     }
>     chain forward {
>         type filter hook forward priority 0;
>         iif enp1s0 oif enp2s0 ct state {established, related} counter accept comment "allow Internet est/relat"
>         iif enp2s0 oif enp1s0 counter accept comment "allow lan to Internet"
>         iif enp1s0 drop
>     }
>     chain output {
>         type filter hook output priority 0;
>     }
> }
> table nat {
>     chain output {
>         type nat hook output priority -100;
>     }
>     chain prerouting {
>         type nat hook prerouting priority -100;
>     }
>     chain postrouting {
>         type nat hook postrouting priority 100;
>         ip saddr 10.164.123.0/24 oif enp1s0 counter snat MY_SERVERS_INTERNET_IP comment "snat/static ip"
>     }
> }
>

--
Calum Mackay
Linux Kernel Engineering
Oracle Linux and Virtualisation
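Pulling the thread's two suggestions together (the `{nfs}` service name and conntrack state in the inbound chain), as an added example that is not from either poster's configuration. It keeps the interface name `enp1s0` from the thread; `nfs_clients` is a hypothetical named set with placeholder addresses, standing in for whatever clients are actually allowed to mount, and the `nft -c -f` line in the comment is the syntax check that catches a bad edit before the file is loaded.

```nft
#!/usr/sbin/nft -f
# Added example (not from the thread): inbound rules for an NFSv4-over-TCP
# server on enp1s0. Check the file before loading it, then confirm what the
# kernel actually holds (an edited file is not live until it is reloaded):
#   nft -c -f /etc/sysconfig/nftables.conf
#   nft list ruleset
flush ruleset

table inet filter {
    # Hypothetical set of clients allowed to mount; placeholder addresses
    # (TEST-NET ranges). Anything else on enp1s0 reaches the final drop.
    set nfs_clients {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24, 198.51.100.7 }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback and already-tracked flows first, so every rule below
        # only ever sees the first packet of a new connection.
        iif lo accept
        ct state { established, related } accept
        ct state invalid drop

        # New NFSv4 mounts: the "nfs" service name resolves to 2049/tcp
        # through /etc/services, in the same style as the other services.
        # An IPv6 client would need a matching "ip6 saddr" rule.
        iif enp1s0 ip saddr @nfs_clients tcp dport { nfs } ct state new counter accept comment "allow nfs from known clients"

        # Management access as in the original file.
        iif enp1s0 tcp dport { ssh } counter accept comment "allow ssh"

        # Everything else from the Internet is counted and dropped.
        iif enp1s0 counter drop comment "dropped Internet packets"
        iif enp2s0 accept comment "allow local packets"
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    # Replies leave through the output chain, so it keeps the default accept
    # the thread assumes.
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

With `counter` on the NFS rule, `nft list ruleset` shows the packet count climbing as mounts succeed, which is the quickest way to tell a rule that is loaded from one that is only on disk.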