Configuring an NFS Server
NFS (Network File System) is a protocol that allows exporting a filesystem to other remote machines, where it can be mounted like a local disk. While Samba is probably better for home use (more available clients, printer sharing), NFS is better for sharing partitions across servers. In fact, you will find NFS easier to configure than Samba, and if you don't need to share printers and your computers are Unix-based (Mac or Linux, basically), I think it's better than Samba even for home use.
First of all, we need to install portmap if it isn't installed already (if you have a desktop environment such as GNOME, it will already be installed).
europa:~# apt-get install portmap
The next step is checking that it accepts connections from hosts other than 127.0.0.1. To do so, open /etc/default/portmap and comment out the following line if it is present (shown here already commented out):
#OPTIONS="-i 127.0.0.1"
Later on, we will firewall portmap. For now, restart the service as usual.
europa:~# /etc/init.d/portmap restart
Stopping portmap daemon....
Starting portmap daemon....
The following command installs both the NFS server and the client on deb-based systems:
europa:~# apt-get install nfs-kernel-server nfs-common
Once installed, we need to tell the NFS server which directories to share. The file to edit is /etc/exports. Here's an example:
/home/user 192.168.1.3(rw,sync,no_subtree_check)
/directory_to_export 192.168.1.2(ro,sync,no_subtree_check) 192.168.1.5(rw,sync,no_subtree_check)
The first line exports the directory /home/user to 192.168.1.3 with read and write permission.
The second line exports the directory /directory_to_export read-only to 192.168.1.2 and read-write to 192.168.1.5.
Once we have configured our exports, we need to run exportfs to update the configuration:
europa:~# exportfs -a
Mounting a share from a client (supposing our server is 192.168.1.1, and that we are connecting to /home/user) is as easy as:
scherie:~# mount -t nfs 192.168.1.1:/home/user /mnt/home
Or we can add it to /etc/fstab like a regular partition:
192.168.1.1:/home/user /mnt/home nfs defaults 0 0
The last thing we should do is reject access to portmap and the NFS server from everyone else (even though a host that is not listed in the exports file cannot mount a directory anyway).
The following rules allow localhost and 192.168.1.2 to connect to portmap and reject everyone else. You can obviously use a range as the source to allow an entire LAN.
europa:~# iptables -t filter -A INPUT -s 127.0.0.1 -p tcp -m tcp --dport 111 -j ACCEPT
europa:~# iptables -t filter -A INPUT -s 127.0.0.1 -p udp -m udp --dport 111 -j ACCEPT
europa:~# iptables -t filter -A INPUT -s 192.168.1.2 -p tcp -m tcp --dport 111 -j ACCEPT
europa:~# iptables -t filter -A INPUT -s 192.168.1.2 -p udp -m udp --dport 111 -j ACCEPT
europa:~# iptables -t filter -A INPUT -p tcp -m tcp --dport 111 -j REJECT --reject-with icmp-port-unreachable
europa:~# iptables -t filter -A INPUT -p udp -m udp --dport 111 -j REJECT --reject-with icmp-port-unreachable
The following rules do the same for the NFS server.
europa:~# iptables -t filter -A INPUT -s 127.0.0.1 -p tcp -m tcp --dport 2049 -j ACCEPT
europa:~# iptables -t filter -A INPUT -s 127.0.0.1 -p udp -m udp --dport 2049 -j ACCEPT
europa:~# iptables -t filter -A INPUT -s 192.168.1.2 -p tcp -m tcp --dport 2049 -j ACCEPT
europa:~# iptables -t filter -A INPUT -s 192.168.1.2 -p udp -m udp --dport 2049 -j ACCEPT
europa:~# iptables -t filter -A INPUT -p tcp -m tcp --dport 2049 -j REJECT --reject-with icmp-port-unreachable
europa:~# iptables -t filter -A INPUT -p udp -m udp --dport 2049 -j REJECT --reject-with icmp-port-unreachable
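As an added helper (my own script, not part of the original post), the following generalizes the last two steps: it prints the portmap and NFS firewall rules for any number of allowed clients instead of typing them one by one, and it flags /etc/exports entries that are open to every host. The sample exports file and the /srv/public and /srv/oops entries are constructed for the demonstration.

```shell
#!/bin/sh
# nfs_fw_rules HOST... : accept TCP and UDP on 111 (portmap) and 2049 (NFS)
# from localhost and each HOST (address or CIDR range), then reject everyone
# else on those ports. Rules are printed, not applied: review, then pipe to sh.
nfs_fw_rules() {
    for port in 111 2049; do
        for src in 127.0.0.1 "$@"; do
            for proto in tcp udp; do
                echo "iptables -t filter -A INPUT -s $src -p $proto -m $proto --dport $port -j ACCEPT"
            done
        done
        for proto in tcp udp; do
            echo "iptables -t filter -A INPUT -p $proto -m $proto --dport $port -j REJECT --reject-with icmp-port-unreachable"
        done
    done
}

# check_exports < exports-file : print every export reachable from any host
# (no client field, a client of "*", or "(opts)" with no host in front of it,
# which also exports to the world); prints nothing when the file is clean.
check_exports() {
    while read -r dir clients; do
        case "$dir" in ''|'#'*) continue ;; esac
        if [ -z "$clients" ]; then
            echo "$dir: no client list, exported to every host"
            continue
        fi
        for c in $clients; do
            host=${c%%\(*}
            case "$host" in ''|'*') echo "$dir: client '$c' allows every host" ;; esac
        done
    done
}

# Constructed sample exports: the two entries from the post plus two open ones.
sample_exports() {
    cat <<'EOF'
# constructed /etc/exports sample
/home/user 192.168.1.3(rw,sync,no_subtree_check)
/directory_to_export 192.168.1.2(ro,sync,no_subtree_check) 192.168.1.5(rw,sync,no_subtree_check)
/srv/public *(ro,sync,no_subtree_check)
/srv/oops (rw,sync,no_subtree_check)
EOF
}

nfs_fw_rules 192.168.1.2          # prints 12 rules for the post's single client
sample_exports | check_exports    # flags /srv/public and /srv/oops
```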