实验环境:vmware7.1+RHEL5.2+selinux(enforce)+iptables(ALL
DROP)
[root@rhel5server ~]# uname -r2.6.18-92.el5
实验操作:修改配置文件/etc/sysconfig/nfs,其中的部分参数我按文件默认给出的值,仅仅只是把前面的注释去掉而已。如果默认参数跟/etc/services文件中某个服务使用的端口相同的话,则自己挑了个没有在该文件中定义的端口:
[root@rhel5server ~]# vim
/etc/sysconfig/nfsRQUOTAD_PORT=875
LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
MOUNTD_PORT=892
#STATD_PORT=662是默认参数,但是在/etc/services中有定义了,所以换了个10005
STATD_PORT=10005
#STATD_OUTGOING_PORT=2020是默认参数,在/etc/services中也定义了,所以换了个10006
STATD_OUTGOING_PORT=10006
再检查一下看看有没有跟/etc/services文件中定义的重复:
[root@rhel5server ~]# egrep '875|32803|32796|892|10005|10006'
/etc/serviceswestell-stats
1875/tcp #
westell stats
westell-stats
1875/udp #
westell stats
childkey-ctrl
1892/tcp #
ChildKey Control
childkey-ctrl
1892/udp #
ChildKey Control
dxmessagebase2
2875/tcp #
dxmessagebase2
dxmessagebase2
2875/udp #
dxmessagebase2
snifferdata
2892/tcp #
SNIFFERDATA
snifferdata
2892/udp #
SNIFFERDATA
pnbscada
3875/tcp #
PNBSCADA
pnbscada
3875/udp #
PNBSCADA
pcc-image-port
3892/tcp #
PCC-image-port
pcc-image-port
3892/udp #
PCC-image-port
ddi-tcp-5
8892/tcp #
Desktop Data TCP 4: FARM product
ddi-udp-5
8892/udp #
Desktop Data UDP 4: FARM product
sapv1 9875/tcp #
Session Announcement v1
sapv1 9875/udp #
Session Announcement v1
没有重复
再看看nfs使用的端口:
[root@rhel5server ~]# grep 'nfs' /etc/servicesnfs 2049/tcp
nfsd
nfs 2049/udp
nfsdnfsd-status
1110/tcp #
Cluster status info
nfsd-keepalive
1110/udp #
Client status info
picknfs 1598/tcp #
picknfs
picknfs 1598/udp #
picknfs
shiva_confsrvr
1651/tcp #
shiva_confsrvr
shiva_confsrvr
1651/udp #
shiva_confsrvr
3d-nfsd 2323/tcp #
3d-nfsd
3d-nfsd 2323/udp #
3d-nfsd
mediacntrlnfsd
2363/tcp #
Media Central NFSD
mediacntrlnfsd
2363/udp #
Media Central NFSD
根据以上的配置,那么iptables防火墙脚本文件如下设置:
[root@rhel5server scripts]# cat
fw-nfs.sh#!/bin/bash
#设置默认策略,先全部清空,再全部拒绝
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
#下面单独开放
#开放回环网卡lo
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
#开放ping
iptables -A INPUT -p icmp -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT
#开放ping域名
iptables -A INPUT -p udp --sport 53 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
#开放ssh
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
#nfs portmap,nfs,mountd,lockd,rquotad,statd
iptables -A INPUT -p tcp -m multiport --dports
111,2049,892,32803,875,10005,10006 -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --sports
111,2049,892,32803,875,10005,10006 -j ACCEPT
iptables -A INPUT -p udp -m multiport --dports
111,2049,892,32796,875,10005,10006 -j ACCEPT
iptables -A OUTPUT -p udp -m multiport --sports
111,2049,892,32796,875,10005,10006 -j ACCEPT
[root@rhel5server scripts]# chmod u+x
./fw-nfs.sh[root@rhel5server
scripts]# ./fw-nfs.sh[root@rhel5server
scripts]# service
iptables status表格:filter
Chain INPUT (policy DROP)
num
target prot opt
source destination 1 ACCEPT all --
0.0.0.0/0 0.0.0.0/0 2 ACCEPT icmp --
0.0.0.0/0 0.0.0.0/0 3 ACCEPT udp --
0.0.0.0/0 0.0.0.0/0 udp spt:53 4 ACCEPT tcp --
0.0.0.0/0 0.0.0.0/0 tcp dpt:22 5 ACCEPT tcp --
0.0.0.0/0 0.0.0.0/0 multiport dports
111,2049,892,32803,875,10005,10006 6 ACCEPT udp --
0.0.0.0/0 0.0.0.0/0 multiport dports 111,2049,892,32796,875,10005,10006
Chain FORWARD (policy DROP)
num
target prot opt
source destination
Chain OUTPUT (policy DROP)
num
target prot opt
source destination 1 ACCEPT all --
0.0.0.0/0 0.0.0.0/0 2 ACCEPT icmp --
0.0.0.0/0 0.0.0.0/0 3 ACCEPT udp --
0.0.0.0/0 0.0.0.0/0 udp dpt:53 4 ACCEPT tcp --
0.0.0.0/0 0.0.0.0/0 tcp spt:22 5 ACCEPT tcp --
0.0.0.0/0 0.0.0.0/0 multiport sports
111,2049,892,32803,875,10005,10006 6 ACCEPT udp --
0.0.0.0/0 0.0.0.0/0 multiport sports 111,2049,892,32796,875,10005,10006
表格:nat
Chain PREROUTING (policy ACCEPT)
num
target prot opt
source destination
Chain POSTROUTING (policy ACCEPT)
num
target prot opt
source destination
Chain OUTPUT (policy ACCEPT)
num
target prot opt
source destination 作为测试,nfs配置文件如下:
[root@rhel5server scripts]# cat
/etc/exports/home/users
197.133.133.0/255.255.255.0(rw,insecure,no_root_squash,async)
/jobmgr 197.133.133.0/255.255.255.0(rw,insecure,no_root_squash,async)
/opt 197.133.133.0/255.255.255.0(rw,insecure,no_root_squash,async)
/root/nfs
197.133.133.0/255.255.255.0(rw,insecure,no_root_squash,async)
*(ro)
准备作为nfs共享的目录已经建好,如下:
[root@rhel5server scripts]#ls -ld /home/users /jobmgr /opt
/root/nfsdrwxr-xr-x 2 root root 4096 10-19 14:27
/home/users
drwxr-xr-x 2 root root 4096 10-19 14:27 /jobmgr
drwxr-xr-x 3 root root 4096 10-20 17:11 /opt
drwxr-xr-x 2 root root 4096 10-20 09:35 /root/nfs
先启动portmap服务:
[root@rhel5server scripts]# /etc/init.d/portmap start启动
portmap: [确定]
[root@rhel5server scripts]# rpcinfo -p
localhost 程序 版本
协议 端口
100000 2 tcp 111
portmapper
100000 2 udp 111
portmapper
看看端口侦听情况:
[root@rhel5server scripts]# netstat -tunlpActive Internet
connections (only servers)
Proto Recv-Q Send-Q Local
Address Foreign
Address State PID/Program
name tcp 0 0
0.0.0.0:111 0.0.0.0:* LISTEN 19249/portmap tcp 0 0
127.0.0.1:6010 0.0.0.0:* LISTEN 6128/0