next up previous contents
Next: NFS Client 端設定 Up: Network File System, NFS Previous: 查詢與變更   Contents

安全機制

  1. 查詢 nfs ports
    [root@kvm8 ~]# rpcinfo -p 192.168.122.8
       program vers proto   port  service
        100000    4   tcp    111  portmapper
        100000    3   tcp    111  portmapper
        100000    2   tcp    111  portmapper
        100000    4   udp    111  portmapper
        100000    3   udp    111  portmapper
        100000    2   udp    111  portmapper
        100024    1   udp  55661  status
        100024    1   tcp  46633  status
        100003    2   tcp   2049  nfs
        100003    3   tcp   2049  nfs
        100003    4   tcp   2049  nfs
        100227    2   tcp   2049  nfs_acl
        100227    3   tcp   2049  nfs_acl
        100003    2   udp   2049  nfs
        100003    3   udp   2049  nfs
        100003    4   udp   2049  nfs
        100227    2   udp   2049  nfs_acl
        100227    3   udp   2049  nfs_acl
        100021    1   udp  37591  nlockmgr
        100021    3   udp  37591  nlockmgr
        100021    4   udp  37591  nlockmgr
        100021    1   tcp  50290  nlockmgr
        100021    3   tcp  50290  nlockmgr
        100021    4   tcp  50290  nlockmgr
        100005    1   udp    892  mountd
        100005    1   tcp    892  mountd
        100005    2   udp    892  mountd
        100005    2   tcp    892  mountd
        100005    3   udp    892  mountd
        100005    3   tcp    892  mountd
    

  2. 查詢 nfs tcp ports
    [root@kvm8 ~]# rpcinfo -p 192.168.122.8 | grep tcp |awk '{print $4}' |sort -u
    111
    2049
    42586
    46633
    46697
    46790
    49698
    

  3. 查詢 nfs udp ports
    [root@kvm8 ~]# rpcinfo -p 192.168.122.8 | grep udp |awk '{print $4}' |sort -u
    111
    2049
    37474
    43938
    49830
    55661
    57818
    

  4. 指定 rpc mount port
    [root@kvm8 ~]# vim /etc/sysconfig/nfs 
    # Port rpc.mountd should listen on.
    MOUNTD_PORT=892
    

  5. 防火牆設定
    [root@kvm8 ~]# vim /etc/sysconfig/iptables
    -A INPUT -i lo -j ACCEPT
    ######################################################
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 892 -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 111 -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT
    
    -A INPUT -m state --state NEW -m udp -p udp --dport 111 -j ACCEPT
    -A INPUT -m state --state NEW -m udp -p udp --dport 2049 -j ACCEPT
    ######################################################
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
    

  6. 防火牆重新啟動
    [root@kvm8 ~]# /etc/init.d/iptables restart
    
  7. 開機啟動防火牆
    [root@kvm8 ~]# chkconfig iptables on
    
  8. 測試 nfs 掛載
    [root@dyH ~]# showmount -e kvm8.deyu.wang
    Export list for kvm8.deyu.wang:
    /home 192.168.122.0/24
    
    [root@dyH ~]# mount -t nfs -o nfsvers=4 kvm8.deyu.wang:/home /mnt/home
    [root@dyH ~]# ll /mnt/home/
    total 19
    drwxr-xr-x. 5 nobody nobody  1024 Aug  1 19:49 deyu1
    drwx------. 4 nobody nobody  1024 Aug  1 14:56 deyu2
    drwx------. 4 nobody nobody  1024 Aug  1 14:56 deyu3
    drwx------. 2 root   root   12288 Aug  1 11:40 lost+found
    



De-Yu Wang 2018-09-25