參考網站:
鳥哥的 Linux 私房菜 — NFS 伺服器
CentOS 7 NFS服务器和客户端设置 – 阿泰的菜园
How to setup NFS Server on CentOS 7 / RHEL 7 / Fedora 22
NFS issue Behind iptables in Centos 7 – Server Fault
# /usr/sbin/rpcinfo -p
program vers proto port service
100000 4 tcp 111 portmapper
100000 3 tcp 111 portmapper
100000 2 tcp 111 portmapper
100000 4 udp 111 portmapper
100000 3 udp 111 portmapper
100000 2 udp 111 portmapper
100024 1 udp 33438 status
100024 1 tcp 45447 status
100005 1 udp 1002 mountd
100005 1 tcp 1002 mountd
100005 2 udp 1002 mountd
100005 2 tcp 1002 mountd
100005 3 udp 1002 mountd
100005 3 tcp 1002 mountd
100003 3 tcp 2049 nfs
100003 4 tcp 2049 nfs
100227 3 tcp 2049 nfs_acl
100003 3 udp 2049 nfs
100003 4 udp 2049 nfs
100227 3 udp 2049 nfs_acl
100021 1 udp 58234 nlockmgr
100021 3 udp 58234 nlockmgr
100021 4 udp 58234 nlockmgr
100021 1 tcp 33450 nlockmgr
100021 3 tcp 33450 nlockmgr
100021 4 tcp 33450 nlockmgr
稍微整理一下,其中 tcp/udp 111 及 tcp/udp 2049 是固定的,其它則會變動
# /usr/sbin/rpcinfo -p | awk ‘{print $3,$4,$5}’ | sort | uniq
proto port service
tcp 111 portmapper
tcp 2049 nfs
tcp 2049 nfs_acl
tcp 33450 nlockmgr
tcp 45447 status
tcp 1002 mountd
udp 111 portmapper
udp 2049 nfs
udp 2049 nfs_acl
udp 58234 nlockmgr
udp 33438 status
udp 1002 mountd
[@more@]使用 firewalld 防火牆
# /usr/bin/firewall-cmd –permanent –zone public –add-service mountd
# /usr/bin/firewall-cmd –permanent –zone public –add-service rpc-bind
# /usr/bin/firewall-cmd –permanent –zone public –add-service nfs
# /usr/bin/firewall-cmd –reload
不過個人比較習慣使用原有的 iptables 防火牆,所以底下改用固定 NFS Server Port 的方式處理
備份原檔 /etc/sysconfig/nfs
# cp /etc/sysconfig/nfs /etc/sysconfig/nfs.$(date +%F)
修改設定檔 /etc/sysconfig/nfs
# grep PORT /etc/sysconfig/nfs
LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
MOUNTD_PORT=892
STATD_PORT=662
STATD_OUTGOING_PORT=2020
重新啟動 NFS Server
# systemctl restart nfs-server
如果 nlockmgr Port 還是無法固定,則要修改 /etc/sysctl.conf
# cp /etc/sysctl.conf /etc/sysctl.conf.$(date +%F)
加入下面二行
fs.nfs.nlm_tcpport=32803
fs.nfs.nlm_udpport=32769
# sed -i ‘$a fs.nfs.nlm_tcpport=32803nfs.nfs.nlm_udpport=32769’ /etc/sysctl.conf
讓設定生效
# sysctl -p
再次檢查所使用的 Port 是否有固定
# /usr/sbin/rpcinfo -p
program vers proto port service
100000 4 tcp 111 portmapper
100000 3 tcp 111 portmapper
100000 2 tcp 111 portmapper
100000 4 udp 111 portmapper
100000 3 udp 111 portmapper
100000 2 udp 111 portmapper
100024 1 udp 662 status
100024 1 tcp 662 status
100005 1 udp 892 mountd
100005 1 tcp 892 mountd
100005 2 udp 892 mountd
100005 2 tcp 892 mountd
100005 3 udp 892 mountd
100005 3 tcp 892 mountd
100003 3 tcp 2049 nfs
100003 4 tcp 2049 nfs
100227 3 tcp 2049 nfs_acl
100003 3 udp 2049 nfs
100003 4 udp 2049 nfs
100227 3 udp 2049 nfs_acl
100021 1 udp 32769 nlockmgr
100021 3 udp 32769 nlockmgr
100021 4 udp 32769 nlockmgr
100021 1 tcp 32803 nlockmgr
100021 3 tcp 32803 nlockmgr
100021 4 tcp 32803 nlockmgr
# /usr/sbin/rpcinfo -p | awk ‘{print $3,$4,$5}’ | sort | uniq
proto port service
tcp 111 portmapper
tcp 2049 nfs
tcp 2049 nfs_acl
tcp 32803 nlockmgr
tcp 662 status
tcp 892 mountd
udp 111 portmapper
udp 2049 nfs
udp 2049 nfs_acl
udp 32769 nlockmgr
udp 662 status
udp 892 mountd
使用 firewalld 防火牆
# /usr/bin/firewall-cmd –permanent –add-port=111/tcp
# /usr/bin/firewall-cmd –permanent –add-port=111/udp
# /usr/bin/firewall-cmd –permanent –add-port=662/tcp
# /usr/bin/firewall-cmd –permanent –add-port=662/udp
# /usr/bin/firewall-cmd –permanent –add-port=892/tcp
# /usr/bin/firewall-cmd –permanent –add-port=892/udp
# /usr/bin/firewall-cmd –permanent –add-port=2049/tcp
# /usr/bin/firewall-cmd –permanent –add-port=2049/udp
# /usr/bin/firewall-cmd –permanent –add-port=32803/tcp
# /usr/bin/firewall-cmd –permanent –add-port=32769/udp
# /usr/bin/firewall-cmd –reload
使用 iptables 防火牆
# /usr/sbin/iptables -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 -m multiport –dport 111,2049,662,892,32803 -j ACCEPT
# /usr/sbin/iptables -A INPUT -i eth0 -p udp -s 192.168.1.0/24 -m multiport –dport 111,2049,662,892,32769 -j ACCEPT