How to Export an NFSv4 Server to External Networks
We ever discussed fixing ports used by NFSv3 so that it can be easily exported to external networks. For NFSv4.1 or higher, things are much easier. The ports for mountd, statd, and lockd are not required in a pure NFSv4 environment. We have less ports to control or allow for connections. Only port 111 and 2049 need to be taken care of for NFSv4. In this post, we will discuss how to export NFSv4 to external networks.
In this tutorial’s example, we assume
- the external network is 192.168.0.0/16
- the gateway’s external network IP is 192.168.1.100
- the NFS server’s private/internal IP is 10.2.2.2
If you are running on a different network configuration, please replace these IPs in the following command with you IPs.
Steps to export an NFSv4 are as follows.
Set up port forwarding on the gateway
On the gateway, run
# iptables -t nat -A PREROUTING -d 192.168.1.100/32 -p tcp -m tcp --dport 2049 -j DNAT --to-destination 10.2.2.2:2049
# iptables -t nat -A PREROUTING -d 192.168.1.100/32 -p udp -m udp --dport 2049 -j DNAT --to-destination 10.2.2.2:2049
# iptables -t nat -A PREROUTING -d 192.168.1.100/32 -p tcp -m tcp --dport 111 -j DNAT --to-destination 10.2.2.2:111
# iptables -t nat -A PREROUTING -d 192.168.1.100/32 -p udp -m udp --dport 111 -j DNAT --to-destination 10.2.2.2:111to export the port 2049 and 111.
Note: the rules are in memory only. Please remember to save the iptables rules after it is tested working following your gateway host’s iptables management.
Allow external network IPs in the NFSv4 server
On the NFSv4 server:
Add this line (exactly the same; exports requirement is strict)
/nfs/data 192.168.0.0/16(rw,no_root_squash)to /etc/exports
and then run
# exportfs -ato make it take effect
You can check the exported FS by running exportfs. It should show something like
/nfs/data
10.2.0.0/16
/nfs/data
192.168.0.0/16Mount the NFS
Then, on another node in the external network, you can mount the /nfs/data by
# mount 192.168.1.100:/nfs/data /nfsThen you can use the NFS exported from the private network. Enjoy!
What about routing?
The source-address remains the same, so the routing table of the internal nfs-server is important – isn’t it?
Are there any additional routing configurations at the gateway?
Regards
Markus
In the environment where this works as stated at the beginning part, the ‘gateway’ should already have been configured as a gateway including its routing rules, iptables rules, network cables/interfaces and etc. This post does not cover that part of configuring a gateway.
Solved it with an SNAT entry in POSTROUTING. Works, but kind of slow. Need to analyze if its the iptables-Part or the load or the network.
Thanks
Markus