NFS firewall port policy for NFSv3 and NFSv4: production practice
Red Hat's official statement on NFSv4:
NFS version 4 (NFSv4) works through firewalls and on the Internet, no longer requires an rpcbind service, supports ACLs, and utilizes stateful operations. Red Hat Enterprise Linux 6 supports NFSv2, NFSv3, and NFSv4 clients. When mounting a file system via NFS, Red Hat Enterprise Linux uses NFSv4 by default, if the server supports it.
Official statement on NFSv4 ports and protocols:
The mounting and locking protocols have been incorporated into the NFSv4 protocol. The server also listens on the well-known TCP port 2049. As such, NFSv4 does not need to interact with rpcbind [3], lockd, and rpc.statd daemons. The rpc.mountd daemon is required on the NFS server to set up the exports.
[3] rpcbind: The rpcbind service replaces portmap, which was used in previous versions of Red Hat Enterprise Linux to map RPC program numbers to IP address and port number combinations.
Fixing the ports to simplify firewall configuration is officially recommended:
All the RPC/NFS daemons have a '-p' command line option that can set the port, making firewall configuration easier.
Official statement on configuring firewall ports:
In order for NFS to work with a default installation of Red Hat Enterprise Linux with a firewall enabled, configure IPTables with the default TCP port 2049. Without proper IPTables configuration, NFS will not function properly.
Note:
To allow NFSv4.0 callbacks through a firewall, set the client's callback port via
/proc/sys/fs/nfs/nfs_callback_tcpport
and allow the server to connect to that port on the client.
NFSv4.1 and later do not need this step, and in a pure NFSv4 environment the additional ports for mountd, statd and lockd do not need to be opened.
Official descriptions of the services NFSv4 requires:
rpc.nfsd
rpc.nfsd allows explicit NFS versions and protocols the server advertises to be defined. It works with the Linux kernel to meet the dynamic demands of NFS clients, such as providing server threads each time an NFS client connects. This process corresponds to the nfs service. It listens on port 2049.
rpc.mountd
It checks that the requested NFS share is currently exported by the NFS server, and that the client is allowed to access it. If the mount request is allowed, the rpc.mountd server replies with a Success status and provides the File-Handle for this NFS share back to the NFS client. Its port is fixed by editing the configuration file /etc/sysconfig/nfs (MOUNTD_PORT).
rpc.idmapd
rpc.idmapd provides NFSv4 client and server upcalls, which map between on-the-wire NFSv4 names (strings in the form of user@domain) and local UIDs and GIDs. For idmapd to function with NFSv4, the /etc/idmapd.conf file must be configured. At a minimum, the "Domain" parameter should be specified, which defines the NFSv4 mapping domain. If the NFSv4 mapping domain is the same as the DNS domain name, this parameter can be skipped. The client and server must agree on the NFSv4 mapping domain for ID mapping to function properly.
Port policy test:
Host | nfs-client    | nfs-server
IP   | 192.168.42.42 | 192.168.42.43
nfs-server environment:
[root@ceph3 ~]# head -n 1 /etc/issue
Red Hat Enterprise Linux Server release 6.6 (Santiago)
[root@ceph3 ~]# uname -a
Linux ceph3 2.6.32-504.el6.x86_64 #1 SMP Tue Sep 16 01:56:35 EDT 2014 x86_64 x86_64 x86_64 GNU/Linux
[root@ceph3 ~]# rpm -qa nfs*
nfs-utils-lib-1.1.5-9.el6.x86_64
nfs-utils-1.2.3-54.el6.x86_64
nfs4-acl-tools-0.3.3-6.el6.x86_64
# Fix the random ports of the server-side RPC services (the text under each variable is Red Hat's description of that daemon)
[root@ceph3 ~]# vim /etc/sysconfig/nfs
RQUOTAD_PORT=30001
rpc.rquotad: This process provides user quota information for remote users. rpc.rquotad is started automatically by the nfs service and does not require user configuration.
LOCKD_TCPPORT=30002
LOCKD_UDPPORT=30002
lockd: a kernel thread which runs on both clients and servers. It implements the Network Lock Manager (NLM) protocol, which allows NFSv2 and NFSv3 clients to lock files on the server. It is started automatically whenever the NFS server is run and whenever an NFS file system is mounted.
MOUNTD_PORT=30003
rpc.mountd: This process is used by an NFS server to process MOUNT requests from NFSv2 and NFSv3 clients. It checks that the requested NFS share is currently exported by the NFS server, and that the client is allowed to access it. If the mount request is allowed, the rpc.mountd server replies with a Success status and provides the File-Handle for this NFS share back to the NFS client.
STATD_PORT=30004
rpc.statd: This process implements the Network Status Monitor (NSM) RPC protocol, which notifies NFS clients when an NFS server is restarted without being gracefully brought down. rpc.statd is started automatically by the nfslock service, and does not require user configuration. This is not used with NFSv4.
Note that 30001-30004 are custom values chosen for this test. The Red Hat article quoted further below strongly recommends the default ports (875, 32803/32769, 892, 662), because SELinux policy can prevent some of these daemons from binding to non-default ports.
Save and exit, then restart the services so the new ports take effect (on RHEL 6 the nfs and nfslock init scripts read /etc/sysconfig/nfs when they start, so both must be restarted as well):
# /etc/init.d/portreserve restart
# NFSv4 test (RHEL 6 mounts with NFSv4 by default when the server supports it). Stop the firewall, mount the shared directory from the client and capture the traffic
[root@ceph3 ~]# service iptables stop
# Wireshark, the well-known packet capture tool, was used for the capture
# Start the nfs service on nfs-server
# Mount from nfs-client
# Mount succeeds; capture on nfs-server
# The capture shows that nfs-client -> nfs-server used only one port, 2049, so test that with a firewall policy
# Drop all ports, then allow only 2049
# Test whether mounting from nfs-client still works
# Mounting from the client still works; file sharing is normal and create, delete, modify and read all succeed
===========================================================
NFSv3 test on nfs-server:
# Stop iptables on nfs-server
# Run a mount test from nfs-client
# Capture on nfs-server
# The capture on nfs-server shows ports 111, 30003 and 2049
# Restrict ports with iptables on nfs-server, allowing 111, 30003 and 2049
# Mount test from nfs-client:
# Mount succeeds; file sharing, create, delete, modify and read all work
# Note that this test only exercises mount and file I/O. NFSv3 file locking (NLM via lockd, fixed at 30002 above) and reboot notification (statd, 30004) were not triggered, so a production rule set must also open those ports, and 30001 if quotas are queried.
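The Wireshark step above, made repeatable as an added example (not part of the original post): record the mount with tcpdump on nfs-server and reduce the capture to the set of server ports the client actually connected to; that set is the firewall allow-list. The tcpdump lines below are constructed to mirror the v4 and v3 results described in the text, not real captures, and the addresses are the ones from the test table.

```shell
#!/bin/bash
# Added example: derive the NFS firewall allow-list from a tcpdump capture of a mount.
# CAPTURE_V4 and CAPTURE_V3 are constructed samples, not real captures.

NFS_SERVER=192.168.42.43
NFS_CLIENT=192.168.42.42

# On nfs-server, started before the client mounts (-nn keeps addresses and ports numeric):
#   tcpdump -nn -l -i eth0 "host $NFS_CLIENT" > /tmp/nfs-mount.txt

# Constructed tcpdump -nn output for an NFSv4 mount: a single TCP connection to 2049.
CAPTURE_V4='12:05:01.000001 IP 192.168.42.42.683 > 192.168.42.43.2049: Flags [S], seq 1, win 14600, length 0
12:05:01.000120 IP 192.168.42.43.2049 > 192.168.42.42.683: Flags [S.], seq 2, ack 2, win 14480, length 0
12:05:01.000300 IP 192.168.42.42.683 > 192.168.42.43.2049: Flags [P.], seq 1:245, ack 1, length 244'

# Constructed output for an NFSv3 mount with MOUNTD_PORT=30003: rpcbind, mountd, then nfsd.
CAPTURE_V3='12:00:01.000001 IP 192.168.42.42.35112 > 192.168.42.43.111: Flags [S], seq 1, win 14600, length 0
12:00:01.000120 IP 192.168.42.43.111 > 192.168.42.42.35112: Flags [S.], seq 2, ack 2, win 14480, length 0
12:00:01.001000 IP 192.168.42.42.874 > 192.168.42.43.30003: Flags [S], seq 3, win 14600, length 0
12:00:01.001200 IP 192.168.42.43.30003 > 192.168.42.42.874: Flags [S.], seq 4, ack 4, win 14480, length 0
12:00:01.002000 IP 192.168.42.42.921 > 192.168.42.43.2049: Flags [S], seq 5, win 14600, length 0
12:00:01.002200 IP 192.168.42.43.2049 > 192.168.42.42.921: Flags [S.], seq 6, ack 6, win 14480, length 0'

# flows CLIENT SERVER CAPTURE -> "sport dport" for every client->server packet.
# tcpdump prints a.b.c.d.port, so the port is the fifth dot-separated field; the
# destination carries a trailing ":" that is stripped.
flows() {
    printf '%s\n' "$3" | awk -v c="$1" -v s="$2" '
        $2 == "IP" {
            n = split($3, src, "."); m = split($5, dst, ".")
            sub(/:$/, "", dst[m])
            if (n == 5 && m == 5 &&
                src[1] "." src[2] "." src[3] "." src[4] == c &&
                dst[1] "." dst[2] "." dst[3] "." dst[4] == s)
                print src[5], dst[m]
        }'
}

# server_ports CLIENT SERVER CAPTURE -> space-separated, sorted set of server ports contacted
server_ports() {
    flows "$@" | awk '{ print $2 }' | sort -n -u | tr '\n' ' ' | sed 's/ $//'
}

# max_client_sport CLIENT SERVER CAPTURE -> highest client source port seen. Anything above
# 1023 means a stateless rule admitting only privileged source ports would break the mount.
max_client_sport() {
    flows "$@" | awk 'BEGIN { m = 0 } $1 > m { m = $1 } END { print m }'
}

# Stand-alone run
echo "NFSv4 server ports: $(server_ports "$NFS_CLIENT" "$NFS_SERVER" "$CAPTURE_V4")"
echo "NFSv3 server ports: $(server_ports "$NFS_CLIENT" "$NFS_SERVER" "$CAPTURE_V3")"
echo "NFSv3 highest client source port: $(max_client_sport "$NFS_CLIENT" "$NFS_SERVER" "$CAPTURE_V3")"
```

Only client-to-server packets are counted, so server replies do not add noise to the list. A real capture should be taken while the client also locks a file and while the server is rebooted, otherwise the lockd and statd ports never appear in the result, which is exactly the gap in the manual test above.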
===========================================================
Appendix: Red Hat's official statement on NFSv3 firewall policy:
Applies to:
Red Hat Enterprise Linux 7
Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 4
NFS version 3
On port randomness:
NFSv3 and below rely on portmap to assign the ports on which it will listen. One side effect of this is that the ports are randomly assigned, so each time NFS is restarted the ports will change. This can make it difficult to run an NFS server behind a firewall which only allows access to specific ports on the system.
On the services that should be given fixed ports:
The first step is to assign a permanent port number to each of the NFS services (rquotad, mountd, statd, and lockd). You may use your own custom port numbers, although there are SELinux rules which prevent some of these services from starting on non-default ports. We strongly recommend using the default ports. The following examples use the default port numbers.
On the configuration file for fixed ports:
The port numbers for these services are configured through the file /etc/sysconfig/nfs. You will need to create this file if it does not exist. It should look similar to the following example:
Ports to set:
# Note: choose ports that do not conflict with ports already in use by other services
# Port rquotad should listen on.
RQUOTAD_PORT=875
# TCP port rpc.lockd should listen on.
LOCKD_TCPPORT=32803
# UDP port rpc.lockd should listen on.
LOCKD_UDPPORT=32769
# Port rpc.mountd should listen on.
MOUNTD_PORT=892
# Port rpc.statd should listen on.
STATD_PORT=662
# Outgoing port statd should use. The default is a random port.
#STATD_OUTGOING_PORT=2020
On statd's STATD_OUTGOING_PORT:
Note - statd: STATD_OUTGOING_PORT can usually be left commented out and defaulting to a random outgoing port, as it's most common to only restrict incoming traffic with a firewall. STATD_OUTGOING_PORT is only required to be set if the firewall also restricts outgoing traffic.
Note - RHEL 7: After changing anything in /etc/sysconfig/nfs you must run systemctl restart nfs-config for the changes to take effect. STATD_OUTGOING_PORT is no longer valid and is replaced by STATDARG="-o 2020".
If the lockd ports cannot be fixed:
Note - lockd: If the ports for the lockd service can not be changed despite the above setting, you might need to update your nfs-utils package. This package has a relevant bug in the earlier versions. For more information, please visit our Bugzilla entries Bug 461043 for RHEL 4 and Bug 313671 for RHEL 5. The relevant fixes are in packages nfs-utils-1.0.6-93.EL4 (errata RHSA-2009:0955 for RHEL 4) and nfs-utils-1.0.9-33.el5 (errata RHBA-2008:0408 for RHEL 5) and later.
Note - protocols: Mount requests without the specific options for tcp will default to udp.
On RHEL 6 and later mount.nfs defaults to TCP, so this mainly matters for older clients and for explicit proto=udp mounts; the rules below open both protocols for each port.
After these configuration changes, you can view the port assignments with the command rpcinfo -p <hostname>:
Once the configuration above is applied, the ports stay fixed:
At this point, the ports will remain the same when NFS is restarted. The following is a list of ports which need to be opened on the firewall (taken from the configuration above): TCP and UDP 111 (rpcbind/portmap), TCP and UDP 2049 (nfs), TCP and UDP 875 (rquotad), TCP 32803 and UDP 32769 (lockd), TCP and UDP 892 (mountd), TCP and UDP 662 (statd).
Setting the firewall rules:
You can now open these ports on the firewall to allow remote clients to mount a share on the server. If you are using iptables, the following commands can be used to add inbound/outbound rules to allow access to these ports. Note that this is only an example, as your specific firewall rules may differ:
If your firewall also restricts outgoing traffic, the following can be used to restrict the ports:
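An added example of the rule set the article describes but whose commands did not survive on this page (this is not the Red Hat article's own script or the original post's): it reads the fixed ports from an /etc/sysconfig/nfs-style text, prints the iptables rules that admit one client network to the NFSv3 ports, and audits `rpcinfo -p` output for any RPC service still registered on a port outside that list. The sysconfig content, the client address 192.168.42.42/32 and the rpcinfo output are constructed samples; the rpcinfo sample deliberately shows rpc.statd on random ports, the symptom the lockd/statd notes above warn about.

```shell
#!/bin/bash
# Added example: NFSv3 fixed ports -> iptables allow-list -> rpcinfo audit.
# SYSCONFIG_NFS_SAMPLE and RPCINFO_SAMPLE are constructed, not taken from a live host.

SYSCONFIG_NFS_SAMPLE='# Port rquotad should listen on.
RQUOTAD_PORT=875
# TCP port rpc.lockd should listen on.
LOCKD_TCPPORT=32803
# UDP port rpc.lockd should listen on.
LOCKD_UDPPORT=32769
# Port rpc.mountd should listen on.
MOUNTD_PORT=892
# Port rpc.statd should listen on.
STATD_PORT=662
#STATD_OUTGOING_PORT=2020'

# sysconfig_get VAR CONTENT -> value of VAR; commented-out assignments yield nothing
sysconfig_get() {
    printf '%s\n' "$2" | sed -n "s/^[[:space:]]*$1=[[:space:]]*\([0-9]*\).*/\1/p" | head -n 1
}

# nfsv3_ports CONTENT -> "proto port service" lines, one per socket a v3 client may contact.
# rpcbind (111) and nfsd (2049) are well-known and are not set in /etc/sysconfig/nfs.
# Service names follow rpcinfo's naming (statd registers as "status", lockd as "nlockmgr").
nfsv3_ports() {
    local cfg=$1
    printf 'tcp 111 rpcbind\nudp 111 rpcbind\ntcp 2049 nfs\nudp 2049 nfs\n'
    for spec in "RQUOTAD_PORT rquotad" "MOUNTD_PORT mountd" "STATD_PORT status"; do
        set -- $spec
        local port
        port=$(sysconfig_get "$1" "$cfg")
        printf 'tcp %s %s\nudp %s %s\n' "$port" "$2" "$port" "$2"
    done
    printf 'tcp %s nlockmgr\nudp %s nlockmgr\n' \
        "$(sysconfig_get LOCKD_TCPPORT "$cfg")" "$(sysconfig_get LOCKD_UDPPORT "$cfg")"
}

# iptables_rules CONTENT CLIENT_CIDR -> iptables commands admitting only CLIENT_CIDR to those ports
iptables_rules() {
    local cfg=$1 src=$2
    printf 'iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n'
    nfsv3_ports "$cfg" | while read -r proto port service; do
        printf 'iptables -A INPUT -s %s -p %s --dport %s -m state --state NEW -j ACCEPT  # %s\n' \
            "$src" "$proto" "$port" "$service"
    done
}

# Constructed `rpcinfo -p` output: everything is fixed except rpc.statd, which is still on
# random ports (a missed nfslock restart, or the old nfs-utils bug the article mentions).
RPCINFO_SAMPLE='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100011    1   udp    875  rquotad
    100011    1   tcp    875  rquotad
    100005    3   udp    892  mountd
    100005    3   tcp    892  mountd
    100003    3   tcp   2049  nfs
    100003    3   udp   2049  nfs
    100021    4   udp  32769  nlockmgr
    100021    4   tcp  32803  nlockmgr
    100024    1   udp  48231  status
    100024    1   tcp  40977  status'

# check_rpcinfo CONTENT RPCINFO_OUTPUT -> prints "proto port service" for each registered
# socket missing from the allow-list; returns 1 if any were found, 0 if the list is complete
check_rpcinfo() {
    local cfg=$1 rpcinfo=$2 bad=0 allow
    allow=$(nfsv3_ports "$cfg" | awk '{ print $1 ":" $2 }')
    while read -r prog vers proto port service; do
        case $prog in program|'') continue ;; esac
        if ! printf '%s\n' "$allow" | grep -qx "$proto:$port"; then
            printf '%s %s %s\n' "$proto" "$port" "$service"
            bad=1
        fi
    done <<EOF
$rpcinfo
EOF
    return $bad
}

# Stand-alone run: print the rules, then audit the sample rpcinfo output.
iptables_rules "$SYSCONFIG_NFS_SAMPLE" 192.168.42.42/32
check_rpcinfo "$SYSCONFIG_NFS_SAMPLE" "$RPCINFO_SAMPLE" || echo "WARNING: the services above are not covered by the firewall rules"
```

Run the audit on the real server after `service nfs restart` and `service nfslock restart`: an empty result means every registered RPC socket is covered by the rules, a non-empty one names the daemon that ignored /etc/sysconfig/nfs. Restricting the source to the client network (`-s`) rather than opening the ports to any host is the part most copies of this rule set leave out.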
==========================================================
Red Hat's official statement on NFSv4 firewall policy:
Environment:
Red Hat Enterprise Linux 7
Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 5
NFS version 4
Issues addressed:
How do I configure a system as an NFSv4 server that sits behind a firewall, for NFS clients outside that firewall?
I cannot connect to an NFSv4 server behind a firewall.
How do I provide compatibility so that clients using older NFS versions can connect?
Requirements:
From a low-numbered (less than 1024) TCP port on the NFS client, to TCP 2049 on the NFS server
From TCP 2049 on the NFS server, to the low-numbered (less than 1024) TCP port on the NFS client
The port specification for the NFS server's iptables rules (with connection tracking) is:
The port specification for the NFS server's iptables rules (without connection tracking) is:
On client callbacks:
NFS v4 can sometimes improve performance using delegations. For delegations to work, the NFS Server needs to be able to make callbacks to the NFS Client.
Setting up client callbacks:
First, set the NFS4 client callback port to a specific port. Second, set this port to be allowed through firewalls similar to the iptables example above. For example, assuming the NFS4 callback port is set to 60000, on RHEL7 firewalld use the following command:
When callbacks are not possible:
Note: If the NFS Server cannot make callbacks to the NFS Client, then delegations are simply not used and NFS operation continues transparently.
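The NFSv4 rule sets the article refers to (with and without connection tracking) and the client-side callback setup, as one added example that is not the article's or the original post's own code. Addresses are taken from the test table above and the callback port 60000 from the article's example; which of them you use is an assumption. The functions print the commands rather than executing them, so the block can be run anywhere, and a small rule-matching helper shows why the stateless variant breaks for clients that mount from an unprivileged source port (exports with the `insecure` option).

```shell
#!/bin/bash
# Added example: NFSv4 server rules with/without conntrack and NFSv4.0 callback setup.
# NFS_SERVER, NFS_CLIENT and CALLBACK_PORT are assumptions from this page, not live values.

NFS_SERVER=192.168.42.43
NFS_CLIENT=192.168.42.42
CALLBACK_PORT=60000

# Server side, with connection tracking: one rule for the initial connection to 2049 is
# enough; the reply packets ride on the ESTABLISHED,RELATED rule.
nfsv4_server_rules_conntrack() {
    local client=$1
    cat <<EOF
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s $client -p tcp --dport 2049 -m state --state NEW -j ACCEPT
EOF
}

# Server side, without connection tracking: both directions must be allowed explicitly, and
# the client's end of the connection is pinned to a privileged port, which the default
# "secure" export option already requires of clients.
nfsv4_server_rules_stateless() {
    local client=$1
    cat <<EOF
iptables -A INPUT  -s $client -p tcp --sport 1:1023 --dport 2049 -j ACCEPT
iptables -A OUTPUT -d $client -p tcp --sport 2049 --dport 1:1023 -j ACCEPT
EOF
}

# Client side, NFSv4.0 only: pin the callback port before the first v4 mount (the callback
# server is started on first use), then let the server reach it. Both an iptables rule and
# the RHEL 7 firewalld equivalent are printed; use whichever firewall the client runs.
nfsv4_client_callback_rules() {
    local server=$1 port=$2
    cat <<EOF
sysctl -w fs.nfs.nfs_callback_tcpport=$port
iptables -A INPUT -s $server -p tcp --dport $port -j ACCEPT
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="$server" port port="$port" protocol="tcp" accept'
firewall-cmd --reload
EOF
}

# nfsv4_stateless_allows in|out PEER SPORT DPORT -> 0 if the stateless server rules above
# match the packet, 1 otherwise. "in" is client->server, "out" is server->client.
nfsv4_stateless_allows() {
    local dir=$1 peer=$2 sport=$3 dport=$4
    [ "$peer" = "$NFS_CLIENT" ] || return 1
    case $dir in
        in)  [ "$sport" -ge 1 ] && [ "$sport" -le 1023 ] && [ "$dport" -eq 2049 ] ;;
        out) [ "$sport" -eq 2049 ] && [ "$dport" -ge 1 ] && [ "$dport" -le 1023 ] ;;
        *)   return 1 ;;
    esac
}

# Stand-alone run: print the three rule sets.
nfsv4_server_rules_conntrack "$NFS_CLIENT"
nfsv4_server_rules_stateless "$NFS_CLIENT"
nfsv4_client_callback_rules "$NFS_SERVER" "$CALLBACK_PORT"
```

The callback rules belong on the client, not the server; the server's own firewall never has to admit anything beyond 2049 for a pure NFSv4 deployment. If the export is marked `insecure`, drop the `--sport 1:1023` / `--dport 1:1023` qualifiers from the stateless variant or the mount will be silently blocked, which is exactly what the matching helper demonstrates for a source port of 40000. NFSv4.1 and later multiplex callbacks over the client's existing connection, so the callback port setup is only needed for v4.0 clients.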