How to Export an NFSv4 Server to External Networks

We previously discussed fixing the ports used by NFSv3 so that it can be easily exported to external networks. For NFSv4.1 or higher, things are much easier. The ports for mountd, statd, and lockd are not required in a pure NFSv4 environment, so we have fewer ports to control or allow for connections. Only ports 111 and 2049 need to be taken care of for NFSv4. In this post, we will discuss how to export NFSv4 to external networks.

In this tutorial’s example, we assume

  • the external network is 192.168.0.0/16
  • the gateway’s external network IP is 192.168.1.100
  • the NFS server’s private/internal IP is 10.2.2.2

If you are running on a different network configuration, please replace these IPs in the following commands with your IPs.

The steps to export an NFSv4 server are as follows.

Set up port forwarding on the gateway

On the gateway, run

# iptables -t nat -A PREROUTING -d 192.168.1.100/32 -p tcp -m tcp --dport 2049 -j DNAT --to-destination 10.2.2.2:2049
# iptables -t nat -A PREROUTING -d 192.168.1.100/32 -p udp -m udp --dport 2049 -j DNAT --to-destination 10.2.2.2:2049
# iptables -t nat -A PREROUTING -d 192.168.1.100/32 -p tcp -m tcp --dport 111 -j DNAT --to-destination 10.2.2.2:111
# iptables -t nat -A PREROUTING -d 192.168.1.100/32 -p udp -m udp --dport 111 -j DNAT --to-destination 10.2.2.2:111

to forward ports 2049 and 111 to the NFS server.

Note: these rules are in memory only. Once you have tested that they work, remember to save the iptables rules using your gateway host's iptables management mechanism.

Allow external network IPs in the NFSv4 server

On the NFSv4 server:

Add this line (exactly the same; exports requirement is strict)

/nfs/data 192.168.0.0/16(rw,no_root_squash)

to /etc/exports

and then run

# exportfs -a

to make it take effect.

You can check the exported FS by running exportfs. It should show something like

/nfs/data       10.2.0.0/16
/nfs/data       192.168.0.0/16
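Because the exports syntax is strict, it helps to audit the file before running exportfs -a. The following is an added example, not code from the original post: it parses exports-style text and reports an options group separated from its client by a space (which then applies to every host) and no_root_squash granted to more than one address, since that option lets remote root act as root on the export. The names parse_exports, audit and max_hosts, and every sample line other than the post's own entry, are assumptions; paths are assumed to contain no spaces and lines no continuations.

```python
import ipaddress
import re

SAMPLE_EXPORTS = """\
# constructed sample; the first entry is the line from this post
/nfs/data 192.168.0.0/16(rw,no_root_squash)
/nfs/data 10.2.0.0/16(rw)
/nfs/typo 192.168.0.0/16 (rw,no_root_squash)
/nfs/host 192.168.1.50(rw,no_root_squash)
"""

CLIENT_RE = re.compile(r"^(?P<host>[^()]*)(?:\((?P<opts>[^()]*)\))?$")


def parse_exports(text):
    """Yield (path, host, options) for each client spec; host '' means any host."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs:
            m = CLIENT_RE.match(spec)
            if m is None:
                raise ValueError(f"cannot parse client spec {spec!r}")
            opts = m.group("opts")
            yield path, m.group("host"), set(opts.split(",")) if opts else set()


def audit(text, max_hosts=1):
    """Return findings for world-wide specs and no_root_squash on multi-host clients."""
    findings = []
    for path, host, opts in parse_exports(text):
        if host in ("", "*"):
            findings.append((path, host, "options apply to every host"))
            continue
        if "no_root_squash" in opts:
            try:
                size = ipaddress.ip_network(host, strict=False).num_addresses
            except ValueError:
                size = None  # hostname, wildcard or netgroup: size unknown
            if size is None or size > max_hosts:
                findings.append((path, host, "no_root_squash on more than one host"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORTS):
        print(*finding, sep="\t")
```

On the constructed sample this reports the post's /16 entry for no_root_squash and the /nfs/typo line for its stray space; the single-host entry passes.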

Mount the NFS

Then, on another node in the external network, you can mount /nfs/data with

# mount 192.168.1.100:/nfs/data /nfs

Then you can use the NFS exported from the private network. Enjoy!

Eric Ma

Eric is a systems guy. Eric is interested in building high-performance and scalable distributed systems and related technologies. The views or opinions expressed here are solely Eric's own and do not necessarily represent those of any third parties.

3 comments:

  1. What about routing?
    The source-address remains the same, so the routing table of the internal nfs-server is important – isn’t it?
    Are there any additional routing configurations at the gateway?
    Regards
    Markus

    1. In the environment where this works, as stated at the beginning, the ‘gateway’ should already have been configured as a gateway, including its routing rules, iptables rules, network cables/interfaces, etc. This post does not cover that part of configuring a gateway.

  2. Solved it with an SNAT entry in POSTROUTING. Works, but kind of slow. Need to analyze if it's the iptables part or the load or the network.

    Thanks
    Markus
