We previously discussed fixing the ports used by NFSv3 so that it can be easily exported to external networks. For NFSv4.1 or higher, things are much easier. The ports for lockd are not required in a pure NFSv4 environment, so we have fewer ports to control or allow for connections. Only ports 111 and 2049 need to be taken care of for NFSv4. In this post, we will discuss how to export NFSv4 to external networks.
In this tutorial’s example, we assume
- the external network is 192.168.0.0/16
- the gateway’s external network IP is 192.168.1.100
- the NFS server’s private/internal IP is 10.2.2.2
If you are running a different network configuration, replace these IPs in the following commands with your IPs.
The steps to export NFSv4 are as follows.
Set up port forwarding on the gateway
On the gateway, run
# iptables -t nat -A PREROUTING -d 192.168.1.100/32 -p tcp -m tcp --dport 2049 -j DNAT --to-destination 10.2.2.2:2049
# iptables -t nat -A PREROUTING -d 192.168.1.100/32 -p udp -m udp --dport 2049 -j DNAT --to-destination 10.2.2.2:2049
# iptables -t nat -A PREROUTING -d 192.168.1.100/32 -p tcp -m tcp --dport 111 -j DNAT --to-destination 10.2.2.2:111
# iptables -t nat -A PREROUTING -d 192.168.1.100/32 -p udp -m udp --dport 111 -j DNAT --to-destination 10.2.2.2:111
to export ports 2049 and 111.
Note: the rules are in memory only. Once they are tested and working, remember to save the iptables rules using your gateway host’s iptables management method.
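The DNAT rules above match only on destination address and port; they carry no `-s` source match. The following check is an added example, not part of the original post: it reads `iptables-save` output and reports, for each PREROUTING DNAT rule on port 111 or 2049, whether it is limited to the expected external network. The function names and the sample rule set are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: audit nat-table rules for the NFS port forwards in this tutorial.
# Real use on the gateway:  iptables-save -t nat | audit_nfs_dnat 192.168.0.0/16

# Reads iptables-save text on stdin; $1 is the network expected in "-s".
# Prints one line per PREROUTING DNAT rule for port 111 or 2049:
#   OPEN   = no source match, any address reaching the gateway IP is forwarded
#   OK     = source match equals the expected network
#   REVIEW = some other (or negated) source match
audit_nfs_dnat() {
  awk -v allowed="$1" '
    $1 == "-A" && $2 == "PREROUTING" {
      src = dport = jump = dest = proto = ""
      for (i = 3; i <= NF; i++) {
        if ($i == "-s") src = (($(i-1) == "!") ? "!" : "") $(i+1)
        else if ($i == "-p") proto = $(i+1)
        else if ($i == "--dport") dport = $(i+1)
        else if ($i == "-j") jump = $(i+1)
        else if ($i == "--to-destination") dest = $(i+1)
      }
      # Only DNAT rules for the two NFS-related ports are of interest here.
      if (jump != "DNAT" || (dport != "111" && dport != "2049")) next
      if (src == "") status = "OPEN"
      else if (src == allowed) status = "OK"
      else status = "REVIEW"
      printf "%s %s/%s -> %s src=%s\n", status, proto, dport, dest, (src == "" ? "any" : src)
    }'
}

# Constructed sample in iptables-save format (10.2.2.3 and port 8080 are made up).
sample_rules() {
  cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -d 192.168.1.100/32 -p tcp -m tcp --dport 2049 -j DNAT --to-destination 10.2.2.2:2049
-A PREROUTING -d 192.168.1.100/32 -p udp -m udp --dport 111 -j DNAT --to-destination 10.2.2.2:111
-A PREROUTING -s 192.168.0.0/16 -d 192.168.1.100/32 -p tcp -m tcp --dport 111 -j DNAT --to-destination 10.2.2.2:111
-A PREROUTING -d 192.168.1.100/32 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 10.2.2.3:80
COMMIT
EOF
}

sample_rules | audit_nfs_dnat 192.168.0.0/16
```

Rules written with `-m multiport --dports` are not parsed by this check and need to be reviewed by hand.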
Allow external network IPs in the NFSv4 server
On the NFSv4 server:
Add this line (exactly the same; exports requirement is strict)
and then run
# exportfs -a
to make it take effect
You can check the exported FS by running exportfs. It should show something like
/nfs/data 10.2.0.0/16
/nfs/data 192.168.0.0/16
Mount the NFS
Then, on another node in the external network, you can mount /nfs/data with
# mount 192.168.1.100:/nfs/data /nfs
Then you can use the NFS exported from the private network. Enjoy!