NFS server-side security policy
Background
Environment check
Check the NFS configuration; a client ACL is already configured in /etc/exports:
# cat /etc/exports
/.nfs-fileshare 10.10.88.48/32(rw,async,crossmnt,insecure,fsid=0,no_auth_nlm,no_subtree_check,no_root_squash,no_all_squash)
...
Verifying with showmount confirms that the export list is still disclosed to any host that can reach the RPC ports: the exports ACL only restricts who may mount, not who may query the service.
# showmount -e 10.10.88.49
Export list for 10.10.88.48:
/data/.nfs-fileshare 10.10.88.48/32,...
Remediation configuration
Create a dedicated firewalld zone whose only sources are the NFS clients, and open the NFS, rpc-bind and mountd services in that zone alone. Note that this limits which hosts can reach the service; the export options themselves (no_root_squash, insecure, ...) are left unchanged by these steps.
export zone_name=nfs-access
firewall-cmd --new-zone=${zone_name} --permanent
firewall-cmd --reload
clients=(
10.10.88.48/32
...
)
for client in "${clients[@]}"
do
    firewall-cmd --permanent --zone=${zone_name} --add-source=${client}
done
firewall-cmd --permanent --zone=${zone_name} --add-service=nfs --add-service=rpc-bind --add-service=mountd
firewall-cmd --reload
To remove a node (replace IP地址 with the client's address):
export client=IP地址
firewall-cmd --permanent --zone=${zone_name} --remove-source=${client}
firewall-cmd --reload
View the rules that were created:
export zone_name=nfs-access
firewall-cmd --zone=${zone_name} --list-all
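The zone above is only effective if its source list actually matches the clients named in /etc/exports. The following script is an added example (not part of the original notes) that cross-checks the two: it extracts every client entry from exports text, normalises bare IPv4 hosts to /32, flags the "space before the option parenthesis" mistake that exports a path to every host, and lists which clients are missing from the zone's sources. Both inputs are constructed sample text embedded in the script, so it runs offline; on a real server you would feed it `cat /etc/exports` and `firewall-cmd --zone=nfs-access --list-sources`. The zone name nfs-access is taken from the notes; the extra client addresses and paths in the sample are made up.

```shell
#!/bin/sh
# Added example: reconcile /etc/exports clients with a firewalld zone's sources.

# Constructed sample of /etc/exports (only the first path mirrors the notes).
# The last line deliberately has a space before "(ro)", which exports to everyone.
SAMPLE_EXPORTS='/.nfs-fileshare 10.10.88.48/32(rw,async,no_root_squash) 10.10.88.50/32(ro)
# comment line
/data/other 10.10.99.0/24(ro)
/srv/oops 10.10.88.60 (ro)'

# Constructed sample of `firewall-cmd --zone=nfs-access --list-sources` output.
SAMPLE_ZONE_SOURCES='10.10.88.48/32 10.10.99.0/24'

# Print every client spec in exports text, one per line, sorted and de-duplicated.
# Bare IPv4 hosts get "/32" so they compare equal to firewalld sources;
# a field that is only "(options)" is reported as "*" (exported to all hosts).
exports_clients() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ || NF < 2 { next }
        {
            for (i = 2; i <= NF; i++) {
                f = $i
                if (f ~ /^\(/) { print "*"; continue }
                sub(/\(.*$/, "", f)
                if (f ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) f = f "/32"
                print f
            }
        }' | LC_ALL=C sort -u
}

# Print the exports clients that are not present in the zone's source list.
# $1 = exports text, $2 = zone sources (space- or newline-separated).
missing_from_zone() {
    zone_sources=$(printf '%s' "$2" | tr '\n' ' ')
    exports_clients "$1" | while IFS= read -r client; do
        case " $zone_sources " in
            *" $client "*) ;;                      # already allowed by the zone
            *) printf '%s\n' "$client" ;;
        esac
    done
}

# Emit the firewall-cmd calls that would close the gap (printed, not executed).
# Entries that are not an address or CIDR (wildcards, hostnames, netgroups)
# cannot be expressed as a firewall source and must be fixed in /etc/exports.
reconcile_commands() {
    missing_from_zone "$1" "$2" | while IFS= read -r client; do
        case $client in
            */*) printf 'firewall-cmd --permanent --zone=nfs-access --add-source=%s\n' "$client" ;;
            *)   printf '# cannot express %s as a firewall source; tighten /etc/exports instead\n' "$client" ;;
        esac
    done
}

# Stand-alone run: show the reconciliation plan for the constructed samples.
reconcile_commands "$SAMPLE_EXPORTS" "$SAMPLE_ZONE_SOURCES"
```

Run it as `sh check-nfs-zone.sh`; on a live server replace the two sample variables with command substitutions. A client that appears in the plan as "cannot express" means the exports file, not the firewall, is the place to fix.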
Verification: after the firewall changes, the showmount query is refused at the network layer:
# showmount -e 10.10.88.49
clnt_create: RPC: Unable to receive