
Each line in the file specifies one remote mount point. The general syntax you must use to create an NFS share in /etc/exports is:

/PATH/TO/DIR HOST(OPTIONS)

The first field contains the mount-point directory path, followed optionally by a list of specific hosts, each with its own list of options in parentheses, separated by white space. If no specific hosts are specified, the mount point is exported to all hosts. There must be no space between a host and its opening parenthesis: with a space, the host gets the default options and the options in parentheses are applied to every host, and exportfs warns about it.

Now we don't get any warning. Verify the existing share:

# exportfs -v
/dump/backups 10.43.138.2(sync,wdelay,hide,no_subtree_check,sec=sys,ro,secure,root_squash,no_all_squash)

The options exportfs prints beyond the ones written in the file are the defaults: ro (read-only), root_squash (the remote root user is mapped to the anonymous user) and secure (requests must come from a source port below 1024).

To export an NFS share to the whole world (a dangerous thing to do in production, but that is exactly what this means), we use "*" as the host, which enables NFS access to the share from any network that can reach your NFS server:

# cat /etc/exports

Here we have added no restriction in the exports file on which hosts may access the NFS share.

Now, instead of a single host, we will create an exportfs share to be accessed by all hosts in a network IP range, i.e. a network address with a prefix length:

# cat /etc/exports

Alternatively, if you don't have a prefix length, you can give the netmask of the subnet instead (for example 10.43.138.0/255.255.255.224).

To export a share to multiple hosts across different network ranges you must create an individual entry for each host. In this example I am exporting the same path to multiple hosts across different networks. You can also add them on a single line, but to keep the file readable I am using separate entries for the same share. To add them all on a single line, the syntax would be:

/PATH/TO/DIR HOST1(OPTIONS) HOST2(OPTIONS) HOST3(OPTIONS)

We can restrict a share in /etc/exports itself by listing only those hosts that should be allowed to access it. But sometimes you have put an entire network in the allow list of /etc/exports, for example

/dump/backups 10.43.138.0/255.255.255.224(sync)

and you want to deny the share to a single host inside that network, 10.43.138.2. An exports entry can only allow, not exclude, so this has to be done elsewhere.

With NFSv3 we can use /etc/hosts.deny to restrict such hosts, writing an access rule for rpcbind, mountd, nfsd, statd, lockd or rquotad. The same is not possible with NFSv4, which no longer uses these daemons (an NFSv4 client talks only to nfsd on port 2049). This also depends on rpcbind and nfs-utils having been built with TCP wrappers support, which newer distributions have dropped.

To restrict the host with NFSv3 we add the entry below for 10.43.138.2 (note that > replaces any existing contents of the file; use >> to append):

# echo "rpcbind: 10.43.138.2" > /etc/hosts.deny

Now if you try to access the NFS share from this host:

# mount -o nfsvers=3 10.43.138.1:/dump/backups /mnt
mount.nfs: access denied by server while mounting 10.43.138.1:/dump/backups

But if I try to access the same share using NFSv4, the mount is not blocked:

# mount -o nfsvers=4 10.43.138.1:/dump/backups /mnt

To overcome this you can rely on the firewall to block the respective host from accessing your NFS server.

4.1 Restrict NFS shares using iptables

# iptables -I INPUT -s 10.43.138.2 -p tcp --dport nfs -j DROP
# iptables -I INPUT -s 10.43.138.2 -p udp --dport nfs -j DROP

The service name nfs resolves through /etc/services to port 2049, which is all an NFSv4 client uses. An NFSv3 client also contacts rpcbind (port 111) and mountd, so block those as well if the host must be kept off NFSv3 too.

4.2 Restrict NFS shares using firewalld rich rules

# firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='10.10.10.4' service name='nfs' reject"
# firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='10.10.10.4' service name='mountd' reject"

Rules added with --permanent take effect after firewall-cmd --reload.

Wildcards in /etc/exports also give us finer control over the hosts we wish to allow access to the NFS share, which we will learn next.

Machine names may contain the wildcard characters * and ?, or may contain character class lists in square brackets. This can be used to make the exports file more compact. We can use the ? wildcard to match a single character in the hostname; for example, to match server1, server2, serverA and serverX we can use:

/dump/backups server?(sync)

If you wish to match more than one character you can use ? more than once, or * for any number of characters. With wildcards you must make sure that the client's IP address resolves back to the hostname you are matching, either through /etc/hosts or through the DNS server, because the server matches the pattern against the name obtained by reverse lookup of the client's address. Wildcards should not be used with IP addresses; it is possible for them to work accidentally if the reverse DNS lookup fails, but that is not something to rely on.
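As an added example (not code from the original tutorial), the following Python script parses /etc/exports entries written in the syntax above, reports which client specifiers cover a given client, and flags the risky patterns discussed on this page: the world export "*", options detached from a host by a space, no_root_squash, the insecure option, and rw granted to a hostname wildcard that depends on reverse DNS. The sample exports content, host names and addresses are constructed for the example. matching_entries also shows why an entry for a whole network admits every host inside it and cannot exclude just one, which is what hosts.deny (NFSv3) or a firewall rule is for.

```python
"""Audit /etc/exports entries: parse them, match a client against them and
flag risky patterns. Added example; the sample file content is constructed."""
import fnmatch
import ipaddress
import shlex

# Constructed sample /etc/exports: single host, network by prefix, network by
# netmask, a world export, a hostname wildcard, and a host/options typo.
SAMPLE_EXPORTS = """\
# constructed sample, not a real server's file
/dump/backups   10.43.138.2(sync,ro,root_squash)
/dump/backups   10.43.138.0/27(sync,rw)
/dump/backups   192.168.0.0/255.255.255.0(sync,ro)
/srv/public     *(ro,sync)
/srv/builds     server?(rw,no_root_squash)
/srv/oops       10.43.138.2 (rw)
"""


def parse_exports(text):
    """Return [(path, [(client, [option, ...]), ...]), ...].

    A line is '/path client(opts) client2(opts)'. A token that is only
    '(opts)' has no client in front of it (the space-before-parenthesis
    mistake): exportfs then applies those options to every host.
    """
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments and blank lines
        if not line:
            continue
        fields = shlex.split(line)              # allows quoted paths with spaces
        path, specs = fields[0], fields[1:]
        clients = []
        for spec in specs:
            client, paren, opts = spec.partition("(")
            options = [o for o in opts.rstrip(")").split(",") if o] if paren else []
            clients.append((client, options))
        if not specs:
            clients.append(("", []))            # no client given: exported to all
        exports.append((path, clients))
    return exports


def client_matches(client, ip, hostname=None):
    """Does one client specifier cover a client with this IP / reverse name?

    '' and '*' cover everyone; 'a.b.c.d/N' or 'a.b.c.d/netmask' is a network;
    a spec containing * ? or [ is a hostname wildcard and is compared with the
    reverse-DNS name only, never with the address (hence the caveat that
    wildcards are not for IP addresses); anything else is an exact host.
    """
    if client in ("", "*"):
        return True
    if client.startswith("@"):                  # netgroup: needs NIS, not resolved here
        return False
    if "/" in client:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(client, strict=False)
    if any(c in client for c in "*?["):
        return hostname is not None and fnmatch.fnmatchcase(hostname, client)
    try:
        return ipaddress.ip_address(client) == ipaddress.ip_address(ip)
    except ValueError:                          # not an address: a plain hostname
        return hostname is not None and client.lower() == hostname.lower()


def matching_entries(text, path, ip, hostname=None):
    """All (client, options) entries for path that cover this client.

    An empty list means /etc/exports alone denies the client. A non-empty list
    means exports alone cannot keep it out: an entry for a whole network also
    admits every host inside it, which is where hosts.deny (NFSv3 only) or a
    firewall rule has to take over.
    """
    return [(client, options)
            for p, clients in parse_exports(text) if p == path
            for client, options in clients
            if client_matches(client, ip, hostname)]


def audit(text):
    """Return (path, client, finding) tuples for the risky patterns."""
    findings = []
    for path, clients in parse_exports(text):
        for client, options in clients:
            shown = client or "(none)"
            if client == "" and options:
                findings.append((path, shown, "space before '(': options apply to every host"))
            elif client in ("", "*"):
                findings.append((path, shown, "exported to every host"))
            if "no_root_squash" in options:
                findings.append((path, shown, "remote root keeps uid 0 on the server"))
            if "insecure" in options:
                findings.append((path, shown, "requests accepted from ports above 1023"))
            if "rw" in options and any(c in client for c in "*?["):
                findings.append((path, shown, "rw to a wildcard: access hinges on reverse DNS"))
    return findings


if __name__ == "__main__":
    for path, client, finding in audit(SAMPLE_EXPORTS):
        print(f"{path:<14} {client:<14} {finding}")
    # Inside the allowed /27 the host is admitted by two entries; just outside it, by none.
    print(matching_entries(SAMPLE_EXPORTS, "/dump/backups", "10.43.138.2"))
    print(matching_entries(SAMPLE_EXPORTS, "/dump/backups", "10.43.138.40"))
```

Run it against a real file with `audit(open("/etc/exports").read())`. The wildcard match deliberately takes the reverse-lookup name as a parameter instead of resolving it, so the script runs offline and makes explicit what the server actually compares a wildcard against.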
