Hello, I have an NFSv3 server that allows mounts from unprivileged ports, and a SL6 NFS client with untrusted users (but root is trusted). I want to prevent users from mounting the NFS share from an unprivileged port.
My hope was that I could put iptables rules on the SL6 NFS client:

    -A OUTPUT -p tcp -d nfs.ser.ver.ip --dport 2049 --sport 1025:65534 -j DROP
    -A OUTPUT -p udp -d nfs.ser.ver.ip --dport 2049 --sport 1025:65534 -j DROP

I ran wireshark while mounting the nfs share with the resvport option. The initial connection to the nfs server port 2049 is on a privileged port, but eventually there is an attempt to connect to the nfs port from an unprivileged port. With the above rules in place, mounting does not succeed. Is there a way to specify a range of source ports for the nfs client?

I also tried blocking non-root access, but this also prevented mounting.

    -A OUTPUT -p tcp -d nfs.ser.ver.ip --dport 2049 -m owner ! --uid-owner root -j DROP
    -A OUTPUT -p udp -d nfs.ser.ver.ip --dport 2049 -m owner ! --uid-owner root -j DROP

Is there a well-known user other than root that also needs access to 2049?

Thanks,
Elijah

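An added example, not part of the original post: before dropping outbound NFS traffic, a client administrator would usually put a LOG rule in front of the DROP rules so the connection that fails the source-port check can be identified. The script below parses such kernel log lines and reports every flow to the server's port 2049 that was not sent from a privileged port. The log lines, the server address 10.0.0.10 and the "NFS-OUT:" log prefix are constructed for the example; it treats every port above 1023 as unprivileged, which is the standard reserved-port boundary and slightly wider than the 1025:65534 range in the post.

```python
import re
from ipaddress import ip_address

# Constructed iptables LOG output (not from the original post). It assumes a
# hypothetical rule such as
#   -A OUTPUT -p tcp -d 10.0.0.10 --dport 2049 -j LOG --log-prefix "NFS-OUT: "
# placed before the DROP rules on the NFS client.
SAMPLE_LOG = """\
Mar  3 10:01:02 client kernel: NFS-OUT: IN= OUT=eth0 SRC=10.0.0.5 DST=10.0.0.10 LEN=60 PROTO=TCP SPT=917 DPT=2049 SYN
Mar  3 10:01:02 client kernel: NFS-OUT: IN= OUT=eth0 SRC=10.0.0.5 DST=10.0.0.10 LEN=60 PROTO=TCP SPT=41873 DPT=2049 SYN
Mar  3 10:01:03 client kernel: NFS-OUT: IN= OUT=eth0 SRC=10.0.0.5 DST=10.0.0.10 LEN=48 PROTO=UDP SPT=58210 DPT=111
Mar  3 10:01:03 client kernel: NFS-OUT: IN= OUT=eth0 SRC=10.0.0.5 DST=10.0.0.10 LEN=60 PROTO=TCP SPT=65535 DPT=2049 SYN
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")
PRIVILEGED_MAX = 1023  # binding a port <= 1023 requires root; everything above is unprivileged


def parse_log_line(line):
    """Return the KEY=VALUE fields of one iptables LOG line as a dict.

    Lines that are not iptables LOG records (no PROTO= field) yield an empty dict.
    """
    if "PROTO=" not in line:
        return {}
    return dict(FIELD_RE.findall(line))


def unprivileged_nfs_flows(log_text, server_ip, nfs_port=2049):
    """List (protocol, source port) of flows to server_ip:nfs_port sent from an unprivileged port.

    Only TCP and UDP records aimed at the NFS port are considered; traffic to other
    services on the server (e.g. portmapper on 111) is ignored.
    """
    server = str(ip_address(server_ip))  # normalises and validates the address
    hits = []
    for line in log_text.splitlines():
        fields = parse_log_line(line)
        if not fields or fields.get("DST") != server:
            continue
        if fields.get("PROTO") not in ("TCP", "UDP"):
            continue
        if int(fields.get("DPT", 0)) != nfs_port:
            continue
        sport = int(fields["SPT"])
        if sport > PRIVILEGED_MAX:
            hits.append((fields["PROTO"], sport))
    return hits


if __name__ == "__main__":
    for proto, sport in unprivileged_nfs_flows(SAMPLE_LOG, "10.0.0.10"):
        print(f"unprivileged {proto} source port {sport} towards NFS")
```

Run against the real /var/log/messages of the client, the flagged source ports show which of the mount's connections would be hit by the DROP rules and whether a fixed source-port range is feasible.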