NFS setup problem on the client, causing timeouts and refused connections
[root@host9 ~]# mount 192.168.0.17:/home/export /mnt/export
mount: mount to NFS server '192.168.0.17' failed: timed out (retrying).
mount: mount to NFS server '192.168.0.17' failed: timed out (retrying).
mount: mount to NFS server '192.168.0.17' failed: timed out (retrying).
mount: mount to NFS server '192.168.0.17' failed: timed out (retrying).
Here are the settings I am using:
[root@host17 /home/export]# cat /etc/hosts.allow
#
# hosts.allow This file contains access rules which are used to
# allow or deny connections to network services that
# either use the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
#
portmap: 192.168.0.0/255.255.255.0
lockd: 192.168.0.0/255.255.255.0
rquotad: 192.168.0.0/255.255.255.0
mountd: 192.168.0.0/255.255.255.0
statd: 192.168.0.0/255.255.255.0
[root@host17 /home/export]# cat /etc/hosts.deny
#
# hosts.deny This file contains access rules which are used to
# deny connections to network services that either use
# the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# The rules in this file can also be set up in
# /etc/hosts.allow with a 'deny' option instead.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
#
portmap:ALL
lockd:ALL
mountd:ALL
rquotad:ALL
statd:ALL
[root@host17 /home/export]# cat /etc/exports
/home/export 192.168.0.0/255.255.255.0(rw)
[root@host17 /home/export]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT esp -- anywhere anywhere
ACCEPT ah -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:6379
ACCEPT udp -- 192.168.0.0/24 anywhere state NEW udp dpt:sunrpc
ACCEPT tcp -- 192.168.0.0/24 anywhere state NEW tcp dpt:sunrpc
ACCEPT tcp -- 192.168.0.0/24 anywhere state NEW tcp dpt:nfs
ACCEPT tcp -- 192.168.0.0/24 anywhere state NEW tcp dpt:32803
ACCEPT udp -- 192.168.0.0/24 anywhere state NEW udp dpt:filenet-rpc
ACCEPT tcp -- 192.168.0.0/24 anywhere state NEW tcp dpt:892
ACCEPT udp -- 192.168.0.0/24 anywhere state NEW udp dpt:892
ACCEPT tcp -- 192.168.0.0/24 anywhere state NEW tcp dpt:rquotad
ACCEPT udp -- 192.168.0.0/24 anywhere state NEW udp dpt:rquotad
ACCEPT tcp -- 192.168.0.0/24 anywhere state NEW tcp dpt:pftp
ACCEPT udp -- 192.168.0.0/24 anywhere state NEW udp dpt:pftp
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
On the client, here is some rpcinfo output:
[root@host9 ~]# rpcinfo -p 192.168.0.17
program vers proto port
100000 4 tcp 111 portmapper
100000 3 tcp 111 portmapper
100000 2 tcp 111 portmapper
100000 4 udp 111 portmapper
100000 3 udp 111 portmapper
100000 2 udp 111 portmapper
100011 1 udp 875 rquotad
100011 2 udp 875 rquotad
100011 1 tcp 875 rquotad
100011 2 tcp 875 rquotad
100005 1 udp 45857 mountd
100005 1 tcp 55772 mountd
100005 2 udp 34021 mountd
100005 2 tcp 59542 mountd
100005 3 udp 60930 mountd
100005 3 tcp 53086 mountd
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100003 4 udp 2049 nfs
100227 2 udp 2049 nfs_acl
100227 3 udp 2049 nfs_acl
100003 2 tcp 2049 nfs
100003 3 tcp 2049 nfs
100003 4 tcp 2049 nfs
100227 2 tcp 2049 nfs_acl
100227 3 tcp 2049 nfs_acl
100021 1 udp 59832 nlockmgr
100021 3 udp 59832 nlockmgr
100021 4 udp 59832 nlockmgr
100021 1 tcp 36140 nlockmgr
100021 3 tcp 36140 nlockmgr
100021 4 tcp 36140 nlockmgr
100024 1 udp 46494 status
100024 1 tcp 49672 status
[root@host9 ~]#
[root@host9 ~]# rpcinfo -u 192.168.0.17 nfs
rpcinfo: RPC: Timed out
program 100003 version 0 is not available
[root@host9 ~]# rpcinfo -u 192.168.0.17 portmap
program 100000 version 2 ready and waiting
program 100000 version 3 ready and waiting
program 100000 version 4 ready and waiting
[root@host9 ~]# rpcinfo -u 192.168.0.17 mount
rpcinfo: RPC: Timed out
program 100005 version 0 is not available
[root@host9 ~]#
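I am running CentOS 5.8 on all systems.
Answer 1
The typical problem with NFS and firewalls is that some of the ports used are randomly assigned.
In the file /etc/sysconfig/nfs you can pin the random ports used by the various processes involved in NFS to fixed values. Do this, then make sure those ports are open in your iptables rules.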
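
Added example, not part of the question or the answer above: a check that compares the ports registered with the portmapper (rpcinfo -p) against the ports the firewall accepts, using rows copied from the question. The function names and the SERVICES name-to-port table are assumptions of this example; the table follows a stock /etc/services.

```python
import re
# Constructed sample: a subset of the question's `rpcinfo -p 192.168.0.17` rows.
RPCINFO = """\
program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100011 2 tcp 875 rquotad
100005 3 udp 60930 mountd
100005 3 tcp 53086 mountd
100003 3 udp 2049 nfs
100003 3 tcp 2049 nfs
100021 4 udp 59832 nlockmgr
100021 4 tcp 36140 nlockmgr
100024 1 udp 46494 status
100024 1 tcp 49672 status
"""
# The 192.168.0.0/24 ACCEPT rules from the question's `iptables -L` output.
RULES = """\
ACCEPT udp -- 192.168.0.0/24 anywhere state NEW udp dpt:sunrpc
ACCEPT tcp -- 192.168.0.0/24 anywhere state NEW tcp dpt:sunrpc
ACCEPT tcp -- 192.168.0.0/24 anywhere state NEW tcp dpt:nfs
ACCEPT tcp -- 192.168.0.0/24 anywhere state NEW tcp dpt:32803
ACCEPT udp -- 192.168.0.0/24 anywhere state NEW udp dpt:filenet-rpc
ACCEPT tcp -- 192.168.0.0/24 anywhere state NEW tcp dpt:892
ACCEPT udp -- 192.168.0.0/24 anywhere state NEW udp dpt:892
ACCEPT tcp -- 192.168.0.0/24 anywhere state NEW tcp dpt:rquotad
ACCEPT udp -- 192.168.0.0/24 anywhere state NEW udp dpt:rquotad
ACCEPT tcp -- 192.168.0.0/24 anywhere state NEW tcp dpt:pftp
ACCEPT udp -- 192.168.0.0/24 anywhere state NEW udp dpt:pftp
"""
# Assumption: names resolve as in a stock /etc/services (`iptables -L -n` avoids this step).
SERVICES = {"sunrpc": 111, "nfs": 2049, "rquotad": 875, "pftp": 662, "filenet-rpc": 32769}
def allowed_ports(rules):
    """Return {(proto, port)} for every tcp/udp ACCEPT rule carrying a dpt: match."""
    found = re.findall(r"^ACCEPT\s+(tcp|udp)\s.*\bdpt:(\S+)", rules, re.M)
    return {(p, int(d) if d.isdigit() else SERVICES[d]) for p, d in found}

def blocked_services(rpcinfo, rules):
    """Return sorted (service, proto, port) registered with the portmapper but not accepted."""
    allowed, blocked = allowed_ports(rules), set()
    for line in rpcinfo.splitlines():
        f = line.split()  # program, version, proto, port, service; header row has 4 fields
        if len(f) == 5 and f[3].isdigit() and (f[2], int(f[3])) not in allowed:
            blocked.add((f[4], f[2], int(f[3])))
    return sorted(blocked)

if __name__ == "__main__":
    for name, proto, port in blocked_services(RPCINFO, RULES):
        print(f"{name:10s} {proto}/{port} is registered but not accepted by the firewall")
```

On the question's data this flags mountd, nlockmgr and status on their randomly assigned ports, and also nfs on UDP 2049, which the rules accept only over TCP; that matches the `rpcinfo -u` timeouts for nfs and mount while portmap answers.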