- 10 practical examples to export NFS shares in Linux
- 1. Export NFS Share to single host
- 2. Export NFS Share to all hosts
- 3. Export NFS Share to IP Range
- 4. Export NFS share to multiple hosts
- 5. Restrict a NFS share for specified hosts
- 5.1 Restrict NFS shares using iptables
- 5.2 Restrict NFS shares using firewalld rich rules
- 6. How to use wildcard with NFS exports
- 6.1 Using ? with hostnames
- 6.2 Using square brackets with hostnames
- 6.3 Using * with hostnames
- 7. Export NFS Share as Read Only Mode
- 8. Export NFS share as Read Write Mode
- 9. Export a share with NFSv4 only
- 10. Enable root access on the NFS share
- Recommended Read
- Conclusion
10 practical examples to export NFS shares in Linux
The general syntax you must use to create an NFS share in /etc/exports is as follows.
Each line in the file specifies one remote mount point. The first field contains the mount-point directory path, followed optionally by a list of options and/or a list of specific hosts separated by white space. If no specific hosts are specified, the mount point is exported to all hosts.
If you are new to NFS server, I recommend that you first read Overview on NFS and the difference between NFSv2 vs NFSv3 and NFSv4.
1. Export NFS Share to single host
To export /dump/backups to the single client 10.43.138.2 using NFS, I will add the line below to /etc/exports:
# cat /etc/exports
/dump/backups 10.43.138.2
# exportfs -r
exportfs: No options for /dump/backups 10.43.138.2: suggest 10.43.138.2(sync) to avoid warning
Since we have not provided any OPTIONS for the NFS share we get this warning. It will work, but it is recommended to add at least "sync" in the OPTIONS section to avoid this warning.
So I have updated my /etc/exports:
# cat /etc/exports
/dump/backups 10.43.138.2(sync)
Now exportfs -r gives no warning. Verify the existing share:
# exportfs -v
/dump/backups 10.43.138.2(sync,wdelay,hide,no_subtree_check,sec=sys,ro,secure,root_squash,no_all_squash)
2. Export NFS Share to all hosts
To export an NFS share to the whole world (this is a dangerous thing to do in production, but that is exactly what it means), we use "*" to allow NFS access to the share from every network that can reach your NFS server:
# cat /etc/exports
/dump/backups *(sync)
So here we have added no host restriction at all in the exports file for this NFS share.
3. Export NFS Share to IP Range
Now, instead of a single host, we will export the share to all the hosts of a network IP range, i.e. 10.43.138.1/27:
# cat /etc/exports
/dump/backups 10.43.138.2/27(sync)
Alternatively, if you don't have a prefix value, you can provide the netmask of the subnet:
# cat /etc/exports
/dump/backups 10.43.138.2/255.255.255.224(sync)
4. Export NFS share to multiple hosts
To export a share to multiple hosts across different network ranges, you must create an individual entry for each host or network:
# cat /etc/exports
/dump/backups 10.43.138.0/255.255.255.224(sync)
/dump/backups 192.168.0.1/255.255.255.0(sync)
/dump/backups 192.168.100.10(sync)
/dump/backups 10.10.10.0/24(sync)
In this example I am exporting the same path to multiple hosts across different networks.
You can also add them on a single line, but to keep the file content clean I am using separate entries for the same share. To add all of these on a single line, the syntax is:
/PATH/TO/DIR HOST1([OPTIONS]) HOST2([OPTIONS]) HOST3([OPTIONS])
To use single line share for our last example, we can use:
/dump/backups 10.43.138.0/255.255.255.224(sync) 192.168.0.1/255.255.255.0(sync) 192.168.100.10(sync) 10.10.10.0/24(sync)
5. Restrict a NFS share for specified hosts
We can restrict a share in /etc/exports itself by listing only those hosts that should be allowed to access the share. But sometimes you have allowed an entire network in /etc/exports, for example:
/dump/backups 10.43.138.0/255.255.255.224(sync)
and you wish to block only the single host 10.43.138.2. In such a case this can be tricky.
With NFSv3 we can use /etc/hosts.deny to restrict access, defining an access rule for rpcbind, mountd, nfsd, statd, lockd or rquotad, but the same is not possible with NFSv4 because it no longer uses these daemons.
To restrict a host with NFSv3 we add the entry below for 10.43.138.2:
# echo "rpcbind: 10.43.138.2" >> /etc/hosts.deny
Now if you try to access the NFS share from this host:
# mount -o nfsvers=3 10.43.138.1:/dump/backups /mnt
mount.nfs: access denied by server while mounting 10.43.138.1:/dump/backups
But if I try to access the same share using NFSv4:
# mount -o nfsvers=4 10.43.138.1:/dump/backups /mnt
It works. So hosts.deny was unable to block this request.
To overcome this you may rely on the firewall to block the respective host from accessing your NFS server.
5.1 Restrict NFS shares using iptables
# iptables -I INPUT -s 10.43.138.2 -p tcp --dport nfs -j DROP
# iptables -I INPUT -s 10.43.138.2 -p udp --dport nfs -j DROP
5.2 Restrict NFS shares using firewalld rich rules
# firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='10.10.10.4' service name='nfs' reject"
# firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='10.10.10.4' service name='mountd' reject"
# firewall-cmd --reload
However, with wildcards we can have more control over which hosts we allow to access the NFS share, which we will learn next.
6. How to use wildcard with NFS exports
Machine names may contain the wildcard characters * and ?, or may contain character class lists within [square brackets]. This can be used to make the exports file more compact.
Wildcards should not be used with IP addresses; however, it is possible for them to work accidentally if reverse DNS lookups fail. With wildcards you must make sure that the provided hostname resolves to the IP address, either via /etc/hosts or via the DNS server.
6.1 Using ? with hostnames
We can use the ? wildcard to match a single character in the hostname; for example, to match server1, server2, serverA and serverX we can use:
If you wish to match more than one character, you can use ? more than once. For example, to match server12, server23, serverAB and serverXY we can use:
6.2 Using square brackets with hostnames
You can use square brackets to define a range of numbers or characters. The example below matches all machines with a hostname between server00.example.com and server99.example.com:
/dump/backups server86.example.com(sync)
To match server1 through server5 we can use:
To match a range of characters with square brackets, for example serverA through serverE, use:
6.3 Using * with hostnames
As you can guess, * means match everything. So assuming you have multiple subdomains under example.com, you can simply use *.example.com to match all of the sub-domains:
/dump/backups *.example.com(sync)
mail.example.com
cdn.example.com
host.example.com
To match hostnames with two labels in front of example.com, you must use:
/dump/backups *.*.example.com(sync)
So I hope you got the idea.
7. Export NFS Share as Read Only Mode
To export a share with read-only permission:
# cat /etc/exports
/dump/backups 10.43.138.2(ro,sync)
Verify the exported shares and the options:
# exportfs -v
/dump/backups 10.43.138.2(sync,wdelay,hide,no_subtree_check,sec=sys,ro,secure,root_squash,no_all_squash)
8. Export NFS share as Read Write Mode
To export a share with read-write permission use:
# cat /etc/exports
/dump/backups 10.43.138.2(rw,sync)
Refresh and verify the shares and the applied options:
# exportfs -r
# exportfs -v
/dump/backups 10.43.138.2(sync,wdelay,hide,no_subtree_check,sec=sys,rw,secure,root_squash,no_all_squash)
Now let us see what happens when someone creates a file in this share from a client node:
[root@nfs-client ~]# mount -o nfsvers=4 10.43.138.1:/dump/backups /mnt
Create a new file as the root user:
[root@nfs-client ~]# touch /mnt/file
[root@nfs-client ~]# ls -l
total 0
-rw-r----- 1 nfsnobody nfsnobody 0 Aug 20 13:31 file
As you can see, the new file is owned by nfsnobody. By default an NFS share is exported with root_squash, so any file access or modification by the root user on the client is performed as the anonymous account, the so-called nobody user.
If you create a file as a normal user, however, that user is reflected as the owner of the file:
[deepak@nfs-client ~]$ ls -l /mnt/
total 0
-rw-r----- 1 nfsnobody nfsnobody 0 Aug 20 13:31 file
-rw-r----- 1 deepak    users     0 Aug 20 13:36 file1
9. Export a share with NFSv4 only
If you wish to create a share which can be accessed over NFSv4 only, you must modify /etc/nfs.conf:
[root@nfs-server ~]# vim /etc/nfs.conf
[nfsd]
vers2=n
vers3=n
vers4=y
vers4.0=y
vers4.1=y
vers4.2=y
Make sure you disable vers2 and vers3 to allow connections over NFSv4 only.
Optionally, disable listening for the RPCBIND, MOUNT, and NSM protocol calls, which are not necessary in the NFSv4-only case. Disable related services:
[root@nfs-server ~]# systemctl mask --now rpc-statd.service rpcbind.service rpcbind.socket
Created symlink /etc/systemd/system/rpc-statd.service → /dev/null.
Created symlink /etc/systemd/system/rpcbind.service → /dev/null.
Created symlink /etc/systemd/system/rpcbind.socket → /dev/null.
After you configure the NFS server, restart it to activate the changes and enable it to start automatically after a reboot. You can also check its status using systemctl status nfs-server.
[root@nfs-server ~]# systemctl restart nfs-server
[root@nfs-server ~]# systemctl enable nfs-server
Use the netstat utility to list the services listening on TCP and UDP. The following is example netstat output on an NFSv4-only server where listening for RPCBIND, MOUNT and NSM is also disabled; here nfs is the only listening NFS service:
[root@nfs-server ~]# netstat --listening --tcp --udp | grep nfs
tcp        0      0 0.0.0.0:nfs             0.0.0.0:*               LISTEN
tcp6       0      0 [::]:nfs                [::]:*                  LISTEN
Next you can create a share using /etc/exports. We don't need to define any additional options for this here:
/dump/backups 10.43.138.2(rw,sync)
Now this share will be accessible only over NFSv4.
Similarly, you can restrict the NFS share to NFSv3 only, or allow both NFSv3 and NFSv4, using nfs.conf.
10. Enable root access on the NFS share
As mentioned earlier, by default the root_squash option is applied to an NFS share. This option prevents remote root users from having superuser (root) privileges on remote NFS-mounted volumes; here, squash literally means to squash the power of the remote root user.
So to enable root access we use no_root_squash, which allows the root user on the NFS client host to access the NFS-mounted directory with the same rights and privileges that the superuser would normally have.
To disable root squashing we use:
# cat /etc/exports
/dump/backups 10.43.138.2(rw,sync,no_root_squash)
# exportfs -v
/dump/backups 10.43.138.2(sync,wdelay,hide,no_subtree_check,sec=sys,rw,secure,no_root_squash,no_all_squash)
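The sections above on world exports, host restrictions, wildcards and root_squash boil down to a handful of patterns worth checking in /etc/exports before running exportfs -r. The script below is an added example, not part of the original article or of nfs-utils: it parses the exports syntax shown in this article (one-host, multi-host-per-line and option-less entries) and flags those risky patterns over a constructed sample file.

```python
import re

# Constructed sample /etc/exports for this example (not from a real server);
# it mixes the one-host, multi-host-per-line and option-less forms shown above.
SAMPLE_EXPORTS = """\
# backups: single host, world export, multi-host line, wildcards
/dump/backups 10.43.138.2(sync)
/dump/backups *(sync)
/srv/share 10.43.138.0/255.255.255.224(sync) 192.168.100.10(rw,sync,no_root_squash)
/srv/www *.example.com(ro)
/srv/data 10.43.138.?(rw,sync)
/srv/legacy 192.168.0.1
"""

HOST_SPEC = re.compile(r"^([^(]*)(?:\((.*)\))?$")   # HOST or HOST(opt,opt,...)
# IPv4 text containing at least one of ? * [ : a wildcard applied to an address
IP_WITH_WILDCARD = re.compile(r"^[0-9.?*\[\]/-]*[?*\[][0-9.?*\[\]/-]*$")

def parse_exports(text):
    """Return [(path, host, set_of_options), ...] for every host entry.
    A line with no host field is exported to all hosts, as exports(5) says."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        path, specs = fields[0], fields[1:] or ["*"]
        for spec in specs:
            host, opts = HOST_SPEC.match(spec).groups()
            options = {o for o in (opts or "").split(",") if o}
            entries.append((path, host or "*", options))
    return entries

def audit(entries):
    """Flag the risky patterns discussed in the article as (path, host, code)."""
    findings = []
    for path, host, opts in entries:
        if host == "*":                      # reachable by every host that can see the server
            findings.append((path, host, "world"))
        if "no_root_squash" in opts:         # client root acts as root on the share
            findings.append((path, host, "no_root_squash"))
        if not opts:                         # exportfs warns and suggests HOST(sync)
            findings.append((path, host, "no_options"))
        if host != "*" and IP_WITH_WILDCARD.match(host):   # wildcards are for hostnames only
            findings.append((path, host, "ip_wildcard"))
    return findings

if __name__ == "__main__":
    for path, host, code in audit(parse_exports(SAMPLE_EXPORTS)):
        print(f"{code:15} {path} {host}")
```

Point parse_exports at the contents of a real /etc/exports to run the same checks on your own server.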
Recommended Read
To learn more about the different supported NFS exports options for NFS server and client, I recommend that you read:
Beginners guide to different NFS mount and exports options with examples
Conclusion
In this tutorial I shared multiple examples of different scenarios for exporting NFS shares with and without restrictions. It is important that with NFS we also consider the security of these shares, so that they are not accessed by unauthorized users over the network; for that you must assign the NFS options properly.
Lastly, I hope the steps from this article on configuring NFS exports on Linux were helpful. Let me know your suggestions and feedback using the comment section.