====== NFS ======

**Persistent iptables rules**
<code>
sudo apt-get install iptables-persistent
</code>

**Fixed port**
<code>
/etc/default/nfs-kernel-server
#RPCMOUNTDOPTS="--manage-gids"
RPCMOUNTDOPTS="--port 49639"
</code>

<code>
vi /etc/iptables/rules.v4
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
# NFS
-A INPUT -p tcp --dport 111 -s 10.0.0.0/8 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p udp --dport 111 -s 10.0.0.0/8 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 2049 -s 10.0.0.0/8 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p udp --dport 2049 -s 10.0.0.0/8 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 49639 -s 10.0.0.0/8 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p udp  --dport 49639 -s 10.0.0.0/8 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
# LOG
-A INPUT -j LOG --log-prefix "INPUT:DROP:" --log-level 6
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
COMMIT
</code>

**Apply**
<code>
sudo iptables-restore < /etc/iptables/rules.v4
</code>