NFS

Persistent iptables rules

# Installs the service that reloads /etc/iptables/rules.v4 at boot, so the
# rule set survives a reboot.
sudo apt-get install iptables-persistent

Fixed port for rpc.mountd

/etc/default/nfs-kernel-server
# Previous setting, left disabled: with this line commented out, --manage-gids
# is no longer passed to rpc.mountd.
#RPCMOUNTDOPTS="--manage-gids"
# Pin rpc.mountd to a fixed port so a firewall rule can name it (49639 is the
# port opened for 10.0.0.0/8 in /etc/iptables/rules.v4).
# NOTE(review): if server-side group lookup is still wanted, both options can
# share the string ("--manage-gids --port 49639") - confirm before deploying.
# NOTE(review): only mountd is pinned here. NFSv3 locking and status (lockd,
# statd) take their ports from other settings - confirm whether clients need
# them reachable through the firewall.
# The value is read when the NFS server starts, so restart it after editing.
RPCMOUNTDOPTS="--port 49639"
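# The rules file is root-owned, so edit it through sudo; sudoedit runs the
# editor unprivileged on a temporary copy and writes the result back as root.
sudoedit /etc/iptables/rules.v4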
# IPv4 filter table for an NFS server.
# This file covers IPv4 only; IPv6 traffic is governed by a separate ip6tables
# rule set, which is not defined here.
*filter
# Default policies. Anything arriving on INPUT that no rule below accepts is
# dropped.
:INPUT DROP [0:0]
# NOTE(review): FORWARD defaults to ACCEPT and has no rules, so routed traffic
# is unfiltered if IP forwarding is enabled on this host - confirm intended.
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback traffic is always allowed.
-A INPUT -i lo -j ACCEPT
# Packets belonging or related to an already tracked connection are accepted;
# packets conntrack classifies as INVALID are dropped.
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# SSH.
# NOTE(review): there is no -s match, so port 22 is reachable from any source
# address, unlike the NFS rules below - restrict it if administration comes
# from a known range.
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
# NFS, accepted only from 10.0.0.0/8, over both TCP and UDP:
#   111    rpcbind (portmapper)
#   2049   nfsd
#   49639  rpc.mountd, as pinned by RPCMOUNTDOPTS in
#          /etc/default/nfs-kernel-server
# NOTE(review): 10.0.0.0/8 is the whole 10.x private range and the source
# address is the only network-level restriction in these rules; narrow it to
# the actual client subnet(s) where possible.
-A INPUT -p tcp --dport 111 -s 10.0.0.0/8 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p udp --dport 111 -s 10.0.0.0/8 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 2049 -s 10.0.0.0/8 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p udp --dport 2049 -s 10.0.0.0/8 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 49639 -s 10.0.0.0/8 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p udp  --dport 49639 -s 10.0.0.0/8 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
# Log whatever reaches this point, just before the INPUT policy drops it.
# NOTE(review): the rule has no rate limit (-m limit), so a flood of rejected
# packets produces one log line per packet.
-A INPUT -j LOG --log-prefix "INPUT:DROP:" --log-level 6
# The OUTPUT policy is ACCEPT, so the three ACCEPT rules below do not restrict
# anything; they would only matter if the policy were changed to DROP.
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
COMMIT

Apply

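# Parse the file first (--test builds the rule set without committing it) and
# load it only if that succeeds. Loading replaces the current contents of the
# filter table. The INPUT policy is DROP, so when working over SSH keep the
# current session open and confirm that a new login works before closing it.
sudo iptables-restore --test < /etc/iptables/rules.v4 \
  && sudo iptables-restore < /etc/iptables/rules.v4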