DevHeads.net

NFS deny access

Hello all,

I have an NFS Server where I want give access to a specific address to a
specific path.
Problem is that I have some other shares active which I do not want the
specific IP to not access it.

The /etc/exports looks like the following:

/nfs/Share1             10.10.*(rw)
/nfs/Share2             10.10.*(rw)
/kdnbckp/CS21           10.10.193.43(rw)

The client on the last line (IP 10.10.193.43) I'd like to exclude from
mounting the first two shares.

How can I do this? 'man exports' does not give any hint if this is possible.

Thanks,
Thomas

Comments

Re: NFS deny access

By James Pearson at 01/09/2019 - 10:10

Thomas Plant via CentOS wrote:
I don't know of an option to exclude a single host - but you might be
able to do something clever with the 'refer' option ...

BTW, the export man page says that you shouldn't use wildcards in IP
network addresses - i.e. instead of exporting to '10.10.*', you should
use '10.10.0.0/16'

So something like the following may work:

/nfs/Share1 10.10.193.43(rw,refer=/ ... at 127 dot 0.0.1) 10.10.0.0/16(rw)
/nfs/Share2 10.10.193.43(rw,refer=/ ... at 127 dot 0.0.1) 10.10.0.0/16(rw)
/kdnbckp/CS21 10.10.193.43(rw)

The above _should_ cause the client at 10.10.193.43 to attempt to mount
"/dummy" from itself when it tries to mount either /nfs/Share1 or
/nfs/Share2 from the server - and if "/dummy" isn't exported from itself
(or if NFS isn't running), then the mount will fail ...

However, I believe the refer= option is NFSv4 only - so if the client
attempts an NFSv3 mount, it will successfully mount from the server (and
not use the refer mount point) - i.e. to make sure this doesn't happen,
you will need to disable NFSv3 (and NFSv2) access - e.g see:

<a href="https://opsech.io/posts/2016/Jan/26/nfsv4-only-on-centos-72.html" title="https://opsech.io/posts/2016/Jan/26/nfsv4-only-on-centos-72.html">https://opsech.io/posts/2016/Jan/26/nfsv4-only-on-centos-72.html</a>

However, the above is all a bit messy - so I would be interested if you
come across a simpler way of achieving this ...

James Pearson