Problem: securely accessing the big, fast hard disk in a server that is locked behind NAT.
Solution: Create two tunnels with SSH reverse forwarding and run NFS over TCP through these tunnels.
The core of the info below was taken from http://www.howtoforge.com/nfs_ssh_tunneling
In this example the NFS client will be called client. All commands must be executed as root.
On the server:
echo "STATDOPTS=--port 2231" > /etc/default/nfs-common
echo "options lockd nlm_udpport=2232 nlm_tcpport=2232" >> /etc/modules.conf
echo "RPCNFSDCOUNT=8 RPCMOUNTDOPTS='-p 2233'" > /etc/default/nfs-kernel-server
apt-get -y install nfs-kernel-server
Add a line to /etc/exports that lists the directory you want to export, includes the "insecure" option (requests arriving through the tunnel come from a source port above 1024, which the NFS server otherwise refuses) and uses 127.0.0.1 as the allowed client. E.g.
/home/foo 127.0.0.1(rw,async,no_subtree_check,no_root_squash,insecure)
Since the server itself is behind NAT, the server must initiate the tunnel.
ssh -N -f -R 10006:localhost:2049 root@client
ssh -N -f -R 10007:localhost:2233 root@client
Since we're only using ports above 1024, there is really no need to be root, but it doesn't hurt either.
On the client:
mount -t nfs -o tcp,nolock,port=10006,mountport=10007 localhost:/home/foo /mnt
Do not try this without the "nolock" option: the client would then try to connect to its own statd (or lockd), which knows nothing about /home/foo, causing a hard file system lock that stalls the processes trying to access the files in /mnt.
Since you cannot use locking, don't write to the exported files directly on the server while they are in use by processes on the NFS client.
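A check for the /etc/exports step above, as an added example that is not part of the original page or the howtoforge article: it reads exports(5) lines and reports any export that is not restricted to 127.0.0.1 or lacks "insecure", and notes where no_root_squash is set. The function name audit_exports, the message texts and the second sample line are constructed for this example, and it assumes every export on the server is meant to be reached only through the tunnel.

```shell
#!/bin/sh
# Added example (not from the original page): audit exports(5) text on stdin
# against the tunnel-only setup. Prints one line per finding and returns 1 if
# any export breaks the setup's assumptions, else 0.
# Limitation: one export per line, no backslash continuations.
audit_exports() {
    rc=0
    set -f                              # '*' is a valid client; do not glob it
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        set -- $line                    # $1 = path, the rest = client(options)
        [ $# -gt 0 ] || continue
        path=$1; shift
        for spec in "$@"; do
            case $spec in
                *\(*\)) client=${spec%%\(*}; opts=${spec#*\(}; opts=${opts%\)} ;;
                *)      client=$spec; opts= ;;
            esac
            # Only the loopback client keeps the export off the LAN.
            if [ "$client" != 127.0.0.1 ]; then
                echo "FAIL $path: client '$client' is not 127.0.0.1"
                rc=1
            fi
            # Without 'insecure' the server rejects source ports above 1024.
            case ",$opts," in
                *,insecure,*) ;;
                *) echo "FAIL $path: 'insecure' missing, tunnel traffic arrives from a port above 1024"
                   rc=1 ;;
            esac
            case ",$opts," in
                *,no_root_squash,*)
                   echo "WARN $path: no_root_squash trusts uid 0 arriving through the tunnel" ;;
            esac
        done
    done
    set +f
    return $rc
}

# Constructed sample: line 1 is the export from this page, line 2 is a
# deliberately mismatched entry made up for the example.
SAMPLE='/home/foo 127.0.0.1(rw,async,no_subtree_check,no_root_squash,insecure)
/srv/data 192.168.1.0/24(rw,sync)'
printf '%s\n' "$SAMPLE" | audit_exports || true
```

On a real server, feed it the live file with `audit_exports < /etc/exports` before starting the tunnels.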