[CentOS] NFS deny access

James Pearson james-p at moving-picture.com
Wed Jan 9 14:10:04 UTC 2019


Thomas Plant via CentOS wrote:
> 
> Hello all,
> 
> I have an NFS Server where I want to give access to a specific address to a
> specific path.
> Problem is that I have some other shares active which I do not want the
> specific IP to not access it.
> 
> The /etc/exports looks like the following:
> 
> /nfs/Share1             10.10.*(rw)
> /nfs/Share2             10.10.*(rw)
> /kdnbckp/CS21           10.10.193.43(rw)
> 
> The client on the last line (IP 10.10.193.43) I'd like to exclude from
> mounting the first two shares.
> 
> How can I do this? 'man exports' does not give any hint if this is 
> possible.

I don't know of an option to exclude a single host - but you might be 
able to do something clever with the 'refer' option ...

BTW, the export man page says that you shouldn't use wildcards in IP 
network addresses - i.e. instead of exporting to '10.10.*', you should 
use '10.10.0.0/16'

So something like the following may work:

  /nfs/Share1   10.10.193.43(rw,refer=/dummy@127.0.0.1) 10.10.0.0/16(rw)
  /nfs/Share2   10.10.193.43(rw,refer=/dummy@127.0.0.1) 10.10.0.0/16(rw)
  /kdnbckp/CS21 10.10.193.43(rw)

The above _should_ cause the client at 10.10.193.43 to attempt to mount 
"/dummy" from itself when it tries to mount either /nfs/Share1 or 
/nfs/Share2 from the server - and if "/dummy" isn't exported from itself 
(or if NFS isn't running), then the mount will fail ...

However, I believe the refer= option is NFSv4 only - so if the client 
attempts an NFSv3 mount, it will successfully mount from the server (and 
not use the refer mount point) - i.e. to make sure this doesn't happen, 
you will need to disable NFSv3 (and NFSv2) access - e.g. see:

  https://opsech.io/posts/2016/Jan/26/nfsv4-only-on-centos-72.html

However, the above is all a bit messy - so I would be interested if you 
come across a simpler way of achieving this ...

James Pearson
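
An added example, not part of the original post: a Python check over an exports file like the ones in this thread. It flags IP wildcards such as '10.10.*' and lists every entry a given client address matches, together with any refer= option. The sample file is constructed from the thread's lines, the function names are hypothetical, and hostname, netgroup and anonymous specs are skipped rather than resolved.

```python
import ipaddress
import re

# Constructed sample: one wildcard line as first posted, two lines as suggested in the reply.
SAMPLE_EXPORTS = """\
/nfs/Share1   10.10.193.43(rw,refer=/dummy@127.0.0.1) 10.10.0.0/16(rw)
/nfs/Share2   10.10.*(rw)
/kdnbckp/CS21 10.10.193.43(rw)
"""

SPEC_RE = re.compile(r"^([^()]*)(?:\(([^()]*)\))?$")  # client(opt,opt,...)

def parse_exports(text):
    """Yield (path, client, options) for every client spec in the file."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs:
            m = SPEC_RE.match(spec)
            if m:
                yield path, m.group(1), (m.group(2) or "").split(",")

def is_ip_wildcard(client):
    """True for specs like 10.10.* that put shell wildcards in an IP address."""
    return bool(re.fullmatch(r"[0-9.*?]+", client)
                and re.search(r"\d", client) and re.search(r"[*?]", client))

def audit(text, client_ip):
    """Return (ip_wildcard_specs, matching_entries) for one client address."""
    ip = ipaddress.ip_address(client_ip)
    wildcards, matches = [], []
    for path, client, opts in parse_exports(text):
        if is_ip_wildcard(client):
            wildcards.append((path, client))
            continue
        try:
            net = ipaddress.ip_network(client, strict=False)
        except ValueError:
            continue  # hostname, netgroup or anonymous spec: not evaluated here
        if ip in net:
            # Per the thread, refer= is NFSv4 only, so report it for review.
            refer = next((o for o in opts if o.startswith("refer=")), None)
            matches.append((path, client, refer))
    return wildcards, matches

if __name__ == "__main__":
    print(audit(SAMPLE_EXPORTS, "10.10.193.43"))
```

The output lists every matching entry and does not decide which one the server would apply; an entry that relies on refer= still needs the NFSv3/NFSv2 check described above.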

