There is a new version of this tutorial available for Debian 12 (Bookworm).

How to Install and Configure NFS Server on Debian 11

NFS, or Network File System, is a network protocol that allows you to mount a remote filesystem over the network. NFS uses a server-client architecture: the NFS server provides the directories or partitions that are available to access and mount, and clients use the rpcbind protocol to access those directories and filesystems through the internal network connection.

The current status of the Network File System protocol is described below.

1. NFSv2 and NFSv3 are still supported by the major operating systems, but for security reasons you must restrict access to the NFS server to the trusted local network. NFSv2 and NFSv3 are recommended for small and medium deployments.
2. The NFSv4 protocol provides basic security features such as authentication and encryption, but it relies on Kerberos for them, so you need additional configuration to use NFSv4 with these security features.

In this tutorial, you will learn how to install and configure an NFS server on the latest Debian 11 Bullseye. You will install the NFS server and secure access to it by limiting the allowed hosts with the ufw firewall. Then you will learn how to set up the client to mount directories and partitions provided by the NFS server, and how to auto-mount them at system boot through the '/etc/fstab' configuration.

Prerequisites

1. We will be using two different machines on the same network as below.
     - debian64 - 192.168.1.25 - as NFS Server
     - client-debian - 192.168.1.30 - as a client
2. A root user or a user with root privileges. This user will be used for installing new packages and editing system configurations.

Installing and Configuring NFS Server

First, you will install the NFS server package and set up the shared directories for clients.

1. Execute the following command to install the NFS server packages.

apt install nfs-kernel-server rpcbind

Type 'y' and press 'Enter' to continue the installation.

2. Now create the directories that you want to share with clients. For this example, you will share two directories, '/mnt/shared' and '/srv/data'. Do not share the root directory '/' or the '/etc' directory.

Create a new shared directory using the mkdir command below.

mkdir -p /mnt/shared
mkdir -p /srv/data

Create a new file on each directory by running the echo command below.

echo "test file nfs server" > /mnt/shared/test-file.txt
echo "test file nfs server" > /srv/data/test-file.txt

Now change the ownership of both shared directories to 'nobody:nogroup' by executing the command below.

chown nobody:nogroup /mnt/shared /srv/data

And you're ready to configure the NFS Server.

3. To configure the shared directories for NFS, edit the '/etc/exports' configuration file using the nano editor.

nano /etc/exports

Below are example configurations for several scenarios.

Share a directory with a single client host with read-write access.

/mnt/shared    192.168.1.30(rw,sync,no_subtree_check)

Share a directory with multiple clients, including whole network ranges.

/srv/data      172.16.1.0/24(rw,sync,no_root_squash,no_subtree_check) 10.11.12.0/24(rw,no_subtree_check)

Share a directory with a single client with read-only access.

/srv/data        192.168.1.30(ro)

Below is the final example configuration.

/mnt/shared    192.168.1.30(rw,sync,no_subtree_check)
/srv/data      172.16.1.0/24(rw,sync,no_root_squash,no_subtree_check) 10.11.12.0/24(rw,no_subtree_check)
/srv/data      192.168.1.30(ro,no_root_squash)

Save the configuration by pressing 'Ctrl+x', typing 'y', then pressing 'Enter' to exit.

Options you must know:

  • rw : allow read and write access for both NFS server and client to the volume/directory.
  • ro : allow read-only access for clients.
  • sync : reply to requests only after the changes have been committed to stable storage. This option is enabled by default.
  • async : allow the NFS server to violate the NFS protocol and reply to requests before any changes made by that request have been committed to stable storage.
  • subtree_check : enable subtree checking. This option is enabled by default.
  • no_subtree_check : disable subtree checking, which has mild security implications, but can improve reliability in some circumstances.
  • root_squash : map requests from uid/gid 0 to the anonymous uid/gid. Note that this does not apply to any other uids or gids that might be equally sensitive, such as user bin or group staff.
  • no_root_squash : disable root squashing. This option is mainly useful for disk-less clients.
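
An added example (not part of the original tutorial): a small Python audit of '/etc/exports' that flags the points made above, namely exporting '/' or '/etc', 'no_root_squash', and clients outside the networks used in this tutorial. The TRUSTED list and the finding names are assumptions of this example; the sample input is the tutorial's final configuration. It also catches a space between host and options ('host (rw)'), which applies those options to every host.

```python
import ipaddress

# Constructed input: the tutorial's final /etc/exports example.
SAMPLE_EXPORTS = """\
/mnt/shared    192.168.1.30(rw,sync,no_subtree_check)
/srv/data      172.16.1.0/24(rw,sync,no_root_squash,no_subtree_check) 10.11.12.0/24(rw,no_subtree_check)
/srv/data      192.168.1.30(ro,no_root_squash)
"""
# Assumption: the networks this tutorial allows; the /24 around the client
# 192.168.1.30 is this example's reading of "the same network".
TRUSTED = ("192.168.1.0/24", "172.16.1.0/24", "10.11.12.0/24")


def parse_exports(text):
    """Yield (path, client, options) per client entry; '#' comments are skipped."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        for spec in fields[1:]:
            host, _, rest = spec.partition("(")
            opts = set(filter(None, rest.rstrip(")").split(",")))
            # "host (rw)" splits in two: the bare "(rw)" applies to every host.
            yield fields[0], host or "*", opts


def audit(text, trusted=TRUSTED):
    """Return (path, client, finding) tuples for risky export entries."""
    nets = [ipaddress.ip_network(n) for n in trusted]
    findings = []
    for path, client, opts in parse_exports(text):
        if path == "/" or path == "/etc" or path.startswith("/etc/"):
            findings.append((path, client, "sensitive_path"))
        if "no_root_squash" in opts:
            findings.append((path, client, "no_root_squash"))
        try:
            net = ipaddress.ip_network(client, strict=False)
        except ValueError:  # hostname, wildcard or netgroup: review by hand
            findings.append((path, client, "non_ip_client"))
            continue
        if not any(net.version == t.version and net.subnet_of(t) for t in nets):
            findings.append((path, client, "untrusted_network"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORTS):
        print(*finding, sep="\t")
```

Run against the final example, it reports the two 'no_root_squash' entries on '/srv/data', where root on the client is treated as root on the export.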

4. Next, restart the nfs-server service to apply the new configuration using the command below.

systemctl restart nfs-server

Now check and verify the nfs-server service using the following command.

systemctl is-enabled nfs-server
systemctl status nfs-server

And you will get a similar output as below.

As can be seen, the nfs-server service is 'enabled' and will automatically run at system startup. The current status of the nfs-server service is 'active (exited)', which means the service is running, but systemd cannot find a daemon to monitor.

Securing NFS Server with UFW Firewall

In this stage, you will install the ufw firewall and restrict access to the NFS server to specific hosts and networks only.

1. Execute the apt command below to install the ufw package.

apt install ufw

Type 'y' and press 'Enter' to confirm and continue the installation.

2. Once the installation is complete, add the SSH service to the ufw firewall rules using the command below.

ufw allow ssh

3. Next, execute the ufw commands below to add hosts or networks to your ufw firewall.

Allow the host with IP address '192.168.1.30' to access the NFS server.

ufw allow from 192.168.1.30 to any port nfs

Allow whole network blocks to access the NFS server.

ufw allow from 172.16.1.0/24 to any port nfs
ufw allow from 10.11.12.0/24 to any port nfs

4. After that, enable the ufw firewall using the following command.

ufw enable

Type 'y' and press 'Enter' to start and enable the ufw firewall.

Now check the ufw firewall status using the command below.

ufw status

And you will see a similar output as below.

As can be seen, the ufw firewall state is 'active', and the NFS service on default port '2049' is available on the rules list.

Setting up NFS Client

In this step, you will configure the client to access the shared directories and partitions on the NFS server.

1. First, install the 'nfs-common' package using the apt command below.

apt install nfs-common

Type 'y' and press 'Enter' to confirm and continue the installation.

2. After the installation is complete, create new directories to use as mount points.

mkdir -p /nfs/shared; mkdir -p /nfs/data

3. To mount the nfs directory or partition from the NFS server, execute the mount command below.

mount 192.168.1.25:/mnt/shared /nfs/shared
mount 192.168.1.25:/srv/data /nfs/data

The basic mount command for NFS specifies the IP address of the NFS server, '192.168.1.25', with the shared directory ('/mnt/shared' and '/srv/data'), followed by the target path on the client side ('/nfs/shared' and '/nfs/data').

4. Next, execute the following command to verify the NFS mount is successful.

df -h

You can also check the files that you created earlier by executing the following commands.

cat /nfs/shared/test-file.txt
cat /nfs/data/test-file.txt

Below is the output you will get.

As can be seen, you've successfully mounted the NFS shares on the '/nfs/shared' and '/nfs/data' directories, and you are able to read the files that you created earlier.

Verify Read and Write Access to the NFS Server

In this stage, you will verify the read and write access to the NFS server directories.

1. Change the working directory to '/nfs/shared', list the files in that directory, and show the content of the test file using the commands below.

cd /nfs/shared
ls

cat test-file.txt

Next, create a new file using the echo command below.

echo "This file from nfs-client" > client.txt
cat client.txt

If you're able to create the file 'client.txt', the write access to the NFS directory '/nfs/shared' works, as described in the configuration below.

/mnt/shared    192.168.1.30(rw,sync,no_subtree_check)

2. Next, according to the configuration you created earlier, the client only has read access to the NFS directory '/nfs/data', as you can see in the configuration below.

/srv/data        192.168.1.30(ro,no_root_squash)

Change the working directory to '/nfs/data', list the files in that directory, and show the content of the test file using the commands below.

cd /nfs/data
ls

cat test-file.txt

Next, if you try to create a new file, you will get the error 'Read-only file system', because you only have 'read-only' permission as described in the configuration above.

echo "This is a file from client to data" > client-data.txt

Below is a similar output to what you will get.

The read and write permissions match the current NFS server configuration.

Mount NFS on boot

In this stage, you will learn how to mount the NFS directory/partition at system boot/startup through the '/etc/fstab' configuration.

1. Edit the '/etc/fstab' configuration using the nano editor.

nano /etc/fstab

Replace the IP addresses, shared directories, and mount paths with your own, then paste the configuration.

192.168.1.25:/mnt/shared        /nfs/shared   nfs auto,nofail,noatime,nolock,intr,tcp,actimeo=1800 0 0
192.168.1.25:/srv/data          /nfs/data     nfs auto,nofail,noatime,nolock,intr,tcp,actimeo=1800 0 0

Save the configuration by pressing 'Ctrl+x', typing 'y', then pressing 'Enter' to exit.

2. Next, verify that the '/etc/fstab' configuration is correct by using the following commands.

Unmount all mounted directories using the command below.

umount -R /nfs/shared
umount -R /nfs/data

Execute the following command to mount all file systems listed in the '/etc/fstab' configuration file.

mount -a

Make sure you don't have any errors.

Now run the following command to show all mounted file systems.

df -h

If your configuration is correct, you will see the NFS shares mounted on the target directories as described in the '/etc/fstab' configuration.

3. You can reboot the client machine and log in again, then verify again using the command below.

df -h

You will see that the NFS shares are automatically mounted at system boot on the client machine through the '/etc/fstab' file.

Conclusion

Congratulations! You've successfully installed the NFS Server on the latest Debian 11 Bullseye. You've also secured the NFS Server deployment using the ufw firewall, set up an NFS client machine, and set up auto-mount using the '/etc/fstab' configuration. As a next step, you may also be interested in the NFSv4 protocol, which provides security mechanisms such as encryption and authentication through the Kerberos server.