Protect portmap with iptables - Info Saja

Saturday, October 20, 2007

Protect portmap with iptables

The portmap service is a dynamic port assignment daemon for RPC services such as NIS and NFS. It has weak authentication mechanisms and has the ability to assign a wide range of ports for the services it controls. For these reasons, it is difficult to secure.

If you are running RPC services, you should follow some basic rules.

Below are two example iptables commands that allow TCP connections to the portmap service (listening on port 111) from the 192.168.0.0/24 network and from localhost. All other packets to that port are dropped. Because iptables evaluates the rules of a chain in order and -A appends to the end, the ACCEPT rule for localhost must be added before the DROP rule; otherwise traffic from 127.0.0.1 would match the DROP rule first and never reach the ACCEPT.

# iptables -A INPUT -p tcp -s 127.0.0.1 --dport 111 -j ACCEPT
# iptables -A INPUT -p tcp ! -s 192.168.0.0/24 --dport 111 -j DROP

To similarly limit UDP traffic, use the following command (if local UDP RPC clients are needed, append a matching ACCEPT for 127.0.0.1 before it, as above).
# iptables -A INPUT -p udp ! -s 192.168.0.0/24 --dport 111 -j DROP
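To make the ordering point concrete, here is an added example (not part of the original post) that models the INPUT chain as a first-match rule list and evaluates the two orderings of the port 111 rules against constructed sample packets; the rule tuples, packet dicts and the default ACCEPT policy are assumptions of this model, not iptables internals.

```python
import ipaddress

# Constructed model of a chain: each rule is
# (protocol, source network, negate source match, dport, target).
# Like iptables, the first matching rule decides; the chain policy applies otherwise.
def matches(rule, pkt):
    proto, src, negate, dport, _target = rule
    if proto != pkt["proto"] or dport != pkt["dport"]:
        return False
    in_src = ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(src)
    return (not in_src) if negate else in_src

def evaluate(chain, pkt, policy="ACCEPT"):
    for rule in chain:
        if matches(rule, pkt):
            return rule[4]
    return policy

# Order as originally posted: the DROP for non-LAN sources is appended first,
# so the localhost ACCEPT after it is never reached for 127.0.0.1.
AS_POSTED = [
    ("tcp", "192.168.0.0/24", True, 111, "DROP"),
    ("tcp", "127.0.0.1/32", False, 111, "ACCEPT"),
]
# Corrected order: the localhost ACCEPT precedes the DROP.
CORRECTED = list(reversed(AS_POSTED))

def outcomes(chain):
    """Evaluate constructed TCP/111 packets from a LAN host, localhost and an outside host."""
    pkts = {
        "lan": {"proto": "tcp", "src": "192.168.0.10", "dport": 111},
        "localhost": {"proto": "tcp", "src": "127.0.0.1", "dport": 111},
        "outside": {"proto": "tcp", "src": "10.1.2.3", "dport": 111},
    }
    return {name: evaluate(chain, p) for name, p in pkts.items()}

def to_iptables(rule):
    """Render a rule tuple in current iptables syntax (negation before the option)."""
    proto, src, negate, dport, target = rule
    neg = "! " if negate else ""
    return f"iptables -A INPUT -p {proto} {neg}-s {src} --dport {dport} -j {target}"

if __name__ == "__main__":
    print("as posted:", outcomes(AS_POSTED))
    print("corrected:", outcomes(CORRECTED))
    for r in CORRECTED:
        print(to_iptables(r))
```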