topic Re: Restrict CIFS shares by one of the IP address of a filer in Network and Storage Protocols

Restrict CIFS shares by one of the IP address of a filer

renault — Fri, 02 Jun 2017 13:35:35 GMT

Hi all,

I would like to know if there is a way to do this :

- Add many IP adresses to a filer. Each IP from different VLANs

- Create cifs shares or NFS exports only accessible from one of theses adresses.

My idea is to

- Create a rule on the firewall to allow trafic between as set of Windows or Linux servers to oneof the IP adresses of the filer

- Allow data acces from this IP adress to a set of server on the filer.

I take a look at DOT 9 documentation and it seems an export policy may restrict access to qtree to a set of servers.

But I did not see that the IP used by the filer can be set too in a rule.

The only alternative should to create a SVM for each IP, but it's not very convenient

Thanks

MLD

Re: Restrict CIFS shares by one of the IP address of a filer

robinpeter — Fri, 02 Jun 2017 16:03:05 GMT

its possible to restrict the NAS protocol to restrict to a range or IP or a single IP

here is some example.

To Setup NFS Read-Write Access for the Client with IP Address 10.10.10.11, Use the following Export-Policy Rule.

::> vserver export-policy rule create -vserver nfs01 -policy nfspolicy -ruleindex 1 -protocol nfs -clientmatch 10.10.10.11 -rorule sys -rwrule sys

To Setup CIFS Read-Write Access for the Client with IP Address 10.10.10.11, Use the following Export-Policy Rule.

::> vserver export-policy rule create -vserver cifs01 -policy cifspolicy -ruleindex 1 -protocol cifs -clientmatch 10.10.10.11 -rorule ntlm,krb5 -rwrule ntlm,krb5

Hope that help..

Robin.

Re: Restrict CIFS shares by one of the IP address of a filer

renault — Tue, 06 Jun 2017 15:21:51 GMT

Thank you for your answer. But it does not answer to my needs :

To be more precise, I would like to be able to

- restrict CIFS share A to subnet 10.0.0.0/0

- restrict CIFS shares B to subnet 11.0.0.0/0

- restrict NFS export C to subnet 12.0.0.0./0 (in addtion of the exports file settings)

- restict NFS export D1 and CIFS share D1 on the same data to subnet 13.0.0.0/0

Thanks

Re: Restrict CIFS shares by one of the IP address of a filer

SVHO — Thu, 17 Aug 2017 23:32:10 GMT

Did you ever get an answer for this?

Thanks,
SVHO

Re: Restrict CIFS shares by one of the IP address of a filer

AlexDawson — Fri, 18 Aug 2017 04:54:34 GMT

For what the original poster is looking at - having a share only accessable on one of the systems' IP addresses, and not others, the best option is to create multiple SVMs - each will have its own AD account and can have totally seperate domain auth as well as IP ranges.

Re: Restrict CIFS shares by one of the IP address of a filer

Noorain02 — Fri, 12 Nov 2021 17:07:55 GMT

I do have one issue - if you can also help.

We have one SVM that has two cifs shares vol (one prod vol, one test vol) and requester has given 10 IPs for client access (export).

The requirement is to allow 5 IPs to test volume and 5 IPs to Prod volume so that If same user login from test server can only access or map test share not prod.

Action is been done- In the Prod vol export rule I have only allowed 5 IPs (prod) but other IPs (5 test IPs) are still able to access and map the prod share. How can I limit these IPs not to access my prod shares?