← Back to blogs
🗂️ Linux Networking Series

NFS Server Setup &
Client Mount Guide

Share directories across Linux systems over a network using NFS. Clients access remote files as if they were stored locally — set up once, mount everywhere.

nfs-kernel-server /etc/exports RPC Port 2049 fstab Mount UFW Firewall Erasure Coding

How NFS Works

NFS uses a simple three-step model: the server exports a directory, the client mounts it, and all communication flows over RPC on port 2049. Once mounted, the remote directory looks and behaves like a local folder.

🖥️
NFS Server
Exports /mnt/nfs_share
🔗
RPC / Port 2049
Network transport layer
💻
NFS Client
Mounts as /mnt/nfs_client
💡
SECTION 01

Core Concepts — Read This First

Before setting anything up, understand what NFS is and why the architecture works the way it does. This makes debugging much easier later.

What is NFS?

Network File System (NFS) is a protocol that allows one Linux machine (the server) to share a directory over the network, and another machine (the client) to mount and use it as if it were a local disk. No file copying needed — the client reads and writes directly on the server's storage.

🖥️ NFS Server

Owns the storage. Runs nfs-kernel-server. Defines which directories are shared via /etc/exports.

💻 NFS Client

Any machine that mounts the server's shared directory. Runs nfs-common. Sees the remote directory as a local folder.

🔗 RPC

NFS uses Remote Procedure Call for communication. Default port is 2049. Must be open in the firewall.

📤 Exports

The server's /etc/exports file controls which directories are shared and who can access them.

🎯
Real-world analogy The NFS server is like a shared network drive at an office. The client is like your laptop — you can open, edit, and save files on the shared drive without anything being stored on your own machine.
📋
SECTION 02

Prerequisites

Have these ready before starting. The setup requires at least two Linux machines — one as the server and one as the client — that can reach each other over the network.

  • Two Linux machines — Ubuntu/Debian recommended for both server and client
  • Network connectivity — the client must be able to ping the server IP
  • SSH access to both machines
  • Sudo privileges on both machines
  • Server IP address — you'll need this on the client side (note it down)
⚠️
Important: Server vs Client IP In /etc/exports, the IP address you specify is the client's IP — not the server's. This is a common point of confusion. The server is telling NFS: "allow this client IP to connect."
🖥️
SECTION 03

NFS Server Setup

Run all commands in this section on the NFS Server machine only.

01

Install the NFS Server Package

Install nfs-kernel-server — the core package that runs the NFS server daemon on Linux.

bash — NFS Server
sudo apt update
sudo apt install nfs-kernel-server -y
02

Create the Shared Directory

Create the directory that will be shared with clients. Then assign it to the nobody:nogroup user — a safe, unprivileged owner for shared NFS directories.

bash — NFS Server
# Create the share directory
sudo mkdir -p /mnt/nfs_share

# Assign to nobody:nogroup (safe unprivileged owner)
sudo chown nobody:nogroup /mnt/nfs_share

# Set permissions (read/write for owner, read for others)
sudo chmod 755 /mnt/nfs_share
⚠️
Never use chmod 777 in production. 777 gives full read/write/execute access to every user. Use 755 or more restrictive permissions and control access through /etc/exports instead.
03

Configure the Exports File

The /etc/exports file defines which directories are shared and who can access them. Open it with your editor and add one of the configurations below.

bash — NFS Server
sudo vim /etc/exports

Export Options — Choose One

Pick the export rule that matches your environment. Specific IP or subnet is always preferred over a wildcard.

/etc/exports — Allow entire subnet
# Allow all clients in the 192.168.1.0/24 subnet
/mnt/nfs_share 192.168.1.0/24(rw,sync,no_subtree_check)
/etc/exports — Allow single client IP
# Allow only a specific client machine
/mnt/nfs_share 192.168.1.10(rw,sync,no_subtree_check)
💡
What do the export options mean? rw — read and write access. sync — writes are committed to disk immediately before replying. no_subtree_check — improves reliability by disabling subtree permission checks (recommended for most setups).
⚠️
The IP is the CLIENT's IP — not the server's. In /etc/exports, you are specifying which client machines are allowed to mount this share. The server's own IP does not appear here.
04

Apply Export Configuration and Restart

Run exportfs -a to tell the NFS server to re-read its exports file, then restart the service to apply all changes.

bash — NFS Server
# Re-read and apply all exports
sudo exportfs -a

# Restart NFS server service
sudo systemctl restart nfs-kernel-server
05

Verify Active Exports

Confirm the server is exporting the correct directory with the correct options.

bash — NFS Server
# List all active NFS exports with options
sudo exportfs -v
ℹ️
You should see your /mnt/nfs_share listed with the client IP and options like rw,sync,no_subtree_check. If nothing appears, double-check the exports file for syntax errors.
💻
SECTION 04

NFS Client Setup

Run all commands in this section on the NFS Client machine. Replace <SERVER_IP> with the actual IP address of your NFS server.

01

Install the NFS Client Package

Install nfs-common — this provides the tools needed to mount NFS shares on the client side.

bash — NFS Client
sudo apt update
sudo apt install nfs-common -y
02

Create a Mount Point and Mount the Share

Create a local directory as the mount point, then mount the NFS share from the server. This mount is temporary — it will be lost on reboot. See Section 05 for permanent mounting.

bash — NFS Client
# Create local mount point directory
sudo mkdir -p /mnt/nfs_client

# Mount the NFS share (temporary — lost on reboot)
sudo mount <SERVER_IP>:/mnt/nfs_share /mnt/nfs_client
03

Verify the Mount

Confirm the NFS share is mounted correctly by checking disk usage. You should see the NFS share listed with the server IP in the filesystem column.

bash — NFS Client
# Check mounted filesystems (look for nfs entry)
df -h
🔁
SECTION 05

Permanent Mount via fstab

To make the NFS share survive reboots automatically, add an entry to /etc/fstab on the client machine.

01

Edit the fstab File

bash — NFS Client
sudo vim /etc/fstab

Add the following line at the bottom of the file:

/etc/fstab — Basic Entry
<SERVER_IP>:/mnt/nfs_share  /mnt/nfs_client  nfs  defaults,_netdev  0  0
/etc/fstab — Advanced Entry (recommended)
<SERVER_IP>:/mnt/nfs_share  /mnt/nfs_client  nfs  rw,sync,hard,intr,_netdev  0  0
02

Apply the fstab Configuration

bash — NFS Client
# Mount all entries in fstab (tests your entry)
sudo mount -a

Mount Options Explained

defaults Standard set of mount options — rw, suid, exec, auto, nouser, async
rw Read and write access to the mounted share
sync Writes committed to disk immediately — safer, slightly slower
hard Retries indefinitely if server goes down — recommended for stability
intr Allows the user to interrupt a hung NFS operation with Ctrl+C
_netdev Delays mount until network is available — critical for NFS in fstab
💡
Why is _netdev so important? Without it, the system tries to mount the NFS share before the network is ready during boot, causing the mount to fail silently or even hang the boot process.
🔒
SECTION 06

Firewall Configuration

NFS communicates on port 2049. Open this port on the server's firewall, restricted to the client IP only — never open it to the entire internet.

01

Allow NFS Port from Client IP

bash — NFS Server
# Allow only the client machine to reach NFS port
sudo ufw allow from <CLIENT_IP> to any port 2049

# Apply changes
sudo ufw reload
⚠️
Never open port 2049 globally. Using sudo ufw allow 2049 without a source IP exposes your NFS share to the entire internet. Always restrict by IP or subnet.
02

Allow by Subnet (Multi-Client Setup)

If you have multiple clients in the same subnet, allow the whole range instead of adding rules per-IP.

bash — NFS Server
# Allow entire subnet (e.g., 192.168.1.0/24)
sudo ufw allow from 192.168.1.0/24 to any port 2049
🧪
SECTION 07

Testing Your NFS Setup

Run these tests to confirm the share is working correctly end-to-end — both reading and writing across the network.

T1

Write a Test File from the Client

On the client, create a test file inside the mounted directory. This file will be written to the server's disk.

bash — NFS Client
# Create a test file via the NFS mount
touch /mnt/nfs_client/testfile
T2

Confirm the File Appears on the Server

On the server, list the shared directory. You should see the testfile created by the client — confirming read/write access works over NFS.

bash — NFS Server
# Confirm testfile exists on the server side
ls /mnt/nfs_share
💡
If the file appears on the server, your NFS setup is working correctly. The client wrote to its local mount path, and the data landed on the server's disk.
SECTION 08

Troubleshooting

If something isn't working, run through these diagnostic commands in order. Most NFS issues are caused by the service not running, a firewall block, or a misconfigured exports file.

D1

Check NFS Server Status

bash — NFS Server
systemctl status nfs-kernel-server
D2

Check Network Connectivity

From the client, ping the server. If this fails, the problem is network-level — not NFS.

bash — NFS Client
ping <SERVER_IP>
D3

List Available Shares from Client

If the server is reachable but the mount fails, check which shares are actually being exported.

bash — NFS Client
# Lists all NFS exports visible from this client
showmount -e <SERVER_IP>
ℹ️
If showmount returns nothing or errors, your exports file may have a syntax error, or the firewall is blocking port 2049.
D4

Check System Logs

bash — NFS Server or Client
# View recent system and NFS-related logs
journalctl -xe

Common Issues at a Glance

SymptomLikely CauseFix
Mount hangs or times out Firewall blocking port 2049 UFW rule missing
Permission denied on mount Client IP not in /etc/exports Check exports file
showmount returns nothing Syntax error in exports Re-run exportfs -a
NFS lost after reboot No fstab entry Add to /etc/fstab
Mount fails at boot Missing _netdev option Add _netdev to fstab
📌
SECTION 09

Best Practices

  • Restrict by IP or subnet — never use * as the allowed host in /etc/exports in production
  • Avoid chmod 777 — use 755 or stricter permissions, and control access through the exports file
  • Use hard mount option — prevents data loss if the server temporarily goes down
  • Always include _netdev in fstab — ensures the mount waits for the network on boot
  • Firewall all NFS ports — restrict port 2049 to known client IPs only
  • Use sync in exports — ensures data is written to disk before the server replies to the client
🎯
SECTION 10

Complete Working Example

A real-world reference using a concrete server IP (192.168.1.5) and a single trusted client (192.168.1.10).

🖥️ Server Details

📍 Server IP: 192.168.1.5
📁 Share path: /mnt/nfs_share
👤 Owner: nobody:nogroup
🔐 Permissions: 755

💻 Client Details

📍 Client IP: 192.168.1.10
📁 Mount path: /mnt/nfs_client
🔁 Permanent: /etc/fstab
🌐 Port open: 2049
Server — /etc/exports
/mnt/nfs_share 192.168.1.10(rw,sync,no_subtree_check)
Client — /etc/fstab
192.168.1.5:/mnt/nfs_share  /mnt/nfs_client  nfs  rw,sync,hard,intr,_netdev  0  0
Server — UFW Firewall
sudo ufw allow from 192.168.1.10 to any port 2049

What You've Built

  • NFS server exporting /mnt/nfs_share with secure ownership and permissions
  • Client mounting the share at /mnt/nfs_client with read/write access
  • Permanent mount via /etc/fstab — survives reboots automatically
  • Firewall restricted to the client IP on port 2049
  • Hard mount with _netdev for stability and boot safety
  • Production-ready NFS share with SPF-like access control via exports
🔜
Next Step: NFS with Kerberos For high-security environments, NFS v4 supports Kerberos (krb5) authentication — encrypting traffic and enforcing user identity. This is ideal when NFS is used across untrusted networks or multi-tenant systems.