I have two Ubuntu Linux machines: one server and one client. The server is hosting an NFSv4 server sharing the /nfs-share directory.
I am attempting an NFSv4 mount over an SSH tunnel for the following reasons:
- confidentiality
- simplicity
- no need to open nfs ports on firewalld
- access control: users having access to SSH can mount the NFS share
I have chosen NFSv4 specifically to avoid the need for rpcbind, statd, mountd etc., which would require additional ports for NFSv3 to work.
/etc/exports:

```
/nfs-share *(sec=sys,rw,sync,no_subtree_check,all_squash,anonuid=65534,anongid=65534)
```

The above is the only exported directory from the server.
I have verified mount of the nfs directory both from local node (i.e. server) as well as client and all works perfectly fine…
However, when I attempt the NFS mount over an SSH tunnel I get the error: Operation not permitted. This issue is observed even when I create a local SSH tunnel on the server from port 2049 to 4049 as well.
This is how I have tried setting up the tunnel from the client:

```
root@client:~# ssh -fqNTL 127.0.0.1:2049:127.0.0.1:2049 [email protected]
root@client:~# mount -vvv -o vers=4,proto=tcp 127.0.0.1:/nfs-share /mnt
mount.nfs: timeout set for Thu Dec 12 22:40:45 2024
mount.nfs: trying text-based options 'proto=tcp,vers=4.2,addr=127.0.0.1,clientaddr=127.0.0.1'
mount.nfs: mount(2): Operation not permitted
mount.nfs: Operation not permitted
```

And also the following way:

```
root@client:~# ssh -fqNTL 127.0.0.1:4049:127.0.0.1:2049 [email protected]
root@client:~# mount -vvv -o vers=4,proto=tcp,port=4049 127.0.0.1:/nfs-share /mnt
mount.nfs: timeout set for Thu Dec 12 22:42:34 2024
mount.nfs: trying text-based options 'proto=tcp,port=4049,vers=4.2,addr=127.0.0.1,clientaddr=127.0.0.1'
mount.nfs: mount(2): Operation not permitted
mount.nfs: Operation not permitted
```

I have also verified with tcpdump that the NFS client's requests are actually reaching the server:

```
root@server:~# tcpdump -vv -i any dst port 2049
tcpdump: data link type LINUX_SLL2
tcpdump: listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
22:42:30.128843 lo    In  IP (tos 0x0, ttl 64, id 24532, offset 0, flags [DF], proto TCP (6), length 60)
    localhost.51734 > localhost.nfs: Flags [S], cksum 0xfe30 (incorrect -> 0x4d2d), seq 2290211965, win 65495, options [mss 65495,sackOK,TS val 2614046702 ecr 0,nop,wscale 7], length 0
22:42:30.129019 lo    In  IP (tos 0x0, ttl 64, id 24533, offset 0, flags [DF], proto TCP (6), length 52)
    localhost.51734 > localhost.nfs: Flags [.], cksum 0xfe28 (incorrect -> 0x54f2), seq 2290211966, ack 812262091, win 512, options [nop,nop,TS val 2614046702 ecr 2614046702], length 0
22:42:30.130879 lo    In  IP (tos 0x0, ttl 64, id 24534, offset 0, flags [DF], proto TCP (6), length 96)
    localhost.51734 > localhost.nfs: Flags [P.], cksum 0xfe54 (incorrect -> 0x2f49), seq 0:44, ack 1, win 512, options [nop,nop,TS val 2614046704 ecr 2614046702], length 44: NFS request xid 1800123220 40 null
22:42:30.131151 lo    In  IP (tos 0x0, ttl 64, id 24535, offset 0, flags [DF], proto TCP (6), length 52)
    localhost.51734 > localhost.nfs: Flags [.], cksum 0xfe28 (incorrect -> 0x54a6), seq 44, ack 29, win 512, options [nop,nop,TS val 2614046704 ecr 2614046704], length 0
```

What is going wrong and how can I make it work?
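One check worth running against this setup, added here as an example and not part of the question: exports(5) applies `secure` by default, which rejects NFS requests whose source port is 1024 or above unless the export carries `insecure`, and the sshd end of a tunnel connects to the NFS server from an ephemeral port (the tcpdump above shows localhost.51734). This POSIX sh script takes the exports line and a constructed one-line copy of that tcpdump record and reports whether the default would reject the request.

```sh
#!/bin/sh
# Added diagnostic (not from the question): check whether a tunnelled NFS request
# would be rejected by the exports(5) default "secure", which requires a source
# port below 1024 unless the export is marked "insecure".

# Constructed sample input: the exports line from the question and the first
# tcpdump record, collapsed onto one line.
EXPORTS_LINE='/nfs-share *(sec=sys,rw,sync,no_subtree_check,all_squash,anonuid=65534,anongid=65534)'
TCPDUMP_LINE='localhost.51734 > localhost.nfs: Flags [S], cksum 0xfe30 (incorrect -> 0x4d2d), seq 2290211965, win 65495, length 0'

# Print the client source port from a tcpdump record ("host.PORT > host.nfs").
tcpdump_src_port() {
    printf '%s\n' "$1" | sed -n 's/^.*\.\([0-9]\{1,\}\) > .*$/\1/p'
}

# Return 0 if the export's option list contains "insecure", 1 otherwise
# (exports(5): "secure" is the default and rejects source ports >= 1024).
export_allows_unprivileged_port() {
    opts=$(printf '%s\n' "$1" | sed -n 's/^[^(]*(\(.*\))$/\1/p')
    case ",$opts," in
        *,insecure,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if a request from source port $1 is accepted under export line $2.
check_source_port() {
    port=$1
    case $port in
        ''|*[!0-9]*) return 1 ;;   # not a port number at all
    esac
    if [ "$port" -lt 1024 ]; then
        return 0                   # privileged port: accepted regardless of "insecure"
    fi
    export_allows_unprivileged_port "$2"
}

# Human-readable verdict for one captured record against one export line.
diagnose() {
    port=$(tcpdump_src_port "$1")
    if check_source_port "$port" "$2"; then
        echo "source port $port: accepted by the export options"
    else
        echo "source port $port: >= 1024 and the export lacks 'insecure', so the default 'secure' rejects it"
    fi
}

diagnose "$TCPDUMP_LINE" "$EXPORTS_LINE"
```

Run it on the server with the real /etc/exports line and a tcpdump record of the tunnelled mount attempt to confirm or rule out this cause before looking elsewhere.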