Amanda-Users

Problem with ip_nat_amanda

2003-06-13 04:51:43
Subject: Problem with ip_nat_amanda
From: Alessandro Prete <alessandro.prete AT polial.polito DOT it>
To: amanda-users AT amanda DOT org
Date: Fri, 13 Jun 2003 10:46:47 +0200
Hi All,
I have a problem running Amanda in my NAT environment using the Netfilter
ip_nat_amanda module.

Over the last few weeks I have written to the netfilter users mailing
list but have had no answer; then I wrote to the author of the module
himself, who replied that he does not have much more time to dedicate to
this project. Now I'm writing to you, hoping for some good
suggestion...


Please take a look at the following text. Can you figure out what is
going wrong?

Thank you very much,
        Alessandro


-----(this is the email I wrote to the netfilter users group)

Hi all,

I'm running into trouble using the new ip_nat_amanda module. It seems to
correctly translate my internal IP into the nat-ext. if. IP for the "master
connections" (UDP port 10080), but no translation is done for the TCP
ones, as you can see from the sendbackup log. Amanda now works if the client
on the external net knows how to reach the IP of the internal server;
this is good, but not very elegant for a NAT implementation.
All machines use kernel 2.4.20-13.8 from RHN, but I have also built a
custom, patched 2.4.20-9 and found the same problem.
I think the problem is in the ip_nat_amanda module, because otherwise
my NAT works great.
Can someone help me?

Thanks,
           Alessandro


Network diagram:

amanda client
       |
       | nat-ext. if.
     nat
       | nat-int. if.
       | 192.168.1.1
amanda server

iptables script:

...

# Save the current forwarding state and disable forwarding while the
# rule set is (re)loaded.  (FWD is not used below; forwarding is
# re-enabled unconditionally at the end.)
FWD=`cat /proc/sys/net/ipv4/ip_forward`
echo "0" > /proc/sys/net/ipv4/ip_forward

# Kernel hardening: reverse-path filtering on, source routing and ICMP
# redirects off, no martian logging, ignore ICMP echo and bogus errors.
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/log_martians
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl

# Default deny on all three chains.  $IPTABLES, $LSMOD and $MODPROBE are
# set in the part of the script elided above.
$IPTABLES -P OUTPUT  DROP
$IPTABLES -P INPUT   DROP
$IPTABLES -P FORWARD DROP

# Load every conntrack and NAT helper module built for the running kernel
# (this is what pulls in ip_conntrack_amanda and ip_nat_amanda), skipping
# modules that are already loaded.  modprobe resolves dependencies, so
# the directory listing order does not matter.
MODULE_DIR="/lib/modules/`uname -r`/kernel/net/ipv4/netfilter/"
MODULES=`(cd $MODULE_DIR; ls *_conntrack_* *_nat_* | sed 's/\.o.*$//')`
for module in $(echo $MODULES); do
  # match the whole module name at line start, not a substring
  if $LSMOD | grep "^${module} " >/dev/null; then continue; fi
  if [ -e "${MODULE_DIR}/${module}.o" -o -e "${MODULE_DIR}/${module}.o.gz" ]; then
    $MODPROBE ${module} || exit 1
  fi
done

#
#  Rule 0(NAT): transparent proxy, internal HTTP -> local port 8080
#
$IPTABLES -t nat -A PREROUTING -p tcp -s 192.168.1.0/24 \
    --destination-port 80 -j REDIRECT --to-ports 8080
#
#  Rule 1(NAT): source-NAT the internal net behind the external address
#
$IPTABLES -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j SNAT \
    --to-source <nat-ext. if>
#

# Replies (ESTABLISHED) and helper-expected connections (RELATED), which is
# what the Amanda data streams should be, are accepted on all chains.
$IPTABLES -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

...

# Rule 1(global): services the firewall host itself accepts and originates
#
$IPTABLES -A INPUT -p tcp -m multiport -s <nat-ext. if> \
    --destination-ports 80,443,53,22,25 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p tcp -m multiport -s 192.168.0.2 \
    --destination-ports 80,443,53,22,25 -m state --state NEW -j ACCEPT
$IPTABLES -N Cid3DE1F6A4.0
$IPTABLES -A INPUT -p udp -m multiport --destination-ports 53,123 \
    -m state --state NEW -j Cid3DE1F6A4.0
$IPTABLES -A Cid3DE1F6A4.0 -s <nat-ext. if> -m state --state NEW -j ACCEPT
$IPTABLES -A Cid3DE1F6A4.0 -s 192.168.0.2 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -m multiport --destination-ports 80,443,53,22,25 \
    -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p udp -m multiport --destination-ports 53,123 \
    -m state --state NEW -j ACCEPT

...
# Rule 8(global): log (rate-limited) and accept new connections from the
# internal net to the firewall host
#
$IPTABLES -N RULE_8
$IPTABLES -A INPUT -s 192.168.1.0/24 -m state --state NEW -j RULE_8
$IPTABLES -A RULE_8 -m limit --limit 5/second -j LOG --log-level info \
    --log-prefix "RULE 8 -- ACCEPT "
$IPTABLES -A RULE_8 -j ACCEPT
# Rule 13(global): any new connection from the internal net is allowed
# in, out and through (this is what lets the Amanda server reach the client)
#
$IPTABLES -A INPUT   -s 192.168.1.0/24 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT  -s 192.168.1.0/24 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -s 192.168.1.0/24 -m state --state NEW -j ACCEPT
#
# Rule 14(global): log (rate-limited) and drop everything else
#
$IPTABLES -N RULE_14
$IPTABLES -A OUTPUT  -j RULE_14
$IPTABLES -A INPUT   -j RULE_14
$IPTABLES -A FORWARD -j RULE_14
$IPTABLES -A RULE_14 -m limit --limit 5/second -j LOG --log-level info \
    --log-prefix "RULE 14 -- DROP "
$IPTABLES -A RULE_14 -j DROP
#
# Re-enable forwarding now that the complete rule set is in place.
echo 1 > /proc/sys/net/ipv4/ip_forward




----- amandad log:

amandad: debug 1 pid 17674 ruid 33 euid 33 start time Fri May 23 21:00:00 2003
amandad: version 2.4.2p2
amandad: build: VERSION="Amanda-2.4.2p2"
amandad:        BUILT_DATE="Sun Jun 23 09:39:09 EDT 2002"
amandad:        BUILT_MACH="Linux perf90.perf.redhat.com 2.4.18-5smp #1 SMP Mon Jun 10 15:19:40 EDT 2002 i686 unknown"
amandad:        CC="gcc"
amandad: paths: bindir="/usr/bin" sbindir="/usr/sbin"
amandad:        libexecdir="/usr/lib/amanda" mandir="/usr/share/man"
amandad:        AMANDA_TMPDIR="/tmp/amanda" AMANDA_DBGDIR="/tmp/amanda"
amandad:        CONFIG_DIR="/etc/amanda" DEV_PREFIX="/dev/"
amandad:        RDEV_PREFIX="/dev/r" DUMP="/sbin/dump"
amandad:        RESTORE="/sbin/restore" SAMBA_CLIENT="/usr/bin/smbclient"
amandad:        GNUTAR="/bin/tar" COMPRESS_PATH="/bin/gzip"
amandad:        UNCOMPRESS_PATH="/bin/gzip" MAILER="/usr/bin/Mail"
amandad:        listed_incr_dir="/var/lib/amanda/gnutar-lists"
amandad: defs:  DEFAULT_SERVER="localhost" DEFAULT_CONFIG="DailySet1"
amandad:        DEFAULT_TAPE_SERVER="localhost"
amandad:        DEFAULT_TAPE_DEVICE="/dev/null" HAVE_MMAP HAVE_SYSVSHM
amandad:        LOCKING=POSIX_FCNTL SETPGRP_VOID DEBUG_CODE
amandad:        AMANDA_DEBUG_DAYS=4 BSD_SECURITY USE_AMANDAHOSTS
amandad:        CLIENT_LOGIN="amanda" FORCE_USERID HAVE_GZIP
amandad:        COMPRESS_SUFFIX=".gz" COMPRESS_FAST_OPT="--fast"
amandad:        COMPRESS_BEST_OPT="--best" UNCOMPRESS_OPT="-dc"
got packet:
--------
Amanda 2.4 REQ HANDLE 005-10680608 SEQ 1053716405
SECURITY USER amanda
SERVICE sendsize
OPTIONS maxdumps=5;hostname=<amanda client>;
GNUTAR / 0 1970:1:1:0:0:0 -1 exclude-file=./amhdisk
GNUTAR / 1 2003:5:21:19:7:10 -1 exclude-file=./amhdisk
--------

sending ack:
----
Amanda 2.4 ACK HANDLE 005-10680608 SEQ 1053716405
----

bsd security: remote host <nat-ext.if> user amanda local user amanda
amandahosts security check passed
amandad: running service "/usr/lib/amanda/sendsize"
amandad: sending REP packet:
----
Amanda 2.4 REP HANDLE 005-10680608 SEQ 1053716405
OPTIONS maxdumps=5;
/ 0 SIZE 5145230
/ 1 SIZE 2825450
----

amandad: got packet:
----
Amanda 2.4 ACK HANDLE 005-10680608 SEQ 1053716405
----

amandad: pid 17674 finish time Fri May 23 21:01:38 2003


------ sendbackup log:

sendbackup: debug 1 pid 17707 ruid 33 euid 33 start time Fri May 23 21:07:05 2003

/usr/lib/amanda/sendbackup: version 2.4.2p2
sendbackup: got input request: GNUTAR / 1 2003:5:21:19:7:10 OPTIONS |;bsd-auth;compress-fast;index;exclude-file=./amhdisk;
 parsed request as: program `GNUTAR'
                    disk `/'
                    lev 1
                    since 2003:5:21:19:7:10
                    opt `|;bsd-auth;compress-fast;index;exclude-file=./amhdisk;'
sendbackup: try_socksize: send buffer size is 65536
sendbackup: stream_server: waiting for connection: 0.0.0.0.41834
sendbackup: stream_server: waiting for connection: 0.0.0.0.41835
sendbackup: stream_server: waiting for connection: 0.0.0.0.41836
 waiting for connect on 41834, then 41835, then 41836
sendbackup: stream_accept: connection from 192.168.1.1.33517   <--- instead of <nat-ext.if>
sendbackup: stream_accept: connection from 192.168.1.1.33521   <--- instead of <nat-ext.if>
sendbackup: stream_accept: connection from 192.168.1.1.33524   <--- instead of <nat-ext.if>
got all connections
sendbackup: spawning /bin/gzip in pipeline
sendbackup: argument list: /bin/gzip --fast
sendbackup-gnutar: pid 17708: /bin/gzip --fast
sendbackup-gnutar: doing level 1 dump as listed-incremental from /var/lib/amanda/gnutar-lists/<amanda client>__0 to /var/lib/amanda/gnutar-lists/<amanda client>__1.new
sendbackup-gnutar: doing level 1 dump from date: 2003-05-21 19:07:11 GMT
sendbackup: spawning /usr/lib/amanda/runtar in pipeline
sendbackup: argument list: gtar --create --file - --directory / --one-file-system --listed-incremental /var/lib/amanda/gnutar-lists/<amanda client>__1.new --sparse --ignore-failed-read --totals --exclude ./amhdisk .
sendbackup: started index creator: "/bin/tar -tf - 2>/dev/null | sed -e 's/^\.//'"
sendbackup-gnutar: /usr/lib/amanda/runtar: pid 17710
sendbackup: index created successfully
sendbackup: pid 17707 finish time Fri May 23 21:28:18 2003
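
A quick check for the symptom shown in the sendbackup log above, added here as an example; it is not part of the original post and not code from Amanda or netfilter. It reads the stream_server and stream_accept lines that sendbackup writes, lists the data ports the client is waiting on (the ports the NAT helper has to expect and rewrite), and reports every accepted data stream whose source is not the NAT's external address, flagging RFC 1918 sources, which should never be seen on the outside of a NAT. The external address is an assumption (198.51.100.7, a TEST-NET-2 address standing in for the <nat-ext.if> placeholder), and the sample log is constructed from the lines quoted in the post.

```shell
#!/bin/sh
# Added example, not code from the original post or from Amanda/netfilter.
# Scans an Amanda sendbackup debug log for data streams that reached the
# client from an untranslated (internal) address.  NAT_EXT is the NAT's
# external address; 198.51.100.7 (TEST-NET-2) is an assumed stand-in for
# the <nat-ext.if> placeholder in the post.
NAT_EXT="${NAT_EXT:-198.51.100.7}"

# Sample log, constructed from the lines quoted in the post.
sample_sendbackup_log() {
  cat <<'EOF'
sendbackup: stream_server: waiting for connection: 0.0.0.0.41834
sendbackup: stream_server: waiting for connection: 0.0.0.0.41835
sendbackup: stream_server: waiting for connection: 0.0.0.0.41836
 waiting for connect on 41834, then 41835, then 41836
sendbackup: stream_accept: connection from 192.168.1.1.33517
sendbackup: stream_accept: connection from 192.168.1.1.33521
sendbackup: stream_accept: connection from 192.168.1.1.33524
got all connections
EOF
}

# Data ports the client listens on (stdin: sendbackup log), one per line.
# These are the connections the NAT helper must expect and translate.
data_ports() {
  sed -n 's/^sendbackup: stream_server: waiting for connection: 0\.0\.0\.0\.\([0-9][0-9]*\)$/\1/p'
}

# Source IP of every accepted data stream (stdin: sendbackup log).
accept_sources() {
  sed -n 's/^sendbackup: stream_accept: connection from \([0-9.]*\)\.[0-9][0-9]*$/\1/p'
}

# RFC 1918 test: such a source on the outside of a NAT means no SNAT happened.
is_private() {
  case "$1" in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# Reads a sendbackup log on stdin.  Prints "ok" when every data stream came
# from NAT_EXT; otherwise prints one "leak <ip> ..." line per untranslated
# source and returns 1.  Returns 2 if the log contains no data streams.
check_nat_leak() {
  log=$(cat)
  srcs=$(printf '%s\n' "$log" | accept_sources | sort -u)
  if [ -z "$srcs" ]; then
    echo "no data streams seen"
    return 2
  fi
  leaks=$(printf '%s\n' "$srcs" | grep -v -x -F "$NAT_EXT" || true)
  if [ -z "$leaks" ]; then
    echo ok
    return 0
  fi
  for src in $leaks; do
    if is_private "$src"; then
      echo "leak $src (private address crossed the NAT)"
    else
      echo "leak $src"
    fi
  done
  return 1
}
```

Run it as `sample_sendbackup_log | check_nat_leak`, or feed it a real sendbackup debug file from /tmp/amanda with NAT_EXT set to the real external address. A non-zero exit status means at least one data stream reached the client untranslated, which is exactly what the post's log shows: the UDP master connection was rewritten to the external address, but the three TCP streams arrived from 192.168.1.1.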



