Re: IPTables Rules for amanda.

Subject: Re: IPTables Rules for amanda.
From: Frank Smith <fsmith AT hoovers DOT com>
To: mikep AT mikeathome DOT net, amanda-users AT amanda DOT org
Date: Fri, 07 Jan 2005 18:40:52 -0600
--On Friday, January 07, 2005 14:05:19 -0500 "Michael J. Pawlowsky" <mikep AT 
mikeathome DOT net> wrote:

> I'm trying to back up a remote server.
> 
> On both machines (FC3) I am loading the ip_conntrack_amanda module for 
> IPTables.
> 
> I have the following in my iptables.
> 
> ACCEPT     udp  --  192.168.5.0/24       anywhere            udp dpt:amanda
> ACCEPT     tcp  --  192.168.5.0/24       anywhere            tcp dpt:amanda
> 
> So port 10080 udp and tcp are open on both machines.

I don't think it uses 1080 tcp.  I believe the requests from
the server connect to the client on 1080 udp, when the client
needs to respond to the server it connects to the server on
1080 udp and tells the server what tcp port the server needs
to connect to on the client to get the dumps (by default it
can be anywhere between 1024 and 65535).  Actually it will
first try to use something within tcpportrange (if defined)
and then a low port (which will fail on most OS's since Amanda
should be running as a non-privileged user) and then try
a random high port.

> 
> It can calculate the estimate, but the data never dumps.
> If I turn off the firewall it works, so I'm guessing I'm just missing some 
> rule?
> 
> Can someone tell me which one?

Do you have a rule allowing 'related' traffic?  If not, the
return connection won't be accepted.

Also, on a range of kernel versions, the Amanda conntrack module
was broken, causing the problem you see.  It was supposed to have
been fixed at one point and then possibly broken again.

Try running tcpdump on the client and server to see where the
packets disappear.  You may need to unload the amanda conntrack
module or build a different kernel version that works (sorry, I
don't know for sure which ones do, try looking in the archives).

If your conntrack module is non-working and replacing the kernel
isn't an option, you can not use conntrack and add rules to allow
the tcp connections to the clients.  Either allow access to all
high tcp ports from the Amanda server, or, if that is too big a
hole to open, recompile Amanda with the udpportrange and
tcpportrange options to limit the open ports used.  Check
docs/PORT.USAGE for details.

Good luck,
Frank


> 
> Thanks,
> Mike

-- 
Frank Smith                                      fsmith AT hoovers DOT com
Sr. Systems Administrator                       Voice: 512-374-4673
Hoover's Online                                   Fax: 512-374-4501
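The fallback Frank describes (an ESTABLISHED/RELATED rule plus explicit rules for the return TCP connection, scoped to a tcpportrange instead of every high port) can be written down as a small rule generator. This is an added example, not part of the thread or of Amanda's own tooling; the server address 192.168.5.10 and the port range 50000-50100 are assumed values, and the function only prints the iptables commands so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example (not from the thread): print iptables rules for an Amanda
# client that cannot rely on ip_conntrack_amanda.  It follows the two
# suggestions in the reply above: accept RELATED/ESTABLISHED traffic so the
# server's replies get through, and only open the TCP ports that Amanda was
# built to use (--with-tcpportrange), not the whole 1024-65535 range.
#
# Arguments (all assumed/site-specific):
#   $1  Amanda server address
#   $2  low end of the tcpportrange Amanda was compiled with
#   $3  high end of the tcpportrange
amanda_client_rules() {
    server="$1"
    tcp_low="$2"
    tcp_high="$3"
    cat <<EOF
# replies to connections this host initiated (e.g. the udp exchange on 10080)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# the server's initial udp request to amandad on port 10080
iptables -A INPUT -p udp -s $server --dport 10080 -j ACCEPT
# the server connecting back for the dump data, limited to tcpportrange
iptables -A INPUT -p tcp -s $server --dport $tcp_low:$tcp_high -m state --state NEW -j ACCEPT
EOF
}

# Weak alternative mentioned in the reply: open every unprivileged tcp port
# to the server.  Printed here only so the two choices can be compared.
amanda_client_rules_wide_open() {
    server="$1"
    printf 'iptables -A INPUT -p tcp -s %s --dport 1024:65535 -m state --state NEW -j ACCEPT\n' "$server"
}

# Count the iptables commands a rule set produces (comments excluded).
count_rules() {
    grep -c '^iptables' 
}

# Usage: review, then pipe into sh to apply:
#   amanda_client_rules 192.168.5.10 50000 50100
#   amanda_client_rules 192.168.5.10 50000 50100 | sh
```

The rules are appended with `-A`; on a chain that already ends in a REJECT or DROP rule they have to be inserted above it (`-I INPUT <n>`) or they will never match. The server side needs the mirror image: its own ESTABLISHED/RELATED rule and an accept for udp from each client to port 10080, since the client answers by connecting to the server's 10080 udp as the reply describes.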

