--On Friday, January 07, 2005 14:05:19 -0500 "Michael J. Pawlowsky" <mikep AT
mikeathome DOT net> wrote:
> I'm trying to back up a remote server.
>
> On both machines (FC3) I am loading the ip_conntrack_amanda module for
> IPTables.
>
> I have the following in my iptables.
>
> ACCEPT udp -- 192.168.5.0/24 anywhere udp dpt:amanda
> ACCEPT tcp -- 192.168.5.0/24 anywhere tcp dpt:amanda
>
> So port 10080 udp and tcp are open on both machines.
I don't think it uses 1080 tcp. I believe the requests from
the server connect to the client on 1080 udp, when the client
needs to respond to the server it connects to the server on
1080 udp and tells the server what tcp port the server needs
to connect to on the client to get the dumps (by default it
can be anywhere between 1024 and 65535). Actually it will
first try to use something within tcpportrange (if defined)
and then a low port (which will fail on most OS's since Amanda
should be running as a non-privileged user) and then try
a random high port.
>
> It can calculate the estimate, but the data never dumps.
> If I turn off the firewall it works, so I'm guessing I'm just missing some
> rule?
>
> Can someone tell me which one?
Do you have a rule allowing 'related' traffic? If not, the
return connection won't be accepted.
Also, on a range of kernel versions, the Amanda conntrack module
was broken, causing the problem you see. It was supposed to have
been fixed at one point and then possibly broken again.
Try running tcpdump on the client and server to see where the
packets disappear. You may need to unload the amanda conntrack
module or build a different kernel version that works (sorry, I
don't know for sure which ones do, try looking in the archives).
If your conntrack module is non-working and replacing the kernel
isn't an option, you can not use conntrack and add rules to allow
the tcp connections to the clients. Either allow access to all
high tcp ports from the Amanda server, or, if that is too big a
hole to open, recompile Amanda with the udpportrange and
tcpportrange options to limit the open ports used. Check
docs/PORT.USAGE for details.
Good luck,
Frank
>
> Thanks,
> Mike
>
>
>
--
Frank Smith fsmith AT hoovers DOT com
Sr. Systems Administrator Voice: 512-374-4673
Hoover's Online Fax: 512-374-4501
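As an added illustration of the two rule sets Frank describes (conntrack-based, or static rules that open udp 10080 plus the client's tcpportrange from the server only), here is a client-side iptables script. It is not code from the thread or from Amanda itself. The server address 192.168.5.10 and the tcpportrange 50000:50100 are assumed values for the example; replace them with your own, or use 1024:65535 for the "all high tcp ports" variant. By default the script only echoes the iptables commands so it can be inspected safely; set IPT=iptables to apply them.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list message.
# Assumed values (replace with your own):
AMANDA_SERVER="${AMANDA_SERVER:-192.168.5.10}"   # hypothetical Amanda server
TCPPORTRANGE="${TCPPORTRANGE:-50000:50100}"      # hypothetical --with-tcpportrange
IPT="${IPT:-echo iptables}"                      # dry run; set IPT=iptables to apply

# Returns 0 if the Amanda conntrack helper is loaded (Linux 2.6-era module name).
amanda_helper_loaded() {
    [ -r /proc/modules ] && grep -q '^ip_conntrack_amanda ' /proc/modules
}

# Variant 1: rely on conntrack. The RELATED,ESTABLISHED rule must come
# before any DROP/REJECT rule in INPUT, and ip_conntrack_amanda must be
# loaded and working, otherwise the server's data connection to the
# client's high tcp port is never classified as RELATED.
amanda_rules_conntrack() {
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -p udp -s "$AMANDA_SERVER" --dport 10080 -j ACCEPT
}

# Variant 2: no conntrack helper. Accept the udp control traffic and the
# tcp data connections from the server to the configured port range only.
amanda_rules_static() {
    $IPT -A INPUT -p udp -s "$AMANDA_SERVER" --dport 10080 -j ACCEPT
    $IPT -A INPUT -p tcp -s "$AMANDA_SERVER" --dport "$TCPPORTRANGE" -j ACCEPT
}

# Pick the variant based on whether the helper is present.
amanda_rules() {
    if amanda_helper_loaded; then
        amanda_rules_conntrack
    else
        amanda_rules_static
    fi
}

if [ "${1:-}" = "apply" ]; then
    amanda_rules
fi
```

Run with `sh amanda-fw.sh apply` to see the rules that would be added; `IPT=iptables sh amanda-fw.sh apply` installs them. The static variant is the one to use while the conntrack module is suspect, and it limits the hole to the server's address and the configured port range rather than every high port.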