Amanda-Users

Re: iptables and amanda

2005-08-04 23:57:24
Subject: Re: iptables and amanda
From: Frank Smith <fsmith AT hoovers DOT com>
To: "Jason 'XenoPhage' Frisvold" <friz AT godshell DOT com>, amanda-users AT amanda DOT org
Date: Thu, 04 Aug 2005 22:44:43 -0500
--On Thursday, August 04, 2005 22:26:35 -0400 Jason 'XenoPhage' Frisvold <friz AT godshell DOT com> wrote:

> Greetings,
> 
> I've been struggling a bit with amanda and iptables.  I can't seem to get
> them to play nice.  I'm aware of the ip_conntrack_amanda module, so I
> loaded that.  I then crafted my iptables like this:
> 
> *filter
> :INPUT DROP [3:431]
> :FORWARD DROP [0:0]
> :OUTPUT DROP [0:0]
># Input Chain
># SSH and Amanda from Server Farm
> -A INPUT -s 192.168.0.0/255.255.255.0 -p tcp -m multiport --dport 22,10082,10083 -j ACCEPT

amandad normally listens on UDP port 10080, so you need to add that

># Established sessions
> -A INPUT -p icmp -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
># Reject ICMP from unauthorized hosts
> -A INPUT -p icmp -j REJECT --reject-with icmp-port-unreachable
># Log everything else
> -A INPUT -j LOG --log-prefix "FIREWALL "
> 
># Output chain
># Established Sessions
> -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
> -A OUTPUT -p icmp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
> -A OUTPUT -p udp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
># Log everything else
> -A OUTPUT -j LOG --log-prefix "FIREWALL "
> COMMIT
> 
> 
> Local backups on the server work fine.  However, client backups fail.
> Checking the logs on the client, I see this in the sendbackup log:
> 
> sendbackup: try_socksize: send buffer size is 65536
> sendbackup: time 0.001: stream_server: waiting for connection: 0.0.0.0.54803
> sendbackup: time 0.001: stream_server: waiting for connection: 0.0.0.0.54804
> sendbackup: time 0.001: stream_server: waiting for connection: 0.0.0.0.54805
> sendbackup: time 0.001: waiting for connect on 54803, then 54804, then 54805
> sendbackup: time 29.993: stream_accept: timeout after 30 seconds
> sendbackup: time 29.994: timeout on data port 54803
> sendbackup: time 59.986: stream_accept: timeout after 30 seconds
> sendbackup: time 59.986: timeout on mesg port 54804
> sendbackup: time 89.979: stream_accept: timeout after 30 seconds
> sendbackup: time 89.979: timeout on index port 54805
> sendbackup: time 89.979: pid 13884 finish time Thu Aug  4 21:46:25 2005
> 
> So, I disabled iptables entirely on the server.  Backup worked fine.  I
> then tried adding an allow all line to the iptables config like this:
> 
> -A INPUT -s 192.168.0.0/255.255.255.0 -j ACCEPT
> 
> That didn't work.  So, I removed ip_conntrack_amanda and tried again. 
> Successful backup.
> 
> So is there just a major problem with ip_conntrack_amanda, or am I not
> using it right?  How should I set up iptables to handle this?

There were a few early 2.6 kernel versions (soon after the Amanda code was added into iptables) where the Amanda iptables module was broken and all backups would fail even if you had no rules defined (i.e., were accepting all packets in and out).

Did your 'LOG' rules log any packets that would be dropped?

If you are using one of the broken kernels and can't upgrade, you can do what we did before it was part of iptables and use these rules (along with your 'ESTABLISHED' rules):

# Amanda backups
-A INPUT -p udp -s $amanda --dport 10080 -j ACCEPT
-A INPUT -p tcp -s $amanda --dport 1024:65534 -j ACCEPT

if you use the default build. You can also configure Amanda with the tcpportrange and udpportrange options and narrow down the range of open ports (although if it is only open to the Amanda server it is not as big an issue).

> 
> Thanks!
> 
> -- 
> ---------------------------
> Jason 'XenoPhage' Frisvold
> Engine / Technology Programmer
> friz AT godshell DOT com
> RedHat Certified - RHCE # 803004140609871
> MySQL Pro Certified - ID# 207171862
> MySQL Core Certified - ID# 205982910

You wouldn't happen to know anyone looking for a MySQL DBA position, would you?

Frank

> ---------------------------
> "Something mysterious is formed, born in the silent void. Waiting alone and 
> unmoving, it is at once still and yet in constant motion. It is the source of 
> all programs. I do not know its name, so I will call it the Tao of 
> Programming."



--
Frank Smith                                                fsmith AT hoovers DOT com
Sr. Systems Administrator                                 Voice: 512-374-4673
Hoover's Online                                             Fax: 512-374-4501
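As an added example (not code from the thread, from Amanda, or from either poster): a small POSIX shell script that emits the two rules Frank gives above with a narrowed TCP range standing in for 1024:65534, and checks whether the stream ports a sendbackup log reports (such as 54803 to 54805 in Jason's post) fall inside the range that rule admits. Assumed: the rules are for the INPUT chain of the host where amandad and sendbackup listen, the range is given in LOW,HIGH form, and the server address 192.168.0.10 and range 50000,50100 are made-up values.

```shell
#!/bin/sh
# Added example, not code from the thread or from Amanda. Emits the two rules
# from the reply with a narrowed TCP range in place of 1024:65534, and checks
# whether the ports a sendbackup log reports fall inside that range. Assumed:
# the rules are for the host where amandad/sendbackup listen; values are made up.
AMANDA_SERVER=${AMANDA_SERVER:-192.168.0.10}   # constructed server address
TCPPORTRANGE=${TCPPORTRANGE:-50000,50100}      # stand-in for a tcpportrange

# range_ok LOW,HIGH: succeed only for a numeric, ordered, in-bounds range
range_ok() {
    case "$1" in *,*) ;; *) return 1 ;; esac
    for n in "${1%,*}" "${1#*,}"; do
        case "$n" in ''|*[!0-9]*) return 1 ;; esac
    done
    [ "${1%,*}" -ge 1 ] && [ "${1#*,}" -le 65535 ] && [ "${1%,*}" -le "${1#*,}" ]
}

# amanda_rules SERVER LOW,HIGH: print the iptables commands without applying
# them (review the output, then pipe it into sh on the firewall host)
amanda_rules() {
    range_ok "$2" || { echo "bad tcpportrange: $2" >&2; return 1; }
    # amandad control requests from the server arrive on UDP 10080
    echo "iptables -A INPUT -p udp -s $1 --dport 10080 -j ACCEPT"
    # data/mesg/index streams: the server connects to listening ports in the range
    echo "iptables -A INPUT -p tcp -s $1 --dport ${2%,*}:${2#*,} -j ACCEPT"
}

# log_ports_outside LOGTEXT LOW,HIGH: print each 'waiting for connection' port
# that the TCP rule above would not admit; succeed only when there are none
log_ports_outside() {
    range_ok "$2" || return 2
    printf '%s\n' "$1" |
    sed -n 's/.*waiting for connection: [0-9.]*\.\([0-9][0-9]*\)$/\1/p' |
    while read -r port; do
        if [ "$port" -lt "${2%,*}" ] || [ "$port" -gt "${2#*,}" ]; then
            echo "$port"
        fi
    done | grep . && return 1
    return 0
}

# Three lines of the sendbackup log quoted in the thread, used as sample input
SAMPLE_LOG='sendbackup: time 0.001: stream_server: waiting for connection: 0.0.0.0.54803
sendbackup: time 0.001: stream_server: waiting for connection: 0.0.0.0.54804
sendbackup: time 0.001: stream_server: waiting for connection: 0.0.0.0.54805'
# Run with --run to print the rules and flag logged ports the rule would drop
if [ "${1-}" = "--run" ]; then
    amanda_rules "$AMANDA_SERVER" "$TCPPORTRANGE"
    log_ports_outside "$SAMPLE_LOG" "$TCPPORTRANGE" || echo "ports above fall outside $TCPPORTRANGE" >&2
fi
```

With the sample log and the 50000,50100 range the script lists all three ports as outside the rule, which is the same symptom Jason's log shows when the server's connections to the data, mesg and index ports never arrive.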
