Amanda-Users

Re: iptables and amanda

2005-08-05 13:08:27
Subject: Re: iptables and amanda
From: "Jason 'XenoPhage' Frisvold" <friz AT godshell DOT com>
To: Frank Smith <fsmith AT hoovers DOT com>
Date: Fri, 05 Aug 2005 12:50:07 -0400
Frank Smith wrote:

> amandad normally listens on UDP port 10080, so you need to add that

As in :

-A INPUT -s $amanda -p udp --dport 10080 -j ACCEPT

correct? Where $amanda is the IP address of the server? If this were not in the iptables config, and ip_conntrack_amanda were on, would it still allow it? I'm not completely familiar with the connection tracking modules.. I've been able to do most everything without them thus far.. Although, it's looking like I'll definitely need them for stuff like amanda, ftp, and nfs.. (Not sure if there is an nfs module tho)

> There were a few early 2.6 kernel versions (soon after the Amanda code was
> added into iptables) where the Amanda iptables module was broken and all
> backups would fail even if you had no rules defined (i.e., were accepting all
> packets in and out).

Hrm.. I would *hope* that redhat updated their distro with the fixes.. I'm running the latest RHES 4.0 packages..

> Did your 'LOG' rules log any packets that would be dropped?

Nope. And that caused more confusion than you know.. I kept thinking it was the tape drive and not the firewall.. I spent countless hours testing and re-testing that tape drive... :P

> If you are using one of the broken kernels and can't upgrade, you can do what
> we did before it was part of iptables and use these rules (along with your
> 'ESTABLISHED' rules):
>
> # Amanda backups
> -A INPUT -p udp -s $amanda --dport 10080 -j ACCEPT
> -A INPUT -p tcp -s $amanda --dport 1024:65534 -j ACCEPT
>
> if you use the default build. You can also configure Amanda with the
> tcpportrange and udpportrange options and narrow down the range of open ports
> (although if it is only open to the Amanda server it is not as big an issue).

I'll look at using these rules if I can't get the connection tracking to work.. And, again, in your example, $amanda is the server IP, right?

> --
> Frank Smith                                                fsmith AT hoovers DOT com
> Sr. Systems Administrator                                 Voice: 512-374-4673
> Hoover's Online                                             Fax: 512-374-4501

Thanks for the info!!!!!

As an aside.. Did you get multiple copies of my first email? I got 2 myself, and 4 copies of your reply.. *boggle*

Jason
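As an added example (not code from either poster), here is a small POSIX shell script that generates the client-side rules Frank quotes above, lets you narrow the TCP range to whatever tcpportrange the server was built with, and wraps them in a complete filter table with the ESTABLISHED rule and a LOG rule in front of the default DROP, so a blocked backup shows up in syslog instead of looking like a tape-drive fault. The server address 192.0.2.10, the narrowed range 50000:50100 and the function names are constructed for the example.

```shell
#!/bin/sh
# Constructed example: emits iptables-restore rules for an Amanda client, not
# code from the thread. Arguments: SERVER_IP [TCP_LO TCP_HI [UDP_PORT]].
# Defaults match the default build Frank describes (UDP 10080, TCP 1024:65534).
amanda_rules() {
    server="$1"
    tcp_lo="${2:-1024}"
    tcp_hi="${3:-65534}"
    udp_port="${4:-10080}"
    # refuse to emit rules with an empty source: "-s" with nothing behind it
    # would turn the rule into "accept from everyone"
    if [ -z "$server" ]; then
        echo "amanda_rules: server IP required" >&2
        return 1
    fi
    # sanity-check the range so a typo does not open more than intended
    if [ "$tcp_lo" -gt "$tcp_hi" ] || [ "$tcp_hi" -gt 65535 ]; then
        echo "amanda_rules: bad TCP range $tcp_lo:$tcp_hi" >&2
        return 1
    fi
    # amandad answers the server's requests on UDP 10080
    printf -- '-A INPUT -p udp -s %s --dport %s -j ACCEPT\n' "$server" "$udp_port"
    # the data connections come back from the server to a high TCP port; narrow
    # this to the tcpportrange the server was built with, if you set one
    printf -- '-A INPUT -p tcp -s %s --dport %s:%s -j ACCEPT\n' "$server" "$tcp_lo" "$tcp_hi"
}

# How many TCP ports the range rule exposes to the server (low and high inclusive).
amanda_open_tcp_ports() {
    echo $(( $2 - $1 + 1 ))
}

# Complete filter table: drop by default, keep ESTABLISHED/RELATED traffic,
# allow the Amanda rules, and LOG (rate-limited) what is about to be dropped.
amanda_ruleset() {
    printf '*filter\n:INPUT DROP [0:0]\n:FORWARD DROP [0:0]\n:OUTPUT ACCEPT [0:0]\n'
    printf -- '-A INPUT -i lo -j ACCEPT\n'
    printf -- '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n'
    amanda_rules "$@" || return 1
    printf -- '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT DROP: "\n'
    printf 'COMMIT\n'
}

# Example: amanda_ruleset 192.0.2.10 50000 50100 > /tmp/amanda-client.rules
```

Review the generated file and load it with iptables-restore. The wide 1024:65534 rule is only needed on the broken kernels Frank mentions: when the Amanda conntrack helper is loaded and working, it reads the port numbers out of the UDP 10080 reply and marks the server's TCP data connections as RELATED, so the ESTABLISHED,RELATED rule admits them on its own. On recent kernels the helper is nf_conntrack_amanda and is no longer assigned automatically; it has to be attached to the UDP 10080 flow with a CT rule in the raw table, which is worth checking before concluding the firewall "just works" without the explicit range.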
