Amanda-Users

Re: iptables and amanda

2005-08-05 13:32:18
Subject: Re: iptables and amanda
From: Frank Smith <fsmith AT hoovers DOT com>
To: "Jason 'XenoPhage' Frisvold" <friz AT godshell DOT com>
Date: Fri, 05 Aug 2005 12:25:12 -0500
--On Friday, August 05, 2005 12:50:07 -0400 Jason 'XenoPhage' Frisvold <friz AT 
godshell DOT com> wrote:

> Frank Smith wrote:
> 
>> amandad normally listens on UDP port 10080, so you need to add that
>> 
> 
> As in :
> 
> -A INPUT -s $amanda -p udp --dport 10080 -j ACCEPT
> 
> correct?  Where $amanda is the IP address of the server?  If this were not in 
> the iptables config, and ip_conntrack_amanda were on, would it still allow 
> it?  I'm not completely familiar with the connection tracking modules..  I've 
> been able to do most everything without them thus far..  Although, it's 
> looking like I'll definitely need them for stuff like amanda, ftp, and nfs..  
> (Not sure if there is an nfs module tho)

Yes, $amanda is the IP address of the server, I was pasting a line out of one
of my home machines and didn't explain the variable (iptables rules become
simpler to manage if you make your IPs and networks variables.  Not only is
it easier to change, you won't typo a single IP in one rule and spend hours
trying to figure out why it isn't working properly).
  The various conntrack modules work by relating activity on various ports.
For example, if the ftp conntrack module is installed, after a connection
is made to port 21 it will allow the reverse data connection from the remote IP,
but only if a) you have a RELATED accept rule, and b) you allow the incoming
packets to port 21 in the first place.
  I don't recall if you had ESTABLISHED,RELATED or just ESTABLISHED in your
rules; if only ESTABLISHED, then none of the conntrack modules will work.

> 
>> There were a few early 2.6 kernel versions (soon after the Amanda code was 
>> added into
>> iptables) where the Amanda iptables module was broken and all backups would 
>> fail even
>> if you had no rules defined (i.e., were accepting all packets in and out).
> 
> Hrm..  I would *hope* that redhat updated their distro with the fixes..  I'm 
> running the latest RHES 4.0 packages..

Wouldn't know, I'm a Debian person who always builds custom kernels anyway.

> 
>> Did your 'LOG' rules log any packets that would be dropped?
> 
> Nope.  And that cause more confusion than you know..  I kept thinking it was 
> the tape drive and not the firewall..  I spent countless hours testing and 
> re-testing that tape drive...  :P
> 
>> If you are using one of the broken kernels and can't upgrade, you can do 
>> what we did
>> before it was part of iptables and use these rules (along with your 
>> 'ESTABLISHED' rules:
>> 
>> # Amanda backups
>> -A INPUT -p udp -s $amanda --dport 10080 -j ACCEPT
>> -A INPUT -p tcp -s $amanda --dport 1024:65534 -j ACCEPT
>> 
>> if you use the default build. You can also configure Amanda with the 
>> tcpportrange and
>> udpportrange options and narrow down the range of open ports (although if it 
>> is only
>> open to the Amanda server it is not as big an issue).
> 
> I'll look at using these rules if I can't get the connection tracking to 
> work..  And, again, in your example, $amanda is the server IP, right?

Yes.

> Thanks for the info!!!!!
> 
> As an aside..  Did you get multiple copies of my first email?  I got 2 
> myself, and 4 copies of your reply..  *boggle*

Yep, I saw two copies as well, but only replied once.

Frank
> 
> Jason



-- 
Frank Smith                                      fsmith AT hoovers DOT com
Sr. Systems Administrator                       Voice: 512-374-4673
Hoover's Online                                   Fax: 512-374-4501
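The rule set discussed in this thread, written out as an added example (not from either poster): the Amanda server IP is a variable typed once, the ESTABLISHED,RELATED rule the conntrack helpers depend on comes first, and the TCP range can be narrowed to match a tcpportrange setting. The server IP and the IPT dry-run default are assumptions.

```shell
#!/bin/sh
# Added example, not the thread's own config. IPT defaults to a dry run that
# only prints the commands; run with IPT=iptables (as root) to apply them.
: "${IPT:=echo iptables}"
amanda="192.0.2.10"   # constructed sample: the Amanda server's IP (assumption)

amanda_rules() {
    # Narrowed TCP range if Amanda was built/configured with tcpportrange;
    # default is the unrestricted range quoted in the thread.
    tcp_range="${AMANDA_TCP_RANGE:-1024:65534}"
    # RELATED is required for any conntrack helper (amanda, ftp) to admit the
    # follow-up connections it recognises; ESTABLISHED alone is not enough.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # amandad listens on UDP 10080; only the backup server may reach it
    $IPT -A INPUT -p udp -s "$amanda" --dport 10080 -j ACCEPT
    # Data connections from the server land on high TCP ports
    $IPT -A INPUT -p tcp -s "$amanda" --dport "$tcp_range" -j ACCEPT
    # Log before dropping, so a blocked backup shows up in the firewall log
    # instead of looking like a tape drive fault
    $IPT -A INPUT -j LOG --log-prefix "INPUT-DROP: "
    $IPT -A INPUT -j DROP
}

amanda_rules
```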

