Amanda-Users

Re: iptables and amanda

2005-08-05 13:35:26
Subject: Re: iptables and amanda
From: Frank Smith <fsmith AT hoovers DOT com>
To: "Jason 'XenoPhage' Frisvold" <friz AT godshell DOT com>
Date: Fri, 05 Aug 2005 12:29:47 -0500
--On Friday, August 05, 2005 13:05:53 -0400 Jason 'XenoPhage' Frisvold <friz AT godshell DOT com> wrote:

> Frank Smith wrote:
> 
>> amandad normally listens on UDP port 10080, so you need to add that
>>  
>> 
> 
> Actually, I think I have this covered :
> 
> -A INPUT -s 204.10.167.0/255.255.255.192 -p udp -m multiport --ports 10080 -j 
> ACCEPT

If that was in your original post I overlooked it; I only saw a rule for TCP.
Also, if you're only allowing one port in a rule you don't need multiport, but
I don't know if it is an error to call it with just a single port.
> 
>> If you are using one of the broken kernels and can't upgrade, you can do what we did
>> before it was part of iptables and use these rules (along with your 'ESTABLISHED' rules:
>> 
>># Amanda backups
>> -A INPUT -p udp -s $amanda --dport 10080 -j ACCEPT
>> -A INPUT -p tcp -s $amanda --dport 1024:65534 -j ACCEPT
>>  
>> 
> 
> I tried adding that second rule, albeit the connection module was enabled.  
> Still got this in the sendbackup log :
> 
> sendbackup: time 0.000: stream_server: waiting for connection: 0.0.0.0.40449
> sendbackup: time 0.000: stream_server: waiting for connection: 0.0.0.0.40450
> sendbackup: time 0.000: stream_server: waiting for connection: 0.0.0.0.40451
> sendbackup: time 0.000: waiting for connect on 40449, then 40450, then 40451
> sendbackup: time 29.992: stream_accept: timeout after 30 seconds
> sendbackup: time 29.992: timeout on data port 40449
> sendbackup: time 59.984: stream_accept: timeout after 30 seconds
> sendbackup: time 59.984: timeout on mesg port 40450
> sendbackup: time 89.977: stream_accept: timeout after 30 seconds
> sendbackup: time 89.977: timeout on index port 40451
> sendbackup: time 89.977: pid 6891 finish time Fri Aug  5 13:00:46 2005
> 
> Turned off the tracking module and it worked.  I guess that's the issue 
> then..  :(  I'd much rather have that module working, but oh well...  *sigh*

See also my comment from my reply a few minutes ago about RELATED before you
give up on it.

Frank

> 
>> if you use the default build. You can also configure Amanda with the tcpportrange and
>> udpportrange options and narrow down the range of open ports (although if it is only
>> open to the Amanda server it is not as big an issue).
>>  
>> 
> 
> I think I'll give this a shot..  I don't like leaving ports wide open, even 
> when they're limited to my own servers...
> 
> Jason



-- 
Frank Smith                                      fsmith AT hoovers DOT com
Sr. Systems Administrator                       Voice: 512-374-4673
Hoover's Online                                   Fax: 512-374-4501
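A small diagnostic for the failure quoted above, added here as an example (not code from the thread or from Amanda): it parses the sendbackup log lines, collects the dynamic data/mesg/index ports the client listened on, and checks them against the `--dport` range of the firewall rule, so a port-range problem can be told apart from a connection-tracking one. The log lines and the two rules are the ones quoted in the thread; the narrower 50000:50100 range is a constructed value standing in for a tightened tcpportrange.

```python
import re

# Constructed sample: the sendbackup log lines quoted in the thread.
SENDBACKUP_LOG = """\
sendbackup: time 0.000: stream_server: waiting for connection: 0.0.0.0.40449
sendbackup: time 0.000: stream_server: waiting for connection: 0.0.0.0.40450
sendbackup: time 0.000: stream_server: waiting for connection: 0.0.0.0.40451
sendbackup: time 0.000: waiting for connect on 40449, then 40450, then 40451
sendbackup: time 29.992: stream_accept: timeout after 30 seconds
sendbackup: time 29.992: timeout on data port 40449
sendbackup: time 59.984: stream_accept: timeout after 30 seconds
sendbackup: time 59.984: timeout on mesg port 40450
sendbackup: time 89.977: stream_accept: timeout after 30 seconds
sendbackup: time 89.977: timeout on index port 40451
"""

# "0.0.0.0.40449" is address and port joined by a dot; the last field is the port.
LISTEN_RE = re.compile(r"stream_server: waiting for connection: \S+\.(\d+)$")
TIMEOUT_RE = re.compile(r"timeout on (\w+) port (\d+)$")
DPORT_RE = re.compile(r"--dport\s+(\d+)(?::(\d+))?")

def parse_sendbackup(log):
    """Return (set of ports the client listened on, {stream: port} that timed out)."""
    listening, timed_out = set(), {}
    for line in log.splitlines():
        m = LISTEN_RE.search(line)
        if m:
            listening.add(int(m.group(1)))
        m = TIMEOUT_RE.search(line)
        if m:
            timed_out[m.group(1)] = int(m.group(2))
    return listening, timed_out

def allowed_ports(iptables_rule):
    """Return (low, high) from the rule's --dport; a single port gives low == high."""
    m = DPORT_RE.search(iptables_rule)
    if not m:
        raise ValueError("rule has no --dport")
    low = int(m.group(1))
    return low, int(m.group(2) or low)

def diagnose(log, iptables_rule):
    """For each timed-out stream, say whether the firewall range explains it."""
    _, timed_out = parse_sendbackup(log)
    low, high = allowed_ports(iptables_rule)
    return {stream: ("outside_range" if not low <= port <= high
                     else "in_range_still_timed_out")
            for stream, port in timed_out.items()}
```

A result of `in_range_still_timed_out` for all three streams, as with the quoted 1024:65534 rule, means the ports were allowed and the failure lies elsewhere (in this thread, the connection-tracking module).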

