Re: iptables and amanda
2005-08-05 13:35:26
--On Friday, August 05, 2005 13:05:53 -0400 Jason 'XenoPhage' Frisvold <friz AT godshell DOT com> wrote:
> Frank Smith wrote:
>
>> amandad normally listens on UDP port 10080, so you need to add that
>
> Actually, I think I have this covered :
>
> -A INPUT -s 204.10.167.0/255.255.255.192 -p udp -m multiport --ports 10080 -j ACCEPT
If that was in your original post I overlooked it; I only saw a rule for TCP.
Also, if you're only allowing one port in a rule you don't need multiport, but
I don't know if it is an error to call it with just a single port.
>
>> If you are using one of the broken kernels and can't upgrade, you can do
>> what we did before it was part of iptables and use these rules (along with
>> your 'ESTABLISHED' rules):
>>
>> # Amanda backups
>> -A INPUT -p udp -s $amanda --dport 10080 -j ACCEPT
>> -A INPUT -p tcp -s $amanda --dport 1024:65534 -j ACCEPT
>>
>
> I tried adding that second rule, albeit the connection module was enabled.
> Still got this in the sendbackup log :
>
> sendbackup: time 0.000: stream_server: waiting for connection: 0.0.0.0.40449
> sendbackup: time 0.000: stream_server: waiting for connection: 0.0.0.0.40450
> sendbackup: time 0.000: stream_server: waiting for connection: 0.0.0.0.40451
> sendbackup: time 0.000: waiting for connect on 40449, then 40450, then 40451
> sendbackup: time 29.992: stream_accept: timeout after 30 seconds
> sendbackup: time 29.992: timeout on data port 40449
> sendbackup: time 59.984: stream_accept: timeout after 30 seconds
> sendbackup: time 59.984: timeout on mesg port 40450
> sendbackup: time 89.977: stream_accept: timeout after 30 seconds
> sendbackup: time 89.977: timeout on index port 40451
> sendbackup: time 89.977: pid 6891 finish time Fri Aug 5 13:00:46 2005
>
> Turned off the tracking module and it worked. I guess that's the issue
> then.. :( I'd much rather have that module working, but oh well... *sigh*
See also my comment from my reply a few minutes ago about RELATED before you
give up on it.
Frank
>
>> if you use the default build. You can also configure Amanda with the
>> tcpportrange and udpportrange options and narrow down the range of open
>> ports (although if it is only open to the Amanda server it is not as big
>> an issue).
>>
>>
>
> I think I'll give this a shot.. I don't like leaving ports wide open, even
> when they're limited to my own servers...
>
> Jason
--
Frank Smith fsmith AT hoovers DOT com
Sr. Systems Administrator Voice: 512-374-4673
Hoover's Online Fax: 512-374-4501
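An added example, not from this thread and not Amanda's own code, putting Frank's client-side rules together with a narrowed TCP port range and checking the ports that sendbackup reports against the range the firewall actually opens. The server address 204.10.167.10, the range 50000:50100 and the configure flag spelling `--with-tcpportrange=low,high` are assumptions; the sample log lines are the ones Jason posted, copied in as constructed input.

```shell
#!/bin/sh
# Added example, not from the thread or from Amanda itself.
# Assumed: the Amanda client was built with
#   ./configure --with-tcpportrange=50000,50100 ...   (flag spelling assumed)
# and the backup server lives at the hypothetical address below.
AMANDA_SERVER="${AMANDA_SERVER:-204.10.167.10}"   # hypothetical
TCP_LO=50000
TCP_HI=50100

# Emit iptables rules for the client instead of applying them, so they can
# be reviewed first (feed them to iptables-restore, or prefix each line
# with "iptables" to apply).
amanda_client_rules() {
    server="$1"; lo="$2"; hi="$3"
    # Replies to connections the client opened; on kernels where the amanda
    # conntrack helper works, RELATED also covers the back-connections.
    echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Control channel: the server talks to amandad on UDP 10080.
    echo "-A INPUT -p udp -s $server --dport 10080 -j ACCEPT"
    # Data, mesg and index streams: the server connects back to the three
    # ports sendbackup listens on, which must fall inside lo:hi. With a
    # default build this is the 1024:65534 rule from the mail.
    echo "-A INPUT -p tcp -s $server --dport $lo:$hi --syn -j ACCEPT"
}

# Pull the listening ports out of a sendbackup debug log read from stdin.
sendbackup_ports() {
    sed -n 's/.*stream_server: waiting for connection: 0\.0\.0\.0\.\([0-9][0-9]*\)$/\1/p'
}

# Succeed only if every port read from stdin lies within lo..hi.
ports_within_range() {
    lo="$1"; hi="$2"
    while read -r p; do
        [ "$p" -ge "$lo" ] && [ "$p" -le "$hi" ] || return 1
    done
    return 0
}

# Constructed input: the listening ports from Jason's sendbackup log.
SAMPLE_LOG='sendbackup: time 0.000: stream_server: waiting for connection: 0.0.0.0.40449
sendbackup: time 0.000: stream_server: waiting for connection: 0.0.0.0.40450
sendbackup: time 0.000: stream_server: waiting for connection: 0.0.0.0.40451
sendbackup: time 0.000: waiting for connect on 40449, then 40450, then 40451'

amanda_client_rules "$AMANDA_SERVER" "$TCP_LO" "$TCP_HI"
if printf '%s\n' "$SAMPLE_LOG" | sendbackup_ports | ports_within_range "$TCP_LO" "$TCP_HI"; then
    echo "ok: sendbackup ports fall inside the opened range"
else
    echo "mismatch: sendbackup listens outside $TCP_LO:$TCP_HI; rebuild with the right range or widen the rule" >&2
fi
```

Run against the log from the thread, the check reports a mismatch: 40449-40451 are ephemeral ports from a default build, so a rule narrowed to 50000:50100 would block the data, mesg and index connections exactly as the 30-second stream_accept timeouts show. The TCP rule only has to admit the server's initial SYN to the listening ports; the rest of each stream is then matched by ESTABLISHED, which is why that rule is placed first.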