Re: iptables script
2005-05-14 19:07:44
On Sat, May 14, 2005 at 05:29:10PM -0400, Joshua Baker-LePain enlightened us:
> > For the first time ever i have to backup a machine over the 'internet' -
> > This client is using iptables as its firewall. Does anyone have an iptables
> > rule they would like to share that would allow amanda through to be able to
> > backup this client?
>
> If you haven't compiled with any "portrange" options, you'll have to do
> something like this:
>
> -A INPUT -p udp -s $AMANDA_SERVER -d 0/0 --dport 10080 -j ACCEPT
> -A INPUT -p tcp -m tcp -s $AMANDA_SERVER -d 0/0 --dport 1025:65535 -j ACCEPT
Or
-A INPUT -p udp -s $AMANDA_SERVER -d $AMANDA_CLIENT --dport 10080 -j ACCEPT
and load the ip_conntrack_amanda kernel module. I use the following in
/etc/modprobe.conf:
options ip_conntrack_amanda master_timeout=2400
install ip_tables /sbin/modprobe --ignore-install ip_tables && \
/sbin/modprobe ip_conntrack_amanda
(Lines 2 & 3 are all one line)
This sets the UDP timeout for amanda packets to 2400 seconds, up from the
default 300 (don't hold me to that, it might be 600). I was getting estimate
timeouts since they were taking longer than 300/600 seconds and the firewall
would close the port.
Makes things a little more secure than opening up everything > 1024 ;-)
Matt
--
Matt Hyclak
Department of Mathematics
Department of Social Work
Ohio University
(740) 593-1263
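A current-day iptables rendering of the narrower approach above, added as an example and not taken from the thread: it assumes nf_conntrack (the successor of ip_conntrack), the explicit CT helper rule that kernels since 4.7 need because automatic helper assignment is off by default, and assumed TEST-NET addresses for AMANDA_SERVER and AMANDA_CLIENT.

```shell
#!/bin/sh
# Added example, not from the original post. Emits (or with --apply, loads)
# the Amanda client rules using the conntrack helper instead of opening
# tcp 1025:65535. Assumes INPUT already defaults to DROP and that the
# amanda helper is named "amanda" (as registered by nf_conntrack_amanda).

amanda_client_rules() {
    server="$1"; client="$2"
    # Attach the amanda helper to the UDP control packet (port 10080); newer
    # kernels no longer do this automatically when the module is loaded.
    printf '%s\n' "iptables -t raw -A PREROUTING -p udp -s $server -d $client --dport 10080 -j CT --helper amanda"
    # Accept the control packet itself.
    printf '%s\n' "iptables -A INPUT -p udp -s $server -d $client --dport 10080 -j ACCEPT"
    # The helper marks the data/mesg/index TCP connections RELATED, so only
    # those get in rather than the whole unprivileged port range.
    printf '%s\n' "iptables -A INPUT -p tcp -s $server -d $client -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
}

# Refuse anything that is not a dotted-quad IPv4 address, so a stray "0/0"
# or a hostname cannot silently widen the rule to every source.
is_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Returns 0 if the amanda conntrack helper module is loaded (old or new name).
amanda_helper_loaded() {
    grep -Eq '^(nf|ip)_conntrack_amanda ' /proc/modules 2>/dev/null
}

main() {
    server="${AMANDA_SERVER:-192.0.2.10}"   # assumed value (TEST-NET-1)
    client="${AMANDA_CLIENT:-192.0.2.20}"   # assumed value (TEST-NET-1)
    if ! is_ipv4 "$server" || ! is_ipv4 "$client"; then
        echo "AMANDA_SERVER/AMANDA_CLIENT must be single IPv4 addresses" >&2
        return 1
    fi
    if [ "$1" = "--apply" ]; then
        amanda_helper_loaded || modprobe nf_conntrack_amanda
        amanda_client_rules "$server" "$client" | sh -e
    else
        amanda_client_rules "$server" "$client"   # dry run: print the rules
    fi
}

main "$@"
```

Without `--apply` the script only prints the three rules, so it can be reviewed before anything touches the firewall.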