Re: iptables and amanda
2005-08-05 13:12:19
Frank Smith wrote:
> amandad normally listens on UDP port 10080, so you need to add that
Actually, I think I have this covered:

-A INPUT -s 204.10.167.0/255.255.255.192 -p udp -m multiport --ports 10080 -j ACCEPT
> If you are using one of the broken kernels and can't upgrade, you can do what
> we did before it was part of iptables and use these rules (along with your
> 'ESTABLISHED' rules):
>
> # Amanda backups
> -A INPUT -p udp -s $amanda --dport 10080 -j ACCEPT
> -A INPUT -p tcp -s $amanda --dport 1024:65534 -j ACCEPT
I tried adding that second rule, even though the connection module was
enabled. Still got this in the sendbackup log:
sendbackup: time 0.000: stream_server: waiting for connection: 0.0.0.0.40449
sendbackup: time 0.000: stream_server: waiting for connection: 0.0.0.0.40450
sendbackup: time 0.000: stream_server: waiting for connection: 0.0.0.0.40451
sendbackup: time 0.000: waiting for connect on 40449, then 40450, then 40451
sendbackup: time 29.992: stream_accept: timeout after 30 seconds
sendbackup: time 29.992: timeout on data port 40449
sendbackup: time 59.984: stream_accept: timeout after 30 seconds
sendbackup: time 59.984: timeout on mesg port 40450
sendbackup: time 89.977: stream_accept: timeout after 30 seconds
sendbackup: time 89.977: timeout on index port 40451
sendbackup: time 89.977: pid 6891 finish time Fri Aug 5 13:00:46 2005
Turned off the tracking module and it worked. I guess that's the issue
then.. :( I'd much rather have that module working, but oh well... *sigh*
> if you use the default build. You can also configure Amanda with the
> tcpportrange and udpportrange options and narrow down the range of open ports
> (although if it is only open to the Amanda server it is not as big an issue).
I think I'll give this a shot.. I don't like leaving ports wide open,
even when they're limited to my own servers...
> --
> Frank Smith                                    fsmith AT hoovers DOT com
> Sr. Systems Administrator                          Voice: 512-374-4673
> Hoover's Online                                      Fax: 512-374-4501
Jason
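One way to tell a port-range problem apart from the connection-tracking problem Jason hit, as an added example that is not from the thread: it checks the ports sendbackup timed out on against the range the iptables rule accepts. The log and the wide rule are the ones quoted above; the narrowed rule and its 50000-50100 tcpportrange are assumptions.

```python
import re

# Sendbackup log quoted in the thread (client side; stream_server picks the ports).
SENDBACKUP_LOG = """\
sendbackup: time 0.000: stream_server: waiting for connection: 0.0.0.0.40449
sendbackup: time 0.000: stream_server: waiting for connection: 0.0.0.0.40450
sendbackup: time 0.000: stream_server: waiting for connection: 0.0.0.0.40451
sendbackup: time 29.992: stream_accept: timeout after 30 seconds
sendbackup: time 29.992: timeout on data port 40449
sendbackup: time 59.984: stream_accept: timeout after 30 seconds
sendbackup: time 59.984: timeout on mesg port 40450
sendbackup: time 89.977: stream_accept: timeout after 30 seconds
sendbackup: time 89.977: timeout on index port 40451
"""

# Fallback rule from the thread: every unprivileged TCP port, but only from the Amanda server.
WIDE_RULE = "-A INPUT -p tcp -s $amanda --dport 1024:65534 -j ACCEPT"

# Hypothetical narrowed rule, assuming Amanda was built with a tcpportrange of 50000-50100.
NARROW_RULE = "-A INPUT -p tcp -s $amanda --dport 50000:50100 -j ACCEPT"

TIMEOUT_RE = re.compile(r"timeout on (data|mesg|index) port (\d+)")
DPORT_RE = re.compile(r"--dport\s+(\d+)(?::(\d+))?")


def timed_out_ports(log_text):
    """Streams on which sendbackup gave up waiting for the server to connect back."""
    return [(kind, int(port)) for kind, port in TIMEOUT_RE.findall(log_text)]


def dport_range(rule):
    """(low, high) accepted by the rule's --dport; a single port is a range of one."""
    m = DPORT_RE.search(rule)
    if m is None:
        raise ValueError("rule has no --dport match: " + rule)
    low = int(m.group(1))
    high = int(m.group(2)) if m.group(2) else low
    if not 1 <= low <= high <= 65535:
        raise ValueError("bad port range in rule: " + rule)
    return low, high


def uncovered_ports(log_text, rule):
    """Timed-out ports the rule does not accept at all (a port-range problem).

    An empty result while timeouts are still present means the ports were
    allowed, so look elsewhere, e.g. at the conntrack helper, as in the thread."""
    low, high = dport_range(rule)
    return [port for _, port in timed_out_ports(log_text) if not low <= port <= high]
```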