Amanda-Users

Re: Troubleshooting new Amanda client: Amanda user?

2007-06-26 11:51:53
Subject: Re: Troubleshooting new Amanda client: Amanda user?
From: Matt Hyclak <hyclak AT math.ohiou DOT edu>
To: amanda-users AT amanda DOT org
Date: Tue, 26 Jun 2007 11:38:44 -0400
On Tue, Jun 26, 2007 at 10:38:33AM -0400, Zembower, Kevin enlightened us:
> Kevin, thanks so much. You were right on the money. Disabling the
> firewall completely allowed amcheck to work correctly.
> 
> If you have some additional patience, I could use a hand trying to
> configure the firewall rules correctly on my amanda client. I tried to
> follow the directions at
> http://wiki.zmanda.com/index.php/How_To:Set_Up_iptables_for_Amanda to
> set up this rule on tobaccodev, my amanda client. This combines the
> amanda rule with the rules I set up using the firewall GUI in CentOS5
> (RHEL5):
> [root@tobaccodev ~]# iptables -t filter -I INPUT 1 -p udp -m udp -s centernet.jhuccp.org --dport 10080:10083 -j ACCEPT
> [root@tobaccodev ~]# service iptables status
> Table: filter
> Chain INPUT (policy ACCEPT)
> num  target     prot opt source               destination
> 1    ACCEPT     udp  --  10.253.192.205       0.0.0.0/0           udp dpts:10080:10083
> 2    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0
> 
> 
> Chain FORWARD (policy ACCEPT)
> num  target     prot opt source               destination
> 1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0
> 
> 
> Chain OUTPUT (policy ACCEPT)
> num  target     prot opt source               destination
> 
> Chain RH-Firewall-1-INPUT (2 references)
> num  target     prot opt source               destination
> 1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> 2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
> 3    ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
> 4    ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
> 5    ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353
> 6    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:631
> 7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:631
> 8    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
> 9    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:21
> 10   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25
> 11   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
> 12   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443
> 13   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:23
> 14   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
> 15   REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
> 
> Here's an example of a no-error 'amcheck -c DBackup tobaccodev' from the
> tapeserver:
> 
> [root@tobaccodev ~]# tcpdump -nn src or dst centernet and port amanda
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
> 10:28:58.190591 IP 10.253.192.205.854 > 10.253.192.217.10080: UDP, length 123
> 10:28:58.210814 IP 10.253.192.217.10080 > 10.253.192.205.854: UDP, length 50
> 10:28:58.212936 IP 10.253.192.217.10080 > 10.253.192.205.854: UDP, length 87
> 10:28:58.214318 IP 10.253.192.205.854 > 10.253.192.217.10080: UDP, length 50
> 10:28:58.216532 IP 10.253.192.205.854 > 10.253.192.217.10080: UDP, length 299
> 10:28:58.223632 IP 10.253.192.217.10080 > 10.253.192.205.854: UDP, length 50
> 10:28:58.233581 IP 10.253.192.217.10080 > 10.253.192.205.854: UDP, length 527
> 10:28:58.235018 IP 10.253.192.205.854 > 10.253.192.217.10080: UDP, length 50
> 
> 8 packets captured
> 20 packets received by filter
> 0 packets dropped by kernel
> [root@tobaccodev ~]#
> 
> I had to insert the rule to allow amanda packets in _before_ the
> RH-Firewall-1-INPUT rule to make it work. This tests correctly with
> amcheck, but I haven't tried an actual dump yet.
> 
> If someone with some amanda firewall rule writing experience could check
> and confirm my work, I'll write an addendum to the Zmanda article with my
> example, for other CentOS and RHEL users.
> 
> Thanks, again, Kevin, for your advice and suggestions.
> 
> -Kevin 
> 

On my CentOS client systems, I modify /etc/sysconfig/iptables-config to read:

IPTABLES_MODULES="ip_conntrack_ftp ip_conntrack_amanda"

And simply allow udp 10080 from the server (in /etc/sysconfig/iptables):

-A INPUT -s 192.168.1.1 -d 192.168.1.30 -p udp -m udp --dport 10080 -j ACCEPT

On the server I also allow tcp 10082 and 10083.

On my bridging firewall, I modify /etc/modprobe.conf to include a longer
timeout:

options ip_conntrack_amanda master_timeout=2400

That works for me...

Matt

-- 
Matt Hyclak
Department of Mathematics 
Department of Social Work
Ohio University
(740) 593-1263
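An added worked example for the two points raised in this thread: the rule fragment Matt describes for a client (UDP 10080 from the server only, with the ip_conntrack_amanda helper letting the follow-up TCP connections in as RELATED), and a check for the ordering problem Kevin hit, where the Amanda ACCEPT has to sit before the jump into RH-Firewall-1-INPUT or it is never reached. This is example code, not from either mail or from the Amanda project. The 192.168.1.x addresses are placeholders, the two listings are constructed in the format of `iptables -L INPUT -n --line-numbers` shown above, and restricting the server-side TCP 10082/10083 rule to the client address is this example's own assumption.

```sh
#!/bin/sh
# Added example for the Amanda iptables rules discussed in this thread; not
# code from the list post or from the Amanda project.  Addresses are
# placeholders; the listings below are constructed sample data.

# Emit /etc/sysconfig/iptables lines for an Amanda *client*, following the
# reply above: RELATED,ESTABLISHED (ip_conntrack_amanda marks the follow-up
# TCP connections as RELATED) plus UDP 10080 from the server only.
# $1 = server IP, $2 = client IP.
amanda_client_rules() {
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' "-A INPUT -s $1 -d $2 -p udp -m udp --dport 10080 -j ACCEPT"
}

# Emit the extra server-side line the reply mentions (TCP 10082 and 10083).
# Limiting the source to the client is an assumption of this example.
# $1 = client IP, $2 = server IP.
amanda_server_rules() {
    printf '%s\n' "-A INPUT -s $1 -d $2 -p tcp -m tcp --dport 10082:10083 -j ACCEPT"
}

# Read an "iptables -L INPUT -n --line-numbers" listing on stdin and check
# that an ACCEPT for UDP from server $1 to dport 10080 appears before the
# first rule with a non-ACCEPT target (REJECT/DROP, or a jump into a chain
# such as RH-Firewall-1-INPUT that ends in REJECT).  Returns 0 if so, 1 if not.
amanda_rule_before_reject() {
    awk -v srv="$1" '
        /^Chain / { inchain = ($2 == "INPUT"); next }
        !inchain || $1 !~ /^[0-9]+$/ { next }   # only numbered INPUT rules
        # columns: num target prot opt source destination [match text...]
        $2 == "ACCEPT" && $3 == "udp" && $5 == srv && $0 ~ /dpts?:10080/ { found = 1; exit }
        $2 != "ACCEPT" { exit }                  # reached a sink before the rule
        END { exit found ? 0 : 1 }
    '
}

# Constructed listings: the order that works (rule inserted at position 1)
# and the order that silently fails (rule appended after the jump).
GOOD_LISTING='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     udp  --  10.253.192.205       0.0.0.0/0           udp dpts:10080:10083
2    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0'

BAD_LISTING='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     udp  --  10.253.192.205       0.0.0.0/0           udp dpts:10080:10083'

# $1 = label, $2 = listing text
report() {
    if printf '%s\n' "$2" | amanda_rule_before_reject 10.253.192.205; then
        echo "$1: Amanda rule is reached before the reject"
    else
        echo "$1: Amanda rule is shadowed; insert it earlier (iptables -I INPUT 1 ...)"
    fi
}

# Stand-alone demonstration.
amanda_client_rules 192.168.1.1 192.168.1.30
amanda_server_rules 192.168.1.30 192.168.1.1
report GOOD_LISTING "$GOOD_LISTING"
report BAD_LISTING "$BAD_LISTING"
```

On a live host, feed the checker with `iptables -L INPUT -n --line-numbers | amanda_rule_before_reject <server-ip>`. It deliberately treats any non-ACCEPT target as a possible sink, so a jump into a distribution chain counts as shadowing even though that chain might accept the packet; that is the conservative reading of the listing, since `-L -n` without `-v` does not show which interface the chain's first ACCEPT applies to.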