On Tue, Jun 26, 2007 at 10:38:33AM -0400, Zembower, Kevin enlightened us:
> Kevin, thanks so much. You were right on the money. Disabling the
> firewall completely allowed amcheck to work correctly.
>
> If you have some additional patience, I could use a hand trying to
> configure the firewall rules correctly on my amanda client. I tried to
> follow the directions at
> http://wiki.zmanda.com/index.php/How_To:Set_Up_iptables_for_Amanda to
> set up this rule on tobaccodev, my amanda client. This combines the
> amanda rule with the rules I set up using the firewall GUI in CentOS5
> (RHEL5):
> [root@tobaccodev ~]# iptables -t filter -I INPUT 1 -p udp -m udp -s centernet.jhuccp.org --dport 10080:10083 -j ACCEPT
> [root@tobaccodev ~]# service iptables status
> Table: filter
> Chain INPUT (policy ACCEPT)
> num target prot opt source destination
> 1 ACCEPT udp -- 10.253.192.205 0.0.0.0/0 udp dpts:10080:10083
> 2 RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0
>
> Chain FORWARD (policy ACCEPT)
> num target prot opt source destination
> 1 RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0
>
> Chain OUTPUT (policy ACCEPT)
> num target prot opt source destination
>
> Chain RH-Firewall-1-INPUT (2 references)
> num target prot opt source destination
> 1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
> 2 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 255
> 3 ACCEPT esp -- 0.0.0.0/0 0.0.0.0/0
> 4 ACCEPT ah -- 0.0.0.0/0 0.0.0.0/0
> 5 ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353
> 6 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:631
> 7 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:631
> 8 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
> 9 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:21
> 10 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:25
> 11 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
> 12 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443
> 13 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:23
> 14 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
> 15 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
>
> Here's an example of a no-error 'amcheck -c DBackup tobaccodev' from the
> tapeserver:
>
> [root@tobaccodev ~]# tcpdump -nn src or dst centernet and port amanda
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
> 10:28:58.190591 IP 10.253.192.205.854 > 10.253.192.217.10080: UDP, length 123
> 10:28:58.210814 IP 10.253.192.217.10080 > 10.253.192.205.854: UDP, length 50
> 10:28:58.212936 IP 10.253.192.217.10080 > 10.253.192.205.854: UDP, length 87
> 10:28:58.214318 IP 10.253.192.205.854 > 10.253.192.217.10080: UDP, length 50
> 10:28:58.216532 IP 10.253.192.205.854 > 10.253.192.217.10080: UDP, length 299
> 10:28:58.223632 IP 10.253.192.217.10080 > 10.253.192.205.854: UDP, length 50
> 10:28:58.233581 IP 10.253.192.217.10080 > 10.253.192.205.854: UDP, length 527
> 10:28:58.235018 IP 10.253.192.205.854 > 10.253.192.217.10080: UDP, length 50
>
> 8 packets captured
> 20 packets received by filter
> 0 packets dropped by kernel
> [root@tobaccodev ~]#
>
> I had to insert the rule to allow amanda packets in _before_ the
> RH-Firewall-1-INPUT rule to make it work. This tests correctly with
> amcheck, but I haven't tried an actual dump yet.
>
> If someone with some amanda firewall rule writing experience could check
> and confirm my work, I'll write an addendum to the Zmanda article with my
> example, for other CentOS and RHEL users.
>
> Thanks, again, Kevin, for your advice and suggestions.
>
> -Kevin
>
On my CentOS client systems, I modify /etc/sysconfig/iptables-config to read:
IPTABLES_MODULES="ip_conntrack_ftp ip_conntrack_amanda"
And simply allow udp 10080 from the server (in /etc/sysconfig/iptables):
-A INPUT -s 192.168.1.1 -d 192.168.1.30 -p udp -m udp --dport 10080 -j ACCEPT
On the server I also allow tcp 10082 and 10083.
On my bridging firewall, I modify /etc/modprobe.conf to include a longer
timeout:
options ip_conntrack_amanda master_timeout=2400
That works for me...
Matt
--
Matt Hyclak
Department of Mathematics
Department of Social Work
Ohio University
(740) 593-1263
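The ordering point Kevin raised (the Amanda ACCEPT must sit before the jump to RH-Firewall-1-INPUT, whose last rule REJECTs everything) is easy to get wrong with `-A`. The following is an added example, not code from the thread: a shell function that reads an `iptables-save` dump on stdin and reports whether the UDP 10080 accept from the tape server is present and ahead of that jump. The 192.168.1.1 server address and the two sample dumps are constructed for the example.

```shell
# Offline check of an iptables-save dump: is Amanda's UDP 10080 accepted from the
# tape server BEFORE the INPUT chain jumps to RH-Firewall-1-INPUT (which ends in
# REJECT)? Exit 0 = ok, 1 = no such accept rule, 2 = rule is after the jump.
check_amanda_rule() {                       # $1 = tape server IP; dump on stdin
  awk -v srv="$1" '
    /^\*/ { table = substr($0, 2) }         # *filter, *nat, ...
    table != "filter" || !/^-A INPUT / { next }
    {
      n++; src = proto = dport = target = ""
      for (i = 1; i < NF; i++) {
        if ($i == "-s") { src = $(i+1); sub(/\/32$/, "", src) }
        else if ($i == "-p") proto = $(i+1)
        else if ($i == "--dport") dport = $(i+1)
        else if ($i == "-j") target = $(i+1)
      }
      if (!accept && src == srv && proto == "udp" && target == "ACCEPT" && dport ~ /^10080(:|$)/) accept = n
      if (!jump && target == "RH-Firewall-1-INPUT") jump = n
    }
    END {
      if (!accept) { print "no Amanda accept rule in INPUT"; exit 1 }
      if (jump && accept > jump) { print "Amanda rule sits after the RH-Firewall-1-INPUT jump"; exit 2 }
      print "ok: Amanda rule at INPUT position " accept
    }'
}

# Constructed sample dumps (not from the thread); 192.168.1.1 stands in for the server.
good_dump() {      # rule inserted with "-I INPUT 1", as Kevin did
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -s 192.168.1.1/32 -p udp -m udp --dport 10080 -j ACCEPT
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}
bad_dump() {       # same rule merely appended with "-A": never reached
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A INPUT -s 192.168.1.1/32 -p udp -m udp --dport 10080 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}
```

On a live client, run `iptables-save | check_amanda_rule <server-ip>`; an exit code of 2 means the rule exists but the RH-Firewall-1-INPUT chain rejects the packet first.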