Amanda-Users

RE: Troubleshooting new Amanda client: Amanda user?

2007-06-26 14:35:01
Subject: RE: Troubleshooting new Amanda client: Amanda user?
From: "Zembower, Kevin" <kzembowe AT jhuccp DOT org>
To: <amanda-users AT amanda DOT org>
Date: Tue, 26 Jun 2007 14:01:17 -0400
Matt, thank you for your help. I didn't think that I had
ip_conntrack_amanda, so I was trying to set it up without it. When I
tried your way, it worked like a charm.

Note to archive readers: I think it's important to insert the line:
-A INPUT -s 192.168.1.1 -d 192.168.1.30 -p udp -m udp --dport 10080 -j ACCEPT
_before_ the line:
-A INPUT -j RH-Firewall-1-INPUT
to prevent the packets from following the RH-Firewall-1-INPUT rules
first, where they'll be discarded.

Thanks, again, Matt.

-Kevin
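As an added example (not code from Kevin's or Matt's messages), a small POSIX shell check for the two points in this thread: that the Amanda ACCEPT rule in an iptables-save style /etc/sysconfig/iptables sits before the jump to RH-Firewall-1-INPUT, and that ip_conntrack_amanda is listed in IPTABLES_MODULES in /etc/sysconfig/iptables-config as in Matt's reply below. The file contents are constructed samples using the addresses Matt quoted.

```shell
#!/bin/sh
# Constructed fragments of a CentOS 5 /etc/sysconfig/iptables (iptables-save
# format) and /etc/sysconfig/iptables-config. Example data for this check only,
# not the files from the thread; the addresses are the ones Matt quoted.
GOOD_RULES='*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -s 192.168.1.1 -d 192.168.1.30 -p udp -m udp --dport 10080 -j ACCEPT
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Same ACCEPT, but appended after the jump: the packet reaches
# RH-Firewall-1-INPUT first and is rejected there, so the rule is dead.
BAD_RULES='-A INPUT -j RH-Firewall-1-INPUT
-A INPUT -s 192.168.1.1 -d 192.168.1.30 -p udp -m udp --dport 10080 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited'

GOOD_CONFIG='IPTABLES_MODULES="ip_conntrack_ftp ip_conntrack_amanda"'
BAD_CONFIG='IPTABLES_MODULES="ip_conntrack_ftp"'

# amanda_rule_ok RULES: exit 0 only if an INPUT ACCEPT for udp 10080 appears
# before the jump to RH-Firewall-1-INPUT, i.e. a packet can actually reach it.
amanda_rule_ok() {
  printf '%s\n' "$1" | awk '
    /^-A INPUT .*-p udp .*--dport 10080.*-j ACCEPT/ { if (!jump) ok = 1 }
    /^-A INPUT -j RH-Firewall-1-INPUT/              { jump = 1 }
    END { exit (ok ? 0 : 1) }'
}

# helper_configured CONFIG: exit 0 if ip_conntrack_amanda is listed in
# IPTABLES_MODULES, so the kernel tracks the data ports Amanda negotiates
# and the RELATED,ESTABLISHED rule lets the replies through.
helper_configured() {
  printf '%s\n' "$1" \
    | grep -Eq '^IPTABLES_MODULES="([^"]* )?ip_conntrack_amanda( [^"]*)?"'
}

# Stand-alone run: report on the constructed good and bad samples.
amanda_rule_ok "$GOOD_RULES" && echo "good rules: amanda ACCEPT is reachable"
amanda_rule_ok "$BAD_RULES" || echo "bad rules: amanda ACCEPT sits after the jump"
helper_configured "$GOOD_CONFIG" && echo "good config: conntrack helper listed"
helper_configured "$BAD_CONFIG" || echo "bad config: conntrack helper missing"
```

Point the two functions at `"$(cat /etc/sysconfig/iptables)"` and `"$(cat /etc/sysconfig/iptables-config)"` to run the same check on a real client.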

-----Original Message-----
From: owner-amanda-users AT amanda DOT org
[mailto:owner-amanda-users AT amanda DOT org] On Behalf Of Matt Hyclak
Sent: Tuesday, June 26, 2007 11:39 AM
To: amanda-users AT amanda DOT org
Subject: Re: Troubleshooting new Amanda client: Amanda user?

On Tue, Jun 26, 2007 at 10:38:33AM -0400, Zembower, Kevin enlightened us:
> Kevin, thanks so much. You were right on the money. Disabling the
> firewall completely allowed amcheck to work correctly.
> 
> If you have some additional patience, I could use a hand trying to
> configure the firewall rules correctly on my amanda client. I tried to
> follow the directions at
> http://wiki.zmanda.com/index.php/How_To:Set_Up_iptables_for_Amanda to
> set up this rule on tobaccodev, my amanda client. This combines the
> amanda rule with the rules I set up using the firewall GUI in CentOS5
> (RHEL5):
> [root@tobaccodev ~]# iptables -t filter -I INPUT 1 -p udp -m udp -s centernet.jhuccp.org --dport 10080:10083 -j ACCEPT
> [root@tobaccodev ~]# service iptables status
> Table: filter
> Chain INPUT (policy ACCEPT)
> num  target     prot opt source               destination
> 1    ACCEPT     udp  --  10.253.192.205       0.0.0.0/0           udp dpts:10080:10083
> 2    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0
> 
> Chain FORWARD (policy ACCEPT)
> num  target     prot opt source               destination
> 1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0
> 
> Chain OUTPUT (policy ACCEPT)
> num  target     prot opt source               destination
> 
> Chain RH-Firewall-1-INPUT (2 references)
> num  target     prot opt source               destination
> 1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> 2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
> 3    ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
> 4    ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
> 5    ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353
> 6    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:631
> 7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:631
> 8    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
> 9    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:21
> 10   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25
> 11   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
> 12   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443
> 13   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:23
> 14   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
> 15   REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
> 
> Here's an example of a no-error 'amcheck -c DBackup tobaccodev' from the tapeserver:
> 
> [root@tobaccodev ~]# tcpdump -nn src or dst centernet and port amanda
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
> 10:28:58.190591 IP 10.253.192.205.854 > 10.253.192.217.10080: UDP, length 123
> 10:28:58.210814 IP 10.253.192.217.10080 > 10.253.192.205.854: UDP, length 50
> 10:28:58.212936 IP 10.253.192.217.10080 > 10.253.192.205.854: UDP, length 87
> 10:28:58.214318 IP 10.253.192.205.854 > 10.253.192.217.10080: UDP, length 50
> 10:28:58.216532 IP 10.253.192.205.854 > 10.253.192.217.10080: UDP, length 299
> 10:28:58.223632 IP 10.253.192.217.10080 > 10.253.192.205.854: UDP, length 50
> 10:28:58.233581 IP 10.253.192.217.10080 > 10.253.192.205.854: UDP, length 527
> 10:28:58.235018 IP 10.253.192.205.854 > 10.253.192.217.10080: UDP, length 50
> 
> 8 packets captured
> 20 packets received by filter
> 0 packets dropped by kernel
> [root@tobaccodev ~]#
> 
> I had to insert the rule to allow amanda packets in _before_ the
> RH-Firewall-1-INPUT rule to make it work. This tests correctly with
> amcheck, but I haven't tried an actual dump yet.
> 
> If someone with some amanda firewall rule writing experience could check
> and confirm my work, I'll write an addendum to the Zmanda article with my
> example, for other CentOS and RHEL users.
> 
> Thanks, again, Kevin, for your advice and suggestions.
> 
> -Kevin 
> 

On my CentOS client systems, I modify /etc/sysconfig/iptables-config to
read:

IPTABLES_MODULES="ip_conntrack_ftp ip_conntrack_amanda"

And simply allow udp 10080 from the server (in /etc/sysconfig/iptables):

-A INPUT -s 192.168.1.1 -d 192.168.1.30 -p udp -m udp --dport 10080 -j ACCEPT

On the server I also allow tcp 10082 and 10083.

On my bridging firewall, I modify /etc/modprobe.conf to include a longer timeout:

options ip_conntrack_amanda master_timeout=2400

That works for me...

Matt

-- 
Matt Hyclak
Department of Mathematics 
Department of Social Work
Ohio University
(740) 593-1263