Bacula-users

[Bacula-users] iptables problem

2012-06-06 10:19:16
Subject: [Bacula-users] iptables problem
From: Laurent MANCHON <lmanchon AT univ-montp2 DOT fr>
To: bacula-users AT lists.sourceforge DOT net
Date: Wed, 06 Jun 2012 16:16:32 +0200
Hi,

Bacula returns this error message:

06-juin 14:56 Bacula-dir JobId 1569 : Warning: bsock.c:129 impossible to 
connect at Storage daemon on 192.168.1.15:9103. ERR=Connection failed

I think I have a problem with my iptables rules but I don't know where;
I need somebody's help to resolve this problem.

These are my iptables rules:

#!/bin/sh
# Script "iptables-start.sh"

IPT="/sbin/iptables"
INTERNET="eth0"

echo "0" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

$IPT -F
$IPT -X
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
$IPT -N BAD_PACKETS

$IPT -t nat -F
$IPT -t nat -X

$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT

$IPT -t mangle -F
$IPT -t mangle -X

$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P INPUT ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -t mangle -P FORWARD ACCEPT
$IPT -t mangle -P POSTROUTING ACCEPT

$IPT -P INPUT DROP

$IPT -A FORWARD -o eth0 -j ACCEPT

$IPT -A OUTPUT -o eth0 -j ACCEPT

$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT


$IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 20/s --limit-burst 100 -j ACCEPT
$IPT -A OUTPUT -p icmp --icmp-type echo-request -m limit --limit 20/s --limit-burst 100 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type redirect -j DROP
$IPT  -A INPUT -p icmp --icmp-type network-redirect -j DROP
$IPT -A INPUT -p icmp --icmp-type TOS-network-redirect -j DROP
$IPT -A INPUT -p icmp --icmp-type TOS-host-redirect -j DROP
$IPT -A INPUT -p icmp -j ACCEPT

$IPT -A INPUT --match state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT --match state --state RELATED,ESTABLISHED -j ACCEPT

$IPT -A INPUT -p tcp --dport ssh -s 192.168.0.0/16 -d 0.0.0.0/0.0.0.0 -j ACCEPT
$IPT -A OUTPUT -p tcp --sport ssh -s 192.168.0.0/16 -d 0.0.0.0/0.0.0.0 -j ACCEPT

$IPT -A INPUT -p tcp --dport 80 -j ACCEPT
$IPT -A INPUT -p udp --dport 5353 -j ACCEPT

# port https
$IPT -A INPUT -p tcp --dport 443 -j ACCEPT

$IPT -A INPUT -p tcp --dport 137:139 -s 192.168.0.0/16 -i eth0 -j ACCEPT
$IPT -A INPUT -p udp --dport 137:139 -s 192.168.0.0/16 -i eth0 -j ACCEPT
$IPT -A INPUT -p tcp --dport 445 -s 192.168.0.0/16 -i eth0 -j ACCEPT

# bacula rules
$IPT -A OUTPUT -p tcp --dport 9102:9103 -o $INTERNET -m state --state NEW -j ACCEPT
$IPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 9101:9103 -j ACCEPT

$IPT -A INPUT -p tcp --dport 123 -j ACCEPT
$IPT -A INPUT -p udp --dport 123 -j ACCEPT

$IPT -A OUTPUT -p udp --dport 53 -o $INTERNET -m state --state NEW -j ACCEPT

$IPT -A INPUT -i eth0 -p tcp --dport 3306 -s 192.168.1.15 -d 192.168.0.0/16 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -p tcp -s 192.168.0.0/16 --sport 3306 -d 192.168.1.15 -m state --state ESTABLISHED -j ACCEPT

#Log
$IPT -A INPUT -i eth0 -j LOG --log-level info --log-prefix "INPUT DROP: "
$IPT -A OUTPUT -o eth0 -j LOG --log-level info --log-prefix "OUTPUT DROP: "
$IPT -A FORWARD -o eth0 -j LOG --log-level info --log-prefix "FORWARD DROP: "
$IPT -A INPUT -s 0.0.0.0/0.0.0.0 -j DROP
$IPT -A OUTPUT -s 0.0.0.0/0.0.0.0  -j DROP
$IPT -A FORWARD -s 0.0.0.0/0.0.0.0  -j DROP

#Drop
#Jump To BAD_PACKETS
$IPT -A INPUT -j BAD_PACKETS
$IPT -A BAD_PACKETS -p TCP ! --syn -m state --state NEW -j DROP
$IPT -A BAD_PACKETS -p TCP --tcp-flags ALL ALL -j DROP
$IPT -A BAD_PACKETS -p TCP --tcp-flags ALL NONE -j DROP
$IPT -A BAD_PACKETS -p TCP --tcp-flags ALL SYN -m state --state ESTABLISHED -j DROP
$IPT -A BAD_PACKETS -p ICMP --fragment -j DROP
$IPT -A BAD_PACKETS -m state --state INVALID -j DROP
$IPT -A BAD_PACKETS -d 255.255.255.255 -j DROP
$IPT -A BAD_PACKETS -j RETURN

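An added example (not part of the original post, nor Bacula's or iptables' own code) for auditing rule ordering in a script like the one above: it lists rules in a chain that sit after an unconditional catch-all and can therefore never match, and checks whether an ACCEPT for a given TCP destination port is evaluated before that point. The RULES excerpt is constructed in iptables-save style to mirror the posted INPUT chain; it is not a capture from the poster's host.

```shell
#!/bin/sh
# Constructed excerpt modelled on the posted INPUT chain (assumed, not captured).
RULES='-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 9101:9103 -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 3306 -s 192.168.1.15 -d 192.168.0.0/16 -j ACCEPT
-A INPUT -i eth0 -j LOG --log-level info --log-prefix "INPUT DROP: "
-A INPUT -s 0.0.0.0/0.0.0.0 -j DROP
-A INPUT -j BAD_PACKETS
-A BAD_PACKETS -m state --state INVALID -j DROP
-A BAD_PACKETS -j RETURN'

# Shared awk program. mode=list prints every rule of CHAIN that follows a
# catch-all; mode=port exits 0 if an ACCEPT whose --dport covers PORT is
# reached before the catch-all, 1 otherwise.
AUDIT='
# A rule is a catch-all when its only "match" is an optional -s 0.0.0.0/0
# and its target is terminal (ACCEPT, DROP or REJECT).
function is_catchall(rule,   m) {
  m = rule; sub(/^-A [^ ]+ /, "", m)
  if (m !~ /-j (ACCEPT|DROP|REJECT)$/) return 0
  sub(/-j (ACCEPT|DROP|REJECT)$/, "", m)
  sub(/-s 0\.0\.0\.0\/0(\.0\.0\.0)?/, "", m)
  gsub(/ /, "", m)
  return m == ""
}
$1 == "-A" && $2 == chain {
  n++
  if (dead) { if (mode == "list") print "unreachable rule " n ": " $0; next }
  if (mode == "port" && $NF == "ACCEPT") {
    for (i = 3; i < NF; i++) if ($i == "--dport") {
      k = split($(i+1), r, ":"); hi = (k == 2) ? r[2] : r[1]   # port or lo:hi range
      if (port+0 >= r[1]+0 && port+0 <= hi+0) found = 1
    }
  }
  if (is_catchall($0)) dead = 1
}
END { if (mode == "port") exit found ? 0 : 1 }'

unreachable_rules() { printf '%s\n' "$RULES" | awk -v mode=list -v chain="$1" "$AUDIT"; }
port_accept_reachable() { printf '%s\n' "$RULES" | awk -v mode=port -v chain="$1" -v port="$2" "$AUDIT"; }

unreachable_rules INPUT          # reports the "-j BAD_PACKETS" jump after the DROP
port_accept_reachable INPUT 9103 && echo "port 9103: accepted before catch-all"
```

Point the two functions at `iptables-save` output on both the director and the storage daemon host to see which side's INPUT or OUTPUT chain never reaches its Bacula rule.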


