Help: Amanda over IPChains
This is partially a question about amanda and partially a question
about how to forward UDP protocols over IPChains. Basically, I cannot
connect to a client from behind an IPChains firewall. Can you help
me?
It's strange, but I notice a few things when looking at the masquerade
table on the gateway computer. The tape server will try to connect to
the client's amanda port with a udp port < 1024. For example, the
last time I tested it, the connection looked like this:
UDP 04:56.54 <tape server> <client> 985 (62348) -> amanda
UDP 04:56.54 0.0.0.0 <tapeserver> amanda (10080) -> 985
I've seen the tape server use anything as high as 985 down to the
600's. From this, it seems that the gateway doesn't understand where
the return connection should come from. What's going on? How do I
correct this? Does the amanda client have a tcp control port? If
not, how does one allow UDP over a masquerade environment when the
connection is initiated from inside the firewall?
================================================================
BEGIN CONFIGURATION INFORMATION
================================================================
Info          Tape Svr (int)   Gateway        Client (ext)
------------  ---------------  -------------  --------------
Amanda:       2.4.1            2.4.1          2.4.1
Kernel:       2.2.11           2.2.10         2.2.10
Patches:      None             ipmasqadm.25   none
Ipchains:     no               yes            yes
portfw:       no               yes            no
autofw:       no               yes            no
Masq:         no               yes            no
Int IP:       192.168.1.1      192.168.1.10   -
Ext IP:       -                192.168.2.50   192.168.2.60
Input Chain: Gateway
--------------------
ipchains -A input -i <int> -s <intranet> -j ACCEPT
ipchains -A input -i <ext> -s <intranet> -j DENY
ipchains -A input -i <ext> -d <extif> -j ACCEPT
ipchains -A input -i <ext> -j extinok
ipchains -A input -i <ext> -j extinblk
where extinok = allowed ports and extinblk = denied ports. Blanket
permission for internal connections to connect to any external
connections.
Forward Chain: Gateway
----------------------
ipchains -A forward -i <ext> -s <intranet> -j MASQ
Output Chain: Gateway
---------------------
ipchains -A output -i <int> -d <intranet> -j ACCEPT
ipchains -A output -i <ext> -d <extif> -j ACCEPT
ipchains -A output -i <ext> -d <intranet> -l -j DENY
Input Chain: Client
-------------------
ipchains -A input -i <ext> -j extinok
ipchains -A input -i <ext> -l -j extinblk
where extinok = allowed ports and extinblk = denied ports.
extinok chain: client
---------------------
ipchains -A extinok -p udp -s <gateway> amanda \
-d <client> amanda -j ACCEPT
Output Chain: Client
--------------------
ipchains -A output -i <ext> -s <client> -j ACCEPT
Auto masquerade forwarding: Gateway
-----------------------------------
ipmasqadm autofw -r udp amanda amanda
where amanda = 10080
================================================================
END CONFIGURATION INFORMATION
================================================================
Later!
^chewie
+----------------------------------------------------+
| Chad Walstrom mailto:chewie@wookimus.net |
| ICQ: 9985127 http://wookimus.net/~chewie |
+----------------------------------------------------+
Need a new truck? Check out my '97 Explorer 2-door
Sport at http://wookimus.net/~chewie/truck.html
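An added example, not part of the original post and not Amanda or ipchains code: a small Python model of how the gateway's MASQ target rewrites the tape server's source port, and how the client's extinok rule, which pins both source and destination port to amanda, matches or fails to match the rewritten packet. Addresses and ports are taken from the configuration table and masquerade listing above (tape server 192.168.1.1, gateway external 192.168.2.50, client 192.168.2.60, source port 985, masqueraded port 62348). The dport-only rule variant, the DENY default standing in for extinblk, and the masquerade port counter are assumptions made for illustration, not something the post describes.

```python
# Added example: model of ipchains-style rule matching over the masqueraded
# UDP flow from the post. Addresses/ports come from the post; the rule set
# is a simplified reading of the client's input/extinok chains.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

AMANDA = 10080                # "amanda" service port, as stated in the post
TAPE_SERVER = "192.168.1.1"   # tape server, internal address (from the table)
GATEWAY_EXT = "192.168.2.50"  # gateway's external address (from the table)
CLIENT = "192.168.2.60"       # client's external address (from the table)


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    """One ipchains-style rule; None means 'any' for that field."""
    target: str
    proto: Optional[str] = None
    src: Optional[str] = None
    sport: Optional[int] = None
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        pairs = ((self.proto, p.proto), (self.src, p.src), (self.sport, p.sport),
                 (self.dst, p.dst), (self.dport, p.dport))
        return all(want is None or want == got for want, got in pairs)


def walk_chain(chain: List[Rule], p: Packet, policy: str) -> Tuple[str, Optional[Rule]]:
    """First matching rule wins, as in an ipchains chain; otherwise the policy."""
    for rule in chain:
        if rule.matches(p):
            return rule.target, rule
    return policy, None


class Masquerader:
    """Models the gateway's MASQ target: the source becomes the external
    address plus a port the gateway chooses, and the mapping is remembered
    so the reply can be sent back to the original internal source."""

    def __init__(self, ext_ip: str, first_port: int) -> None:
        self.ext_ip = ext_ip
        self.next_port = first_port   # assumption: simple counter, not kernel logic
        self.table: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def outbound(self, p: Packet) -> Packet:
        masq_port = self.next_port
        self.next_port += 1
        self.table[(p.proto, masq_port)] = (p.src, p.sport)
        return Packet(p.proto, self.ext_ip, masq_port, p.dst, p.dport)

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Undo the rewrite for a reply; None if there is no table entry."""
        orig = self.table.get((p.proto, p.dport))
        if orig is None or p.dst != self.ext_ip:
            return None
        return Packet(p.proto, p.src, p.sport, orig[0], orig[1])


# Client's extinok chain as written in the post: "-s <gateway> amanda
# -d <client> amanda", i.e. source AND destination port pinned to 10080.
CLIENT_EXTINOK_AS_POSTED = [
    Rule("ACCEPT", proto="udp", src=GATEWAY_EXT, sport=AMANDA, dst=CLIENT, dport=AMANDA),
]
# Assumed variant (not from the post) that pins only the destination port,
# since the masquerading gateway chooses the source port itself.
CLIENT_EXTINOK_DPORT_ONLY = [
    Rule("ACCEPT", proto="udp", src=GATEWAY_EXT, dst=CLIENT, dport=AMANDA),
]


def client_verdict(chain: List[Rule], p: Packet) -> str:
    """Client input chain: jump to extinok; anything it does not accept
    falls through to extinblk, modelled here as a DENY policy."""
    verdict, _ = walk_chain(chain, p, policy="DENY")
    return verdict


def run_flow(client_chain: List[Rule]) -> Dict[str, object]:
    """Send one request through the gateway, filter it at the client, and
    carry the client's reply back through the masquerade table."""
    masq = Masquerader(GATEWAY_EXT, first_port=62348)  # port from the listing
    request = Packet("udp", TAPE_SERVER, 985, CLIENT, AMANDA)  # privileged sport, as seen
    on_wire = masq.outbound(request)          # what the client actually receives
    verdict = client_verdict(client_chain, on_wire)
    reply = Packet("udp", CLIENT, AMANDA, on_wire.src, on_wire.sport)
    delivered = masq.inbound(reply)           # de-masqueraded reply, or None
    return {"on_wire": on_wire, "verdict": verdict, "delivered": delivered}


if __name__ == "__main__":
    for name, chain in (("as posted", CLIENT_EXTINOK_AS_POSTED),
                        ("dport only", CLIENT_EXTINOK_DPORT_ONLY)):
        r = run_flow(chain)
        print(name, r["on_wire"], r["verdict"], r["delivered"])
```

Running it shows the client never sees source port 985 or 10080 on the request; it sees the gateway's chosen port (62348 in the listing), so a rule that pins the source port to amanda has nothing to match, while the reply mapping in the masquerade table is what carries the client's answer back to the tape server's port 985.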