
Help: Amanda over IPChains



This is partially a question about amanda and partially a question
about how to forward UDP protocols over IPChains.  Basically, I cannot
connect to a client from behind an IPChains firewall.  Can you help
me?

It's strange, but I notice a few things when looking at the masquerade
table on the gateway computer.  The tape server will try to connect to
the client's amanda port with a udp port < 1024.  For example, the
last time I tested it, the connection looked like this:

UDP  04:56.54 <tape server> <client>	985 (62348) -> amanda
UDP  04:56.54 0.0.0.0 <tapeserver>	amanda (10080) -> 985

I've seen the tape server use anything as high as 985 down to the
600's. From this, it seems that the gateway doesn't understand where
the return connection should come from.  What's going on?  How do I
correct this?  Does the amanda client have a tcp control port?  If
not, how does one allow UDP over a masquerade environment when the
connection is initiated from inside the firewall?

================================================================
BEGIN CONFIGURATION INFORMATION
================================================================
Info		Tape Svr (int)	Gateway		Client (ext)
--------------	-------------	--------------	-------------
Amanda:		2.4.1		2.4.1		2.4.1
Kernel:		2.2.11		2.2.10		2.2.10
Patches:	None		ipmasqadm.25	none
Ipchains:	no		yes		yes
portfw:		no		yes		no
autofw:		no		yes		no
Masq:		no		yes		no
Int IP:		192.168.1.1	192.168.1.10	-
Ext IP:		-		192.168.2.50	192.168.2.60

Input Chain: Gateway
--------------------
ipchains -A input -i <int> -s <intranet> -j ACCEPT
ipchains -A input -i <ext> -s <intranet> -j DENY
ipchains -A input -i <ext> -d <extif> -j ACCEPT
ipchains -A input -i <ext> -j extinok
ipchains -A input -i <ext> -j extinblk

where extinok = allowed ports and extinblk = denied ports.  Blanket
permission for internal connections to connect to any external
connections.

Forward Chain: Gateway
----------------------
ipchains -A forward -i <ext> -s <intranet> -j MASQ

Output Chain: Gateway
---------------------
ipchains -A output -i <int> -d <intranet> -j ACCEPT
ipchains -A output -i <ext> -d <extif> -j ACCEPT
ipchains -A output -i <ext> -d <intranet> -l -j DENY

Input Chain: Client
-------------------
ipchains -A input -i <ext> -j extinok
ipchains -A input -i <ext> -l -j extinblk

where extinok = allowed ports and extinblk = denied ports.

extinok chain: client
---------------------
ipchains -A extinok -p udp -s <gateway> amanda \
	-d <client> amanda -j ACCEPT

Output Chain: Client
--------------------
ipchains -A output -i <ext> -s <client> -j ACCEPT

Auto masquerade forwarding: Gateway
-----------------------------------
ipmasqadm autofw -r udp amanda amanda

where amanda = 10080
================================================================
END CONFIGURATION INFORMATION
================================================================

Later!

    ^chewie

+----------------------------------------------------+
| Chad Walstrom           mailto:chewie@wookimus.net | 
| ICQ: 9985127           http://wookimus.net/~chewie |
+----------------------------------------------------+
 Need a new truck?  Check out my '97 Explorer 2-door
   Sport at http://wookimus.net/~chewie/truck.html
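One check a practitioner would do with the information in this post is to walk the observed masquerade entry through the client's own input rules: the masq table says the tape server's source port 985 is rewritten to 62348 on the gateway, while the client's extinok rule only accepts UDP whose source port is amanda (10080). The script below is an added illustration, not code from the post or from Amanda; it parses the first masq-table line (copied here with the placeholders filled in from the configuration table), applies a simplified model of MASQ and of first-match ipchains evaluation, and reports the verdict both for the extinok rule as written and for a hypothetical variant that leaves the source port unconstrained. It assumes extinblk denies, and it does not model the autofw entry on the second table line.

```python
"""Walk the UDP masquerade entry from the post through the client's
ipchains rules.  Added illustration: addresses, ports and the rule are
taken from the post; the matching logic is a simplified model of
ipchains (first match wins), not ipchains code."""
import re
from dataclasses import dataclass, replace

AMANDA = 10080                  # "where amanda = 10080" in the post
TAPE_SERVER = "192.168.1.1"     # Int IP, tape server
GATEWAY_EXT = "192.168.2.50"    # Ext IP, gateway
CLIENT = "192.168.2.60"         # Ext IP, client
SERVICE_NAMES = {"amanda": AMANDA}


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


# Constructed copy of the first masq-table line from the post, with the
# <tape server>/<client> placeholders replaced by the table's addresses.
MASQ_LINE = "UDP  04:56.54 192.168.1.1 192.168.2.60\t985 (62348) -> amanda"

_MASQ_RE = re.compile(
    r"^(?P<proto>\w+)\s+\S+\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<sport>\d+)\s+\((?P<mport>\d+)\)\s+->\s+(?P<dport>\S+)$"
)


def port_number(token: str) -> int:
    """Resolve a numeric port or a service name used in the table."""
    return SERVICE_NAMES.get(token) or int(token)


def parse_masq_line(line: str) -> tuple[Packet, int]:
    """Return the packet as sent by the internal host, plus the port the
    gateway substitutes for its source port (the number in parentheses)."""
    m = _MASQ_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised masq entry: {line!r}")
    pkt = Packet(m["proto"].lower(), m["src"], int(m["sport"]),
                 m["dst"], port_number(m["dport"]))
    return pkt, int(m["mport"])


def masquerade(pkt: Packet, masq_port: int) -> Packet:
    """Model the MASQ target: source address becomes the gateway's
    external address and the source port becomes the masqueraded port."""
    return replace(pkt, src=GATEWAY_EXT, sport=masq_port)


def extinok_from_post(pkt: Packet) -> bool:
    """The client's extinok rule as written in the post:
    -p udp -s <gateway> amanda -d <client> amanda -j ACCEPT"""
    return (pkt.proto == "udp" and pkt.src == GATEWAY_EXT
            and pkt.sport == AMANDA and pkt.dst == CLIENT
            and pkt.dport == AMANDA)


def extinok_any_sport(pkt: Packet) -> bool:
    """Hypothetical variant (not in the post) with no source-port
    constraint, i.e. the first 'amanda' dropped from the -s clause."""
    return (pkt.proto == "udp" and pkt.src == GATEWAY_EXT
            and pkt.dst == CLIENT and pkt.dport == AMANDA)


def client_input_verdict(pkt: Packet, extinok) -> str:
    """First matching rule wins; the post says extinblk holds the denied
    ports, so a packet that misses extinok is modelled as DENY."""
    return "ACCEPT" if extinok(pkt) else "DENY (extinblk)"


def walk(line: str = MASQ_LINE) -> dict:
    """Translate the entry as the gateway would and evaluate it on the
    client's input chain under both rule variants."""
    inner, mport = parse_masq_line(line)
    outer = masquerade(inner, mport)
    return {
        "as_seen_by_client": outer,
        "verdict_post_rule": client_input_verdict(outer, extinok_from_post),
        "verdict_any_sport": client_input_verdict(outer, extinok_any_sport),
    }


if __name__ == "__main__":
    for key, value in walk().items():
        print(f"{key}: {value}")
```

Run it as-is; the packet the client sees carries source 192.168.2.50:62348, which the rule as written does not match, while the source-port-agnostic variant accepts it. Whether that is the whole story on the real gateway depends on what extinblk does and on the autofw entry, neither of which this model covers.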