[lug] amanda and iptables

John Hernandez John.Hernandez at noaa.gov
Tue Jan 20 12:28:05 MST 2004


Matsui - the kernel module Nick referred to is available on recent Red 
Hat kernels, and probably updated binary kernels from other 
distributions, too.  In order for your rules to work, load the relevant 
module:

modprobe ip_conntrack_amanda

During the backup, you should see the connection listed in the output of:

cat /proc/net/ip_conntrack

Also, you may want to tighten your rules somewhat.  I think you can get 
away with this:

/sbin/iptables -A INPUT -p udp -s xxx.xxx.xxx.xxx -m udp --dport 10080 -j ACCEPT
/sbin/iptables -A INPUT -s xxx.xxx.xxx.xxx -m state --state RELATED,ESTABLISHED -j ACCEPT

You may already have a non-source-specific version of the second rule somewhere in your ruleset, in which case you'd only add the first rule.

Nick Golder wrote:

>On 2004-01-19 13:58 -0700, MATSUI Nobuki wrote:
>>I am using a narc to generate iptables rules and I have the rules below in
>>/etc/narc/narc-custom.conf to allow an amanda server to communicate with
>>a local client.  The problem is that even though those rules are being
>>applied (checked with iptables -L), they don't produce the desired effect.
>>Amanda's known to use random higher ports and that's why I have 'RELATED'
>>in my rules.  amcheck works fine though.  Could anybody help?
>>best,
>>
>>/sbin/iptables -A INPUT -p tcp -s xxx.xxx.xxx.xxx -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
>>/sbin/iptables -A INPUT -p udp -s xxx.xxx.xxx.xxx -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
>
>Don't know if this would help or not:
><snip from kernel config>
>CONFIG_IP_NF_AMANDA:
>
>If you are running the Amanda backup package (http://www.amanda.org/)
>on this machine or machines that will be MASQUERADED through this
>machine, then you may want to enable this feature.  This allows the
>connection tracking and natting code to allow the sub-channels that
>Amanda requires for communication of the backup data, messages and
>index.
>
>If you want to compile it as a module, say M here and read
>Documentation/modules.txt.  If unsure, say `N'.
></snip>
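An added check for John's suggestion to look at /proc/net/ip_conntrack during the backup (example code, not from the thread): it parses the old ip_conntrack line format and pairs each tracked amandad request with the TCP sub-channels the server has opened back to the client, which is what the amanda helper's RELATED tracking should make visible. The sample lines and all addresses are constructed; on a real client, read the file instead of SAMPLE.

```python
import re

AMANDA_PORT = 10080  # amandad, the UDP control port the first INPUT rule opens

# Constructed sample of /proc/net/ip_conntrack output (2.4-era layout):
# proto number timeout [state] original-tuple reply-tuple [ASSURED] use=N.
# The Amanda server 192.0.2.20 sent a UDP request to the client 192.0.2.10,
# then connected back to two high ports the client offered. The last line is
# an unrelated SSH session and must be ignored.
SAMPLE = """\
udp      17 28 src=192.0.2.20 dst=192.0.2.10 sport=1003 dport=10080 src=192.0.2.10 dst=192.0.2.20 sport=10080 dport=1003 use=1
tcp      6 431999 ESTABLISHED src=192.0.2.20 dst=192.0.2.10 sport=1049 dport=50001 src=192.0.2.10 dst=192.0.2.20 sport=50001 dport=1049 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=192.0.2.20 dst=192.0.2.10 sport=1050 dport=50002 src=192.0.2.10 dst=192.0.2.20 sport=50002 dport=1050 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=198.51.100.7 dst=192.0.2.10 sport=40000 dport=22 src=192.0.2.10 dst=198.51.100.7 sport=22 dport=40000 [ASSURED] use=1
"""

# The first src/dst/sport/dport group on a line is the original direction,
# i.e. who opened the connection.
TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


def parse_conntrack(text):
    """Yield (proto, src, dst, sport, dport) for the original tuple of each entry."""
    for line in text.splitlines():
        if not line.strip():
            continue
        proto = line.split()[0]
        m = TUPLE_RE.search(line)
        if m is None:
            continue  # entries without a port tuple (e.g. icmp) are not of interest
        src, dst, sport, dport = m.groups()
        yield proto, src, dst, int(sport), int(dport)


def amanda_sessions(text):
    """Map (server, client) of each tracked amandad request to the TCP ports
    the server has since opened on that client (the helper's sub-channels)."""
    entries = list(parse_conntrack(text))
    sessions = {}
    for proto, src, dst, _sport, dport in entries:
        if proto == "udp" and dport == AMANDA_PORT:
            sessions[(src, dst)] = []
    for proto, src, dst, _sport, dport in entries:
        if proto == "tcp" and (src, dst) in sessions:
            sessions[(src, dst)].append(dport)
    return sessions


if __name__ == "__main__":
    for (server, client), ports in amanda_sessions(SAMPLE).items():
        print(f"amanda {server} -> {client}: data channels {sorted(ports)}")
```

If a session shows the UDP entry but an empty port list while a dump is running, the server's data connections are not being matched as RELATED, which usually means ip_conntrack_amanda is not loaded.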