How To:Set Up iptables for Amanda

From The Open Source Backup Wiki (Amanda, MySQL Backup, BackupPC)
(Redirected from Configuration with iptables)
Jump to navigationJump to search

This article is a part of the How Tos collection.

This document was originally created by David Leangen.

Objective

The purpose of this page is to provide a quick recipe for configuring a firewall using iptables for use with Amanda. The recipe here is minimalistic, in that we open only ports that need to be opened, without any duplications.

More detailed information about port usage by "bsd" authentication can be found in the TCP/UDP ports.

This section assumes "bsd" authentication is being used between Amanda server and client. This section covers the backup process and recovery process is not covered in this section.

Example

This section uses following example to illustrate the use of iptables with Amanda.

  • a tape server host, TSHost, having IP address 192.168.2.2
  • TSHost is not directly connected to the Internet
  • TSHost is also an Amanda backup client
  • firewall server FWHost with IP address 192.168.2.1
  • FWHost is also an Amanda backup client
  • FWHost is accessible from the Internet through IP address 1.2.3.4
  • local host LHost with IP address 192.168.2.3
  • remote host RHost, accessible via 2.3.4.5
  • each host uses iptables
  • each host has a basic policy of "deny all incoming" and "accept all outgoing"
  • each host has a basic policy of "accept all from localhost"

Also:

  • Amanda is configured on each host --with-tcpportrange 50000:50100
  • Amanda is configured on each host --with-udpportrange 700:710
  • The above ports are available and connection to these ports is successful


                +---------+
                |  RHost  |
                | 2.3.4.5 |
                +---------+
                     |
                     |
                     |
                +-----------+
                |   FWHost  |
                |  1.2.3.4  |
                |192.168.2.1|
                +-----------+
                /         \
               /           \
              /             \
    +-----------+         +-----------+
    |   LHost   |         |   TSHost  |
    |192.168.2.3|         |192.168.2.2|
    +-----------+         +-----------+
 

Services Used

  • Amanda tape server host: amindexd (10082/tcp), amidxtaped (10083/tcp)
  • Amanda client: amandad (10080/udp)

The port numbers here are the ports that these services are listening on.


IP Traffic

Traffic is sent between the hosts in the following manner during the backup process.

 Waiting state:
      RHost listens on 10080/udp
      FWHost listens on 10080/udp
      LHost listens on 10080/udp
      TSHost listens on 10080/udp
 
 amdump process begins:
      TSHost sends request to RHost on port 10080/udp (via FWHost)
      TSHost sends request to FWHost on port 10080/udp
      TSHost sends request to LHost on port 10080/udp
      TSHost sends request to localhost on port 10080/udp
 
 amandad process begins on each client:
      xHost accepts request on 10080/udp
      xHost replies (sendbackup) to TSHost on a port in --with-tcpportrange

Traffic is sent between the hosts in the following manner during recovery

  1) amrecover using TCP privileged port connects to index server(amindexd) on port 10082
  2) at the same time, amrecover using TCP privileged port connects to taper server(amidxtaped) on port 10083
  3) recovered data is sent from server using TCP port to client's TCP privileged port
      below is the iptables LOG on a amrecover session:
 Jan 11 11:19:23 boston kernel: amanda high: IN=eth0 OUT= MAC=00:90:f5:3c:de:6d:00:0c:29:d7:98:6c:08:00 SRC=192.168.10.211              
DST=192.168.10.237 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9053 DF PROTO=TCP SPT=586 DPT=10082 WINDOW=5840 RES=0x00 SYN URGP=0
 Jan 11 11:20:02 boston kernel: amanda high: IN=eth0 OUT= MAC=00:90:f5:3c:de:6d:00:0c:29:d7:98:6c:08:00 SRC=192.168.10.211
 DST=192.168.10.237 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=8442 DF PROTO=TCP SPT=642 DPT=10083 WINDOW=5840 RES=0x00 SYN URGP=0
J an 11 11:20:02 boston kernel: amanda low: IN=eth0 OUT= MAC=00:90:f5:3c:de:6d:00:0c:29:d7:98:6c:08:00 SRC=192.168.10.211
 DST=192.168.10.237 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=48387 DF PROTO=TCP SPT=643 DPT=1130 WINDOW=5840 RES=0x00 SYN URGP=0

Iptables rule used on the above amrecover example

# amanda
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 10082:10083 -j LOG \
       --log-prefix "amanda high: "
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 10082:10083 -j ACCEPT
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 1100:1150 -j LOG \
       --log-prefix "amanda low: "
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 1100:1150 -j ACCEPT

Required Ports: Summary

In summary, therefore, we need to open up the following ports:

Incoming:

  • TSHost: 50000:50100/tcp
  • LHost: 10080/udp
  • FWHost: 10080/udp
  • RHost: 10080/udp

Outgoing:

  • TSHost: 10080/udp
  • LHost: 50000:50100/tcp
  • FWHost: 50000:50100/tcp
  • RHost: 50000:50100/tcp

Notes:

  • We do not need to open 10080/udp on TSHost, since the request to 10080 comes from "localhost", and based on our assumptions above, all connections from localhost are accepted.


Two approaches to the problem

There are two methods to use iptables for Amanda backup process.

Iptables module ip_conntrack_amanda

First is to use the iptable connection tracking module for Amanda, ip_conntrack_amanda. What it does it to pick out the connection ports by searching for the "CONNECT" command in the packet and mark them as RELATED to the original outgoing connection. For example: amandad client sends command to server:

 CONNECT DATA 32877 MESG 32880 INDEX 32883

client log:

 amandad: time 1.381: stream_accept: connection from 192.168.10.237.1103
 amandad: time 1.383: stream_accept: connection from 192.168.10.237.1104
 amandad: time 1.390: stream_accept: connection from 192.168.10.237.1105

server log:

dumper: stream_client: connected to 192.168.10.211.32877
dumper: stream_client: our side is 0.0.0.0.1103
dumper: stream_client: connected to 192.168.10.211.32880
dumper: stream_client: our side is 0.0.0.0.1104
dumper: stream_client: connected to 192.168.10.211.32883
dumper: stream_client: our side is 0.0.0.0.1105

You may need to adjust the timeout that the module keeps connections tracked on the 10080/udp port. In the file /etc/modprobe.conf:

options  ip_conntrack_amanda  master_timeout=3600

Load the module on each computer involved with:

# modprobe ip_conntrack_amanda

On recent versions of Red Hat Enterprise Linux/CentOS and Fedora you can add ip_conntrack_amanda to the IPTABLES_MODULES entry in /etc/sysconfig/iptables-config:

IPTABLES_MODULES="ip_conntrack_amanda"


iptables Configuration

Second method is to follow the iptables configuration below.

TSHost

We want to open up udp traffic to ports 50000:50100 with the restriction that the source hosts all reside on the local network (192.168.*.*). Note that this works for the remote host as well because, as we document later, packets from RHost are NATted on the firewall.

 iptables -t filter -A INPUT -p tcp -s 129.168.0.0/16 -m tcp --dport 50000:50100 -j ACCEPT

LHost

A local host is also quite easy to setup. We only need to listen from a connection from TSHost to port 10080/udp.

 iptables -t filter -A INPUT -p udp -m udp -s 192.168.2.2 --dport 10080 -j ACCEPT


RHost

From the remote host's perspective, the only difference between it and a local host is that rather than seeing traffic originating from 192.168.2.2 on the local network, it sees the request as coming from 1.2.3.4. This is simply because the packets were NATted by the firewall.

 iptables -t filter -A INPUT -p udp -m udp -s 1.2.3.4 --dport 10080 -j ACCEPT

FWHost

We leave the firewall for last, since it is by far the most complex.

Essentially, all we want to do is NAT the packets going in and out of the local network, but without "interfering" with any of the packets that remain within the local network. It turns out that this is not so difficult to accomplish.

First, we translate incoming packets from RHost.

 iptables -t nat -A PREROUTING -p tcp -s 2.3.4.5 --dport 50000:50100 -j DNAT --to 192.168.2.2

Next, we masquerade all outgoing traffic, if you have not done so already.

 iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

Of course, we must not forget that the firewall is itself a backup client. This is done exactly the same way as with LHost, since FWHost is also a local host.

 iptables -t filter -A INPUT -p udp -m udp -s 192.168.2.2 --dport 10080 -j ACCEPT

Additional Notes

  • If a DLE is large and the client is behind an iptables firewall, the MESG or INDEX channel can timeout (while the DATA channel is busy doing the backup transfer). This is because iptables has a timeout (30 minutes) to kill inactive TCP connections, and the estimate takes longer than that. The kernel sends keepalive packets on TCP, but the default time (2 hours (7200 seconds)) is longer than the iptables timeout so iptables decides the connection has been abandoned and tears it down.

To fix this by setting the kernel keepalive time to 15 minutes, login as root on the client and:

'echo 900 >/proc/sys/net/ipv4/tcp_keepalive_time'

or add the above to your iptables startup script so that it will be set every time.


  • If you're using ip_conntrack_amanda module, the default master_timeout is the timeout (in seconds) of the master connection (port 10080). This defaults to 5 minutes but if your clients take longer than 5 minutes to do their work before getting back to the Amanda server, you can increase this value. For example:
modprobe ip_conntrack_amanda 600 
  • These approach can handle all the situations:
    • server behind firewall, client in dmz, client on the internet
    • server behind NAT, client behind NAT, both behind NAT
    • amrecover in all the situations above