How To:Set Up iptables for Amanda: Difference between revisions

From wiki.zmanda.com
Revision as of 02:06, 6 December 2005

Configuration with iptables

Objective

The purpose of this page is to provide a quick recipe for configuring a firewall using iptables for use with AMANDA. The recipe here is minimalist, in that we open only ports that need to be opened, without any duplications.

More detailed information about port usage can be found in the AMANDA documentation.

Comments, corrections, and additions to the text are most welcome.


About the Author

This document was originally created by David Leangen. He had to configure his own network and wanted to contribute back to the community by documenting his experience using iptables.

Please feel free to contact the author.


Assumptions

We assume the following:

  • a tape server host, TSHost, having IP address 192.168.2.2
  • TSHost is not directly connected to the Internet
  • TSHost is also an AMANDA backup client
  • firewall server FWHost with IP address 192.168.2.1
  • FWHost is also an AMANDA backup client
  • FWHost is accessible from the Internet through IP address 1.2.3.4
  • local host LHost with IP address 192.168.2.3
  • remote host RHost, accessible via 2.3.4.5
  • each host uses iptables
  • each host has a basic policy of "deny all incoming" and "accept all outgoing"
  • each host has a basic policy of "accept all from localhost"

Also:

  • AMANDA is configured on each host --with-tcpportrange 50000:50100
  • AMANDA is configured on each host --with-udpportrange 700:710
  • The above ports are available and connection to these ports is successful


                +---------+
                |  RHost  |
                | 2.3.4.5 |
                +---------+
                     |
                     |
                     |
                +-----------+
                |   FWHost  |
                |  1.2.3.4  |
                |192.168.2.1|
                +-----------+
                /         \
               /           \
              /             \
    +-----------+         +-----------+
    |   LHost   |         |   TSHost  |
    |192.168.2.3|         |192.168.2.2|
    +-----------+         +-----------+
 

Services Used

  • AMANDA tape server host: amandaidx (10082/tcp), amandatape (10083/tcp)
  • AMANDA client: amandad (10080/udp)

The port numbers here are the ports that these services are listening on.


IP Traffic

Traffic is sent between the hosts in the following manner during the backup process.

 Waiting state:
      RHost listens on 10080/udp
      FWHost listens on 10080/udp
      LHost listens on 10080/udp
      TSHost listens on 10080/udp
 
 amdump process begins:
      TSHost sends request to RHost on port 10080/udp (via FWHost)
      TSHost sends request to FWHost on port 10080/udp
      TSHost sends request to LHost on port 10080/udp
      TSHost sends request to localhost on port 10080/udp
 
 amandad process begins on each client:
      xHost accepts request on 10080/udp
      xHost replies (sendbackup) to TSHost on a port in --with-tcpportrange

Traffic is sent between the hosts in the following manner during recovery.

 ??? (Need somebody with more knowledge of AMANDA to explain)
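The backup flow described above, expressed as iptables INPUT rules. This is an added example, not a script from the wiki page, and it assumes the flow is accurate as written, the addresses and port ranges from the Assumptions section, that clients run amrecover against TSHost (hence amandaidx/amandatape), and, for RHost, that FWHost masquerades TSHost's traffic as 1.2.3.4 (NAT on FWHost itself is not covered here).

```shell
#!/bin/sh
# Added example (not from the wiki page): print the iptables INPUT rules that
# the backup traffic described above implies. Hosts, the 50000:50100 TCP range
# and the 700:710 UDP range are the page's assumptions; verify the flow
# against your own AMANDA version before applying the output.
TSHOST=192.168.2.2
TCP_RANGE=50000:50100   # --with-tcpportrange: TSHost listens here for sendbackup
UDP_RANGE=700:710       # --with-udpportrange: source ports of TSHost's requests

# Every AMANDA client (LHost, FWHost, RHost): accept the amandad request on
# 10080/udp. Restricting the source port to the udpportrange keeps the rule
# tight. Optional argument: the address the request arrives from; on RHost
# this is FWHost's public address 1.2.3.4 if FWHost masquerades (assumption).
client_rules() {
    server=${1:-$TSHOST}
    echo "iptables -A INPUT -p udp -s $server --sport $UDP_RANGE --dport 10080 -j ACCEPT"
}

# Tape server (TSHost): for each client address given as an argument, accept
#   1. the sendbackup TCP connection into the tcpportrange,
#   2. amandad's UDP reply, which comes back to our request's source port
#      (a conntrack ESTABLISHED rule would cover this too), and
#   3. amandaidx/amandatape (10082, 10083) for amrecover.
# The request to TSHost's own client goes via localhost and needs no rule.
server_rules() {
    for client in "$@"; do
        echo "iptables -A INPUT -p tcp -s $client --dport $TCP_RANGE -j ACCEPT"
        echo "iptables -A INPUT -p udp -s $client --sport 10080 --dport $UDP_RANGE -j ACCEPT"
        echo "iptables -A INPUT -p tcp -s $client -m multiport --dports 10082,10083 -j ACCEPT"
    done
}
```

On a client run `client_rules | sh` (or `client_rules 1.2.3.4 | sh` on RHost); on TSHost run `server_rules 192.168.2.3 192.168.2.1 2.3.4.5 | sh`.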


Required Ports: Summary

In summary, therefore, we need to open up the following ports:

  • TSHost:
  • LHost:
  • FWHost:
  • RHost:


Notes:

  • We do not need to open 10080/udp on TSHost, since the request to 10080 comes from "localhost", and based on our assumptions above, all connections from localhost are accepted.


Additional Notes

Extracts from mailing list:

 Currently, amanda will try the tcpportrange/udpportrange first. 
 If it couldn't find an open port in that range, it will try to 
 get ANY open port. In this case, it will fail in your firewall 
 setup.
 
 I'm working to correct this mis-behavior.
 
 I am working on changing -with-tcpportrange, -with-udpportrange
 to be configurable in amanda.conf. I likely need to split them 
 into three categories:
 
     udp_privileged_port_range
     tcp_privileged_port_range {new}
     tcp_normal_port_range
 
 Will update with more information soon.
 
                                   -- Kevin Till