How To:Set Up iptables for Amanda: Difference between revisions

From wiki.zmanda.com

Revision as of 19:46, 11 January 2006

Objective

The purpose of this page is to provide a quick recipe for configuring a firewall using iptables for use with AMANDA. The recipe here is minimalist, in that we open only ports that need to be opened, without any duplications.

More detailed information about port usage can be found in the AMANDA documentation.

Comments, corrections, and additions to the text are most welcome.


About the Author

This document was originally created by David Leangen. He had to configure his own network himself and wanted to contribute back to the community by documenting his experience using iptables.

Please feel free to directly contact the author. (Note, however, that I use a whitelist filter and challenge/response system, so if you don't like these systems, please write to the list.)


Assumptions

We assume the following:

  • a tape server host, TSHost, having IP address 192.168.2.2
  • TSHost is not directly connected to the Internet
  • TSHost is also an AMANDA backup client
  • firewall server FWHost with IP address 192.168.2.1
  • FWHost is also an AMANDA backup client
  • FWHost is accessible from the Internet through IP address 1.2.3.4
  • local host LHost with IP address 192.168.2.3
  • remote host RHost, accessible via 2.3.4.5
  • each host uses iptables
  • each host has a basic policy of "deny all incoming" and "accept all outgoing"
  • each host has a basic policy of "accept all from localhost"

Also:

  • AMANDA is configured on each host --with-tcpportrange 50000:50100
  • AMANDA is configured on each host --with-udpportrange 700:710
  • The above ports are available and connection to these ports is successful

Note: For now, this document ONLY covers the backup process, no recovery.

                +---------+
                |  RHost  |
                | 2.3.4.5 |
                +---------+
                     |
                     |
                     |
                +-----------+
                |   FWHost  |
                |  1.2.3.4  |
                |192.168.2.1|
                +-----------+
                /         \
               /           \
              /             \
    +-----------+         +-----------+
    |   LHost   |         |   TSHost  |
    |192.168.2.3|         |192.168.2.2|
    +-----------+         +-----------+
 

Services Used

  • AMANDA tape server host: amandaidx (10082/tcp), amandatape (10083/tcp)
  • AMANDA client: amandad (10080/udp)

The port numbers here are the ports that these services are listening on.


IP Traffic

Traffic is sent between the hosts in the following manner during the backup process.

 Waiting state:
      RHost listens on 10080/udp
      FWHost listens on 10080/udp
      LHost listens on 10080/udp
      TSHost listens on 10080/udp
 
 amdump process begins:
      TSHost sends request to RHost on port 10080/udp (via FWHost)
      TSHost sends request to FWHost on port 10080/udp
      TSHost sends request to LHost on port 10080/udp
      TSHost sends request to localhost on port 10080/udp
 
 amandad process begins on each client:
      xHost accepts request on 10080/udp
      xHost replies (sendbackup) to TSHost on a port in --with-tcpportrange

Traffic is sent between the hosts in the following manner during recovery.

  1) amrecover, using a TCP privileged port, connects to the index server (amindexd) on port 10082
  2) at the same time, amrecover, using a TCP privileged port, connects to the taper server (amidxtaped) on port 10083
  3) recovered data is sent from the server using a TCP port to the client's TCP privileged port
      below is the iptables LOG of an amrecover session:
Jan 11 11:19:23 boston kernel: amanda high: IN=eth0 OUT= MAC=00:90:f5:3c:de:6d:00:0c:29:d7:98:6c:08:00 SRC=192.168.10.211 DST=192.168.10.237 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9053 DF PROTO=TCP SPT=586 DPT=10082 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 11 11:20:02 boston kernel: amanda high: IN=eth0 OUT= MAC=00:90:f5:3c:de:6d:00:0c:29:d7:98:6c:08:00 SRC=192.168.10.211 DST=192.168.10.237 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=8442 DF PROTO=TCP SPT=642 DPT=10083 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 11 11:20:02 boston kernel: amanda low: IN=eth0 OUT= MAC=00:90:f5:3c:de:6d:00:0c:29:d7:98:6c:08:00 SRC=192.168.10.211 DST=192.168.10.237 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=48387 DF PROTO=TCP SPT=643 DPT=1130 WINDOW=5840 RES=0x00 SYN URGP=0

Required Ports: Summary

In summary, therefore, we need to open up the following ports:

Incoming:

  • TSHost: 50000:50100/tcp
  • LHost: 10080/udp
  • FWHost: 10080/udp
  • RHost: 10080/udp

Outgoing:

  • TSHost: 10080/udp
  • LHost: 50000:50100/tcp
  • FWHost: 50000:50100/tcp
  • RHost: 50000:50100/tcp

Notes:

  • We do not need to open 10080/udp on TSHost, since the request to 10080 comes from "localhost", and based on our assumptions above, all connections from localhost are accepted.
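As an added example, not code from the wiki page: a small Python audit that parses iptables LOG lines like the amrecover ones above and checks each packet against the port plan in this summary. The sample input is the page's three amrecover lines (trimmed to the fields the check uses) plus two constructed backup-phase lines with hypothetical hosts; the third amrecover line is reported as unexpected because the summary covers only the backup process.

```python
import re

# Port plan taken from this page's Services Used / Required Ports sections.
TCP_RANGE = range(50000, 50101)          # --with-tcpportrange 50000:50100
UDP_RANGE = range(700, 711)              # --with-udpportrange 700:710
TCP_SERVICES = {10082: "amandaidx", 10083: "amandatape"}

FIELD = re.compile(r"(\w+)=(\S*)")       # KEY=VALUE tokens of an iptables LOG line

# Sample input: the page's three amrecover log lines (trimmed to the fields used
# here) followed by two constructed backup-phase lines with hypothetical hosts.
SAMPLE_LOG = [
    "Jan 11 11:19:23 boston kernel: amanda high: IN=eth0 OUT= SRC=192.168.10.211 "
    "DST=192.168.10.237 LEN=60 PROTO=TCP SPT=586 DPT=10082 SYN URGP=0",
    "Jan 11 11:20:02 boston kernel: amanda high: IN=eth0 OUT= SRC=192.168.10.211 "
    "DST=192.168.10.237 LEN=60 PROTO=TCP SPT=642 DPT=10083 SYN URGP=0",
    "Jan 11 11:20:02 boston kernel: amanda low: IN=eth0 OUT= SRC=192.168.10.211 "
    "DST=192.168.10.237 LEN=60 PROTO=TCP SPT=643 DPT=1130 SYN URGP=0",
    "Jan 11 02:00:01 lhost kernel: amanda: IN=eth0 OUT= SRC=192.168.2.2 "
    "DST=192.168.2.3 LEN=60 PROTO=UDP SPT=705 DPT=10080",          # constructed
    "Jan 11 02:00:01 tshost kernel: amanda: IN=eth0 OUT= SRC=192.168.2.3 "
    "DST=192.168.2.2 LEN=60 PROTO=TCP SPT=51000 DPT=50010 SYN",    # constructed
]

def parse_log(line):
    """Split one iptables LOG line into its KEY=VALUE fields (ports as ints)."""
    f = dict(FIELD.findall(line))
    f["PROTO"] = f.get("PROTO", "").lower()
    for key in ("SPT", "DPT"):
        f[key] = int(f[key]) if key in f else None
    return f

def classify(f):
    """Name the Amanda flow a logged packet belongs to, or flag why it is odd."""
    proto, spt, dpt = f["PROTO"], f["SPT"], f["DPT"]
    if proto == "udp" and dpt == 10080:
        # amdump request to amandad: the tape server sends it from udpportrange
        return "amandad" if spt in UDP_RANGE else f"amandad: SPT {spt} outside udpportrange"
    if proto == "tcp" and dpt in TCP_RANGE:
        return "sendbackup data connection"       # client back to the tape server
    if proto == "tcp" and dpt in TCP_SERVICES:
        # amrecover control connections come from a privileged (<1024) source port
        name = TCP_SERVICES[dpt]
        return name if spt < 1024 else f"{name}: SPT {spt} not privileged"
    return "unexpected"                           # not in the port plan above

def audit(lines):
    """Return (SRC, DST, verdict) per log line for review."""
    return [(f.get("SRC"), f.get("DST"), classify(f)) for f in map(parse_log, lines)]
```

Run `audit(SAMPLE_LOG)` to get one verdict per line; anything reported as unexpected or with an out-of-range source port is a packet the minimalist rules on this page would not allow.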


iptables Configuration

TSHost

We want to open up tcp traffic to ports 50000:50100 (the configured --with-tcpportrange) with the restriction that the source hosts all reside on the local network (192.168.*.*). Note that this works for the remote host as well because, as we document later, packets from RHost are NATted on the firewall.

 iptables -t filter -A INPUT -p tcp -s 192.168.0.0/16 -m tcp --dport 50000:50100 -j ACCEPT

That's it!

LHost

A local host is also quite easy to set up. We only need to accept a connection from TSHost to port 10080/udp.

 iptables -t filter -A INPUT -p udp -m udp -s 192.168.2.2 --dport 10080 -j ACCEPT

So far, so good!

RHost

From the remote host's perspective, the only difference between it and a local host is that rather than seeing traffic originating from 192.168.2.2 on the local network, it sees the request as coming from 1.2.3.4. This is simply because the packets were NATted by the firewall.

 iptables -t filter -A INPUT -p udp -m udp -s 1.2.3.4 --dport 10080 -j ACCEPT

No problem, right?

FWHost

We leave the firewall for last, since it is by far the most complex.

Essentially, all we want to do is NAT the packets going in and out of the local network, but without "interfering" with any of the packets that remain within the local network. It turns out that this is not so difficult to accomplish.

First, we translate incoming packets from RHost.

 iptables -t nat -A PREROUTING -p tcp -s 2.3.4.5 --dport 50000:50100 -j DNAT --to 192.168.2.2

Next, we masquerade all outgoing traffic, if you have not done so already.

 iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

Of course, we must not forget that the firewall is itself a backup client. This is done exactly the same way as with LHost, since FWHost is also a local host.

 iptables -t filter -A INPUT -p udp -m udp -s 192.168.2.2 --dport 10080 -j ACCEPT

There, that wasn't so bad, was it?

Additional Notes

Extracts from mailing list:

 Currently, amanda will try the tcpportrange/udpportrange first. 
 If it couldn't find an open port in that range, it will try to 
 get ANY open port. In this case, it will fail in your firewall 
 setup.
 
 I'm working to correct this mis-behavior.
 
 I am working on changing -with-tcpportrange, -with-udpportrange 
 to be configurable in amanda.conf. I likely need to split them 
 into three categories:
 
     udp_privileged_port_range
     tcp_privileged_port_range {new}
     tcp_normal_port_range
 
 Will update with more information soon.
 
                                   -- Kevin Till


References

Wish List

Add to this list what you would like to see on this page.


Positive feedback that it can handle all the situations:

  • server behind firewall, client in dmz, client on the internet
  • server behind NAT, client behind NAT, both behind NAT
  • amrecover in all the situations above