How To:Set Up iptables for Amanda

From wiki.zmanda.com
Revision as of 02:06, 6 December 2005 by Dleangen (talk | contribs)

Configuration with iptables

Objective

The purpose of this page is to provide a quick recipe for configuring a firewall with iptables for use with AMANDA. The recipe is minimalist: we open only the ports that must be open, and each of them only on the host, and for the source address, that actually needs it.

More detailed information about port usage can be found in the AMANDA documentation.

Comments, corrections, and additions to the text are most welcome.


About the Author

This document was originally created by David Leangen. He had to configure his own network and wanted to contribute back to the community by documenting his experience with iptables.

Please feel free to contact the author.


Assumptions

We assume the following:

  • a tape server host, TSHost, having IP address 192.168.2.2
  • TSHost is not directly connected to the Internet
  • TSHost is also an AMANDA backup client
  • firewall server FWHost with IP address 192.168.2.1
  • FWHost is also an AMANDA backup client
  • FWHost is accessible from the Internet through IP address 1.2.3.4
  • local host LHost with IP address 192.168.2.3
  • remote host RHost, accessible via 2.3.4.5
  • each host uses iptables
  • each host has a basic policy of "deny all incoming" and "accept all outgoing"
  • each host has a basic policy of "accept all from localhost"

Also:

  • AMANDA was built on each host with --with-tcpportrange=50000,50100 (TCP ports 50000:50100)
  • AMANDA was built on each host with --with-udpportrange=700,710 (UDP ports 700:710, a reserved range, as the bsd authentication of amandad requires)
  • Those port ranges are free on every host, and nothing other than the firewall rules discussed here stands between the hosts


                +---------+
                |  RHost  |
                | 2.3.4.5 |
                +---------+
                     |
                     |
                     |
                +-----------+
                |   FWHost  |
                |  1.2.3.4  |
                |192.168.2.1|
                +-----------+
                /         \
               /           \
              /             \
    +-----------+         +-----------+
    |   LHost   |         |   TSHost  |
    |192.168.2.3|         |192.168.2.2|
    +-----------+         +-----------+
 

Services Used

  • AMANDA tape server host: amandaidx (10082/tcp), amandatape (10083/tcp)
  • AMANDA client: amandad (10080/udp)

The port numbers here are the ports that these services are listening on.


IP Traffic

Traffic is sent between the hosts in the following manner during the backup process.

 Waiting state:
      RHost listens on 10080/udp (amandad)
      FWHost listens on 10080/udp
      LHost listens on 10080/udp
      TSHost listens on 10080/udp
 
 amdump process begins:
      TSHost sends a request, from a port in --with-udpportrange, to RHost on port 10080/udp (via FWHost)
      TSHost sends a request to FWHost on port 10080/udp
      TSHost sends a request to LHost on port 10080/udp
      TSHost sends a request to localhost on port 10080/udp
 
 amandad process begins on each client:
      xHost accepts the request on 10080/udp
      xHost (amandad) replies over UDP, from 10080/udp, to the port TSHost sent from
      xHost (sendbackup) listens on two or three TCP ports in --with-tcpportrange (data, message and,
      if indexing is enabled, index); the reply tells TSHost which ports, and TSHost connects to them

Traffic is sent between the hosts in the following manner during recovery.

 ??? (Need somebody with more knowledge of AMANDA to explain)


Required Ports: Summary

In summary, therefore, we need to open up the following ports:

  • TSHost: nothing for its own backup (the request comes from localhost); only the UDP replies of the other clients, from 10080/udp on 192.168.2.3, 192.168.2.1 and 2.3.4.5 to 700:710/udp, unless the base policy already accepts established traffic
  • LHost: 10080/udp and 50000:50100/tcp from 192.168.2.2
  • FWHost: 10080/udp and 50000:50100/tcp from 192.168.2.2 (as a client); forwarding of 10080/udp and 50000:50100/tcp from 192.168.2.2 to 2.3.4.5, plus the replies, with the source of that traffic rewritten to 1.2.3.4
  • RHost: 10080/udp and 50000:50100/tcp from 1.2.3.4


Notes:

  • We do not need to open 10080/udp on TSHost, since the request to 10080 comes from "localhost", and based on our assumptions above, all connections from localhost are accepted. The same holds for the TCP connections TSHost makes to its own sendbackup.
  • The client's UDP reply arrives at TSHost on a port in 700:710. With a plain "deny all incoming" policy it is dropped, so either accept it explicitly from each client or, as most base rulesets already do, accept ESTABLISHED,RELATED traffic.
  • On RHost the request arrives with source address 1.2.3.4, because FWHost rewrites the source of the LAN traffic. The source port may be rewritten as well, so do not rely on matching 700:710 there.
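The rules implied by the summary above, as an added example that is not part of the original page nor of AMANDA itself. It assumes bsd (UDP) authentication with the traffic pattern described under "IP Traffic", that FWHost performs source NAT of the LAN traffic to 1.2.3.4, and that each host's base policy (deny incoming, accept outgoing, accept localhost) is already in place; the addresses and port ranges are the ones from the Assumptions section, and the function names and the IPT variable are this example's own. Setting IPT=echo prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example (not from the AMANDA project): iptables rules for the hosts
# in the diagram. Run as root on the host in question:
#   sh amanda-fw.sh tshost|lhost|fwhost|rhost
# Assumptions: bsd/UDP auth (server -> client 10080/udp from a port in the
# udpportrange, client replies from 10080/udp to that port, server then
# connects to TCP ports in the client's tcpportrange); FWHost SNATs LAN
# traffic bound for RHost to 1.2.3.4.
set -eu

IPT=${IPT:-iptables}      # IPT=echo for a dry run

TSHOST=192.168.2.2        # tape server, also a client
FWHOST_INT=192.168.2.1    # firewall, LAN side
FWHOST_EXT=1.2.3.4        # firewall, Internet side
LHOST=192.168.2.3
RHOST=2.3.4.5
TCP_RANGE=50000:50100     # --with-tcpportrange=50000,50100
UDP_RANGE=700:710         # --with-udpportrange=700,710

# What a client must accept from the tape server.
# $1 = address the server's packets carry on arrival (1.2.3.4 on RHost).
# $2 = optional UDP source-port range; omitted where SNAT may rewrite it.
client_rules() {
    if [ -n "${2:-}" ]; then
        $IPT -A INPUT -p udp -s "$1" --sport "$2" --dport 10080 -j ACCEPT
    else
        $IPT -A INPUT -p udp -s "$1" --dport 10080 -j ACCEPT
    fi
    $IPT -A INPUT -p tcp -s "$1" --dport "$TCP_RANGE" -j ACCEPT
}

# What the tape server must accept back: amandad's UDP reply from client $1
# to the request's source port. Redundant if the base policy already has an
# ESTABLISHED,RELATED rule.
server_reply_rules() {
    $IPT -A INPUT -p udp -s "$1" --sport 10080 --dport "$UDP_RANGE" -j ACCEPT
}

# FWHost: forward TSHost's requests and data connections to RHost, let the
# replies back through conntrack, and rewrite the source to the public address.
forward_rules() {
    $IPT -A FORWARD -s "$TSHOST" -d "$RHOST" -p udp --dport 10080 -j ACCEPT
    $IPT -A FORWARD -s "$TSHOST" -d "$RHOST" -p tcp --dport "$TCP_RANGE" -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -t nat -A POSTROUTING -s "$TSHOST" -d "$RHOST" -j SNAT --to-source "$FWHOST_EXT"
}

apply_rules() {
    case "$1" in
        tshost)  # its own backup runs over localhost, already accepted
                 server_reply_rules "$LHOST"
                 server_reply_rules "$FWHOST_INT"
                 server_reply_rules "$RHOST" ;;
        lhost)   client_rules "$TSHOST" "$UDP_RANGE" ;;
        fwhost)  client_rules "$TSHOST" "$UDP_RANGE"
                 forward_rules ;;
        rhost)   client_rules "$FWHOST_EXT" ;;   # no --sport: SNAT may rewrite it
        *)       echo "usage: $0 tshost|lhost|fwhost|rhost" >&2; return 1 ;;
    esac
}

if [ $# -gt 0 ]; then
    apply_rules "$1"
fi
```

The UDP source port is matched only for the LAN clients: on RHost the request has passed through FWHost's SNAT, which keeps the original source port only when it is free and otherwise picks another reserved one, so a 700:710 match there would intermittently break backups. Rerunning the script appends duplicate rules; flush the chain, or check with iptables -C, before running it again.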


Additional Notes

Extract from the mailing list:

 Currently, amanda will try the tcpportrange/udpportrange first. 
 If it couldn't find an open port in that range, it will try to 
 get ANY open port. In this case, it will fail in your firewall 
 setup.
 
 I'm working to correct this misbehavior.
 
 I am working on changing --with-tcpportrange, --with-udpportrange 
 to be configurable in amanda.conf. I likely need to split them 
 into three categories:
 
     udp_privileged_port_range
     tcp_privileged_port_range {new}
     tcp_normal_port_range
 
 Will update with more information soon.
 
                                   -- Kevin Till