Problem with ip_nat_amanda

Hi all,

I'm running into trouble using the new ip_nat_amanda module. It seems to correctly translate my internal IP into the nat-ext. if. IP for the "master connections" (UDP port 10080), but no translation is done for the TCP ones, as you can see from the sendbackup log. Now Amanda works if the client on the external net knows how to reach the IP of the internal server; this is good, but not very elegant for a nat implementation.
All machines use kernel 2.4.20-13.8 from RHNet, but I have also built a custom, patched 2.4.20-9 and found the same problem.
I suspect a problem in the ip_nat_amanda module, because otherwise my nat works great.
Can someone help me?


Thanks,
           Alessandro


Network diagram:


amanda client
       |
       | nat-ext. if.
     nat
       | nat-int. if.
       | 192.168.1.1
amanda server

iptables script:

...

FWD=`cat /proc/sys/net/ipv4/ip_forward`
echo "0" > /proc/sys/net/ipv4/ip_forward

echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

echo 0 > /proc/sys/net/ipv4/conf/all/log_martians

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout

echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl


$IPTABLES -P OUTPUT DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP


MODULE_DIR="/lib/modules/`uname -r`/kernel/net/ipv4/netfilter/"
MODULES=`(cd $MODULE_DIR; ls *_conntrack_* *_nat_* | sed 's/\.o.*$//')`
for module in $(echo $MODULES); do
    if $LSMOD | grep ${module} >/dev/null; then continue; fi
    if [ -e "${MODULE_DIR}/${module}.o" -o -e "${MODULE_DIR}/${module}.o.gz" ]; then
        $MODPROBE ${module} || exit 1
    fi
done



#
# Rule 0(NAT)
#
$IPTABLES -t nat -A PREROUTING -p tcp -s 192.168.1.0/24 --destination-port 80 -j REDIRECT --to-ports 8080
#
# Rule 1(NAT)
#
$IPTABLES -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j SNAT --to-source <nat-ext. if>
#



$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

...

#
# Rule 1(global)
#
$IPTABLES -A INPUT -p tcp -m multiport -s <nat-ext. if> --destination-ports 80,443,53,22,25 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p tcp -m multiport -s 192.168.0.2 --destination-ports 80,443,53,22,25 -m state --state NEW -j ACCEPT
$IPTABLES -N Cid3DE1F6A4.0
$IPTABLES -A INPUT -p udp -m multiport --destination-ports 53,123 -m state --state NEW -j Cid3DE1F6A4.0
$IPTABLES -A Cid3DE1F6A4.0 -s <nat-ext. if> -m state --state NEW -j ACCEPT
$IPTABLES -A Cid3DE1F6A4.0 -s 192.168.0.2 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -m multiport --destination-ports 80,443,53,22,25 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p udp -m multiport --destination-ports 53,123 -m state --state NEW -j ACCEPT


...
#
# Rule 8(global)
#
$IPTABLES -N RULE_8
$IPTABLES -A INPUT -s 192.168.1.0/24 -m state --state NEW -j RULE_8
$IPTABLES -A RULE_8 -m limit --limit 5/second -j LOG --log-level info --log-prefix "RULE 8 -- ACCEPT "
$IPTABLES -A RULE_8 -j ACCEPT
#
# Rule 13(global)
#
$IPTABLES -A INPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -s 192.168.1.0/24 -m state --state NEW -j ACCEPT
#
# Rule 14(global)
#
$IPTABLES -N RULE_14
$IPTABLES -A OUTPUT -j RULE_14
$IPTABLES -A INPUT -j RULE_14
$IPTABLES -A FORWARD -j RULE_14
$IPTABLES -A RULE_14 -m limit --limit 5/second -j LOG --log-level info --log-prefix "RULE 14 -- DROP "
$IPTABLES -A RULE_14 -j DROP
#
echo 1 > /proc/sys/net/ipv4/ip_forward





----- amandad log:


amandad: debug 1 pid 17674 ruid 33 euid 33 start time Fri May 23 21:00:00 2003
amandad: version 2.4.2p2
amandad: build: VERSION="Amanda-2.4.2p2"
amandad:        BUILT_DATE="Sun Jun 23 09:39:09 EDT 2002"
amandad:        BUILT_MACH="Linux perf90.perf.redhat.com 2.4.18-5smp #1 SMP Mon Jun 10 15:19:40 EDT 2002 i686 unknown"
amandad:        CC="gcc"
amandad: paths: bindir="/usr/bin" sbindir="/usr/sbin"
amandad:        libexecdir="/usr/lib/amanda" mandir="/usr/share/man"
amandad:        AMANDA_TMPDIR="/tmp/amanda" AMANDA_DBGDIR="/tmp/amanda"
amandad:        CONFIG_DIR="/etc/amanda" DEV_PREFIX="/dev/"
amandad:        RDEV_PREFIX="/dev/r" DUMP="/sbin/dump"
amandad:        RESTORE="/sbin/restore" SAMBA_CLIENT="/usr/bin/smbclient"
amandad:        GNUTAR="/bin/tar" COMPRESS_PATH="/bin/gzip"
amandad:        UNCOMPRESS_PATH="/bin/gzip" MAILER="/usr/bin/Mail"
amandad:        listed_incr_dir="/var/lib/amanda/gnutar-lists"
amandad: defs:  DEFAULT_SERVER="localhost" DEFAULT_CONFIG="DailySet1"
amandad:        DEFAULT_TAPE_SERVER="localhost"
amandad:        DEFAULT_TAPE_DEVICE="/dev/null" HAVE_MMAP HAVE_SYSVSHM
amandad:        LOCKING=POSIX_FCNTL SETPGRP_VOID DEBUG_CODE
amandad:        AMANDA_DEBUG_DAYS=4 BSD_SECURITY USE_AMANDAHOSTS
amandad:        CLIENT_LOGIN="amanda" FORCE_USERID HAVE_GZIP
amandad:        COMPRESS_SUFFIX=".gz" COMPRESS_FAST_OPT="--fast"
amandad:        COMPRESS_BEST_OPT="--best" UNCOMPRESS_OPT="-dc"
got packet:
--------
Amanda 2.4 REQ HANDLE 005-10680608 SEQ 1053716405
SECURITY USER amanda
SERVICE sendsize
OPTIONS maxdumps=5;hostname=<amanda client>;
GNUTAR / 0 1970:1:1:0:0:0 -1 exclude-file=./amhdisk
GNUTAR / 1 2003:5:21:19:7:10 -1 exclude-file=./amhdisk
--------

sending ack:
----
Amanda 2.4 ACK HANDLE 005-10680608 SEQ 1053716405
----

bsd security: remote host <nat-ext.if> user amanda local user amanda
amandahosts security check passed
amandad: running service "/usr/lib/amanda/sendsize"
amandad: sending REP packet:
----
Amanda 2.4 REP HANDLE 005-10680608 SEQ 1053716405
OPTIONS maxdumps=5;
/ 0 SIZE 5145230
/ 1 SIZE 2825450
----

amandad: got packet:
----
Amanda 2.4 ACK HANDLE 005-10680608 SEQ 1053716405
----

amandad: pid 17674 finish time Fri May 23 21:01:38 2003


------ sendbackup log:


sendbackup: debug 1 pid 17707 ruid 33 euid 33 start time Fri May 23 21:07:05 2003

/usr/lib/amanda/sendbackup: version 2.4.2p2
sendbackup: got input request: GNUTAR / 1 2003:5:21:19:7:10 OPTIONS |;bsd-auth;compress-fast;index;exclude-file=./amhdisk;
 parsed request as: program `GNUTAR'
                    disk `/'
                    lev 1
                    since 2003:5:21:19:7:10
                    opt `|;bsd-auth;compress-fast;index;exclude-file=./amhdisk;'
sendbackup: try_socksize: send buffer size is 65536
sendbackup: stream_server: waiting for connection: 0.0.0.0.41834
sendbackup: stream_server: waiting for connection: 0.0.0.0.41835
sendbackup: stream_server: waiting for connection: 0.0.0.0.41836
 waiting for connect on 41834, then 41835, then 41836
sendbackup: stream_accept: connection from 192.168.1.1.33517 <--------------------- instead of <nat-ext.if>
sendbackup: stream_accept: connection from 192.168.1.1.33521 <--------------------- instead of <nat-ext.if>
sendbackup: stream_accept: connection from 192.168.1.1.33524 <--------------------- instead of <nat-ext.if>
got all connections
sendbackup: spawning /bin/gzip in pipeline
sendbackup: argument list: /bin/gzip --fast
sendbackup-gnutar: pid 17708: /bin/gzip --fast
sendbackup-gnutar: doing level 1 dump as listed-incremental from /var/lib/amanda/gnutar-lists/<amanda client>__0 to /var/lib/amanda/gnutar-lists/<amanda client>__1.new
sendbackup-gnutar: doing level 1 dump from date: 2003-05-21 19:07:11 GMT
sendbackup: spawning /usr/lib/amanda/runtar in pipeline
sendbackup: argument list: gtar --create --file - --directory / --one-file-system --listed-incremental /var/lib/amanda/gnutar-lists/<amanda client>__1.new --sparse --ignore-failed-read --totals --exclude ./amhdisk .
sendbackup: started index creator: "/bin/tar -tf - 2>/dev/null | sed -e 's/^\.//'"
sendbackup-gnutar: /usr/lib/amanda/runtar: pid 17710
sendbackup: index created successfully
sendbackup: pid 17707 finish time Fri May 23 21:28:18 2003
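The UDP control packets in the amandad log and the three sendbackup ports (41834, 41835, 41836) are the only things the Amanda conntrack/NAT helper has to work from: it reads the REP that travels back over the UDP 10080 "master connection" and must register an expectation for each TCP data port listed there. The parser below is an added example, not code from this post, from Amanda or from netfilter; the sample packets are constructed from the log above, and the REP's CONNECT line with its DATA/MESG/INDEX layout is an assumption, since the sendbackup REP itself is not quoted in the post.

```python
import re
from dataclasses import dataclass, field

# Constructed samples modelled on the REQ in the amandad log and the sendbackup ports
# 41834-41836 above; the CONNECT line layout is an assumption, the page does not quote it.
REQ_PACKET = """Amanda 2.4 REQ HANDLE 005-10680608 SEQ 1053716405
SECURITY USER amanda
SERVICE sendsize
OPTIONS maxdumps=5;hostname=<amanda client>;
GNUTAR / 0 1970:1:1:0:0:0 -1 exclude-file=./amhdisk
GNUTAR / 1 2003:5:21:19:7:10 -1 exclude-file=./amhdisk
"""
REP_PACKET = """Amanda 2.4 REP HANDLE 005-10680608 SEQ 1053716405
CONNECT DATA 41834 MESG 41835 INDEX 41836
OPTIONS compress-fast;index;
"""

HEADER_RE = re.compile(r"^Amanda (\S+) (REQ|REP|ACK|NAK) HANDLE (\S+) SEQ (\d+)$")

@dataclass
class Packet:
    version: str
    kind: str
    handle: str
    seq: int
    options: dict = field(default_factory=dict)        # OPTIONS key -> value ("" if bare)
    connect_ports: dict = field(default_factory=dict)  # stream name -> TCP port
    body: list = field(default_factory=list)           # other lines, kept verbatim

def parse_packet(text):
    lines = text.strip().splitlines()
    m = HEADER_RE.match(lines[0])
    if not m:
        raise ValueError("not an Amanda 2.4 packet header: %r" % lines[0])
    pkt = Packet(m.group(1), m.group(2), m.group(3), int(m.group(4)))
    for line in lines[1:]:
        if line.startswith("OPTIONS "):
            for kv in filter(None, line[8:].split(";")):
                k, _, v = kv.partition("=")
                pkt.options[k] = v
        elif line.startswith("CONNECT "):
            toks = line.split()[1:]        # DATA 41834 MESG 41835 INDEX 41836
            pkt.connect_ports = {toks[i]: int(toks[i + 1]) for i in range(0, len(toks), 2)}
        else:
            pkt.body.append(line)
    return pkt

def expected_streams(pkt):
    # TCP ports the server connects back to on the REP sender: the connections a NAT helper must expect.
    return sorted(pkt.connect_ports.values()) if pkt.kind == "REP" else []
```

For the case in the post, each port returned by expected_streams() is a connection that should leave the NAT box with the nat-ext. if. address as source; the sendbackup log shows them arriving from 192.168.1.1 instead.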
