Problem with a backup behind a firewall
Post Problem with a backup behind a firewall

Hi,
I'm trying to back up a server in an external zone.

Here's my setup:

The Director is on a machine located in the private network. Storage is (disk) on
another machine in the private network. The Client is a machine in the external
LAN. In between, there is another machine (let's call it FW for instance)
with an iptables script.

What's working:
I can connect to the client and run estimate OK. Here's what I added to the
firewall to do so:

# Director communicates with external network
iptables -A INPUT -s $INTIP -d $EXTIP -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 9102 -j ACCEPT

iptables -A FORWARD -s $EXTIP -d $INTIP -p tcp --dport 9102 -j ACCEPT
iptables -A FORWARD -d $EXTIP -s $INTIP -p tcp --sport 9102 -j ACCEPT

Where $INTIP is the Director IP and $EXTIP the client machine.

Now, that's what I tried for the storage daemon:
iptables -A INPUT -s $INTIPSTOR -d $EXTIP -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 9102 -j ACCEPT

iptables -A FORWARD -s $EXTIP -d $INTIPSTOR -p tcp --sport 9101:9103 -j ACCEPT
iptables -A FORWARD -d $EXTIP -s $INTIPSTOR -p tcp --sport 9101:9103 -j ACCEPT

Where $INTIPSTOR is the Storage daemon IP.

Unfortunately, that doesn't work and I fail to see why. Bacula says Storage
is waiting for the client to connect to the storage daemon. Would you have any
idea?

PS: of course, I have tried with machines in the internal zone and that
works fine, so I guess there is something I don't get in the interactions
between the firewall and Bacula.

Thanks for your ideas :)

Post Problem with a backup behind a firewall 
Jean-François Leroux wrote:
...

VPN?

--
bEsT rEgArDs | "Confidence is what you have before you
tomasz dereszynski | understand the problem." -- Woody Allen
TD840-RIPE |

Post Problem with a backup behind a firewall 

?

2007/6/17, tomasz <tomaszd < at > pa...>:

Jean-François Leroux wrote:
...


VPN?


--
bEsT rEgArDs | "Confidence is what you have before you
tomasz dereszynski | understand the problem." -- Woody Allen
TD840-RIPE |


Post Problem with a backup behind a firewall 
Hi,

On 6/16/2007 6:14 PM, Jean-François Leroux wrote:
Hi,
I'm trying to backup a server in an external zone.

Here's my setup :

Director is in machine located in the private network. Storage is (disk)
on another machine in the private network. Client is a machine in the
external lan. In between, there is another machine (let's call it FW for
instance) with an iptables script.
...
Now, that's what I tried for the storage daemon :
iptables -A INPUT -s $INTIPSTOR -d $EXTIP -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 9102 -j ACCEPT

iptables -A FORWARD -s $EXTIP -d $INTIPSTOR -p tcp --sport 9101:9103 -j ACCEPT
iptables -A FORWARD -d $EXTIP -s $INTIPSTOR -p tcp --sport 9101:9103 -j ACCEPT

Where INTIPSTOR is the Storage daemon IP.

Unfortunately, that doesn't work and I fail to see why. Bacula says
Storage is waiting for client to connect to the storage daemon. Would
you have any idea ?

I haven't verified this, but it might help to allow connections from the
FD on extip to INTIP port 9103. If I understand your setup correctly,
you allow connections from EXTIP:9101-9103, but I guess the FD will not
necessarily use that source port range.

PS : of course, I have tried with machines in the internal zone and that
works fine, so I guess there's is something I don't get in the
interactions between fireawall and bacula.

Well, just observe from what port the FD initiates its connection to the
SD...

Thanks for your ideas :)

Hope it helps,

Arno

_______________________________________________
Bacula-users mailing list
Bacula-users < at > li...
https://lists.sourceforge.net/lists/listinfo/bacula-users

--
IT-Service Lehmann al < at > it...
Arno Lehmann http://www.its-lehmann.de

Post Problem with a backup behind a firewall 
On Sat, 16 Jun 2007 18:14:09 +0200, Jean-François Leroux said:

...

I think you have the storage daemon rules backwards -- the file daemon
connects to storage daemon, so you need to map ext->int for dport 9103 (not
sport and not 9102).

Note that the Director tells the file daemon to connect to the storage daemon
using the Address field in the director's Storage resource. This needs to be
an external address (or map to one via DNS).

__Martin
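To make the direction point concrete, here is an added example that is not code from the thread or from Bacula: a small Python model of first-match FORWARD rules, with the poster's storage rules beside the corrected ones Martin describes. It assumes constructed addresses (10.0.0.20 for the SD, 192.0.2.50 for the client), an ephemeral client source port of 40123, and a FORWARD chain with default DROP and no ESTABLISHED rule, which is what the poster's explicit reply rules imply; the Rule class and its helpers are hypothetical names for the example.

```python
# Added example (not from the thread or from Bacula): a first-match model of
# iptables FORWARD rules, used to check which Bacula connections a rule set
# lets through. Bacula's flow, as Martin describes it: the Director connects
# to the File Daemon on 9102 and the File Daemon (FD) connects to the Storage
# Daemon (SD) on 9103. A connecting daemon uses an ephemeral source port, not
# a fixed one in 9101-9103. Addresses and ports below are constructed.
from dataclasses import dataclass
from typing import List, Optional, Tuple

INTIPSTOR = "10.0.0.20"   # Storage Daemon address (constructed)
EXTIP = "192.0.2.50"      # Client / File Daemon address (constructed)
EPHEMERAL_SPORT = 40123   # a typical client-side source port (constructed)

PortRange = Optional[Tuple[int, int]]  # inclusive range; None matches any port


def _in_range(port: int, rng: PortRange) -> bool:
    return rng is None or rng[0] <= port <= rng[1]


def _fmt(rng: Tuple[int, int]) -> str:
    return str(rng[0]) if rng[0] == rng[1] else f"{rng[0]}:{rng[1]}"


@dataclass(frozen=True)
class Rule:
    """One ACCEPT rule in the FORWARD chain (-s src -d dst -p tcp ...)."""
    src: str
    dst: str
    sport: PortRange = None
    dport: PortRange = None

    def matches(self, src: str, dst: str, sport: int, dport: int) -> bool:
        return (self.src == src and self.dst == dst
                and _in_range(sport, self.sport) and _in_range(dport, self.dport))

    def to_iptables(self) -> str:
        """Render as the equivalent iptables command (for reading, not executed)."""
        parts = ["iptables -A FORWARD -s", self.src, "-d", self.dst, "-p tcp"]
        if self.sport is not None:
            parts += ["--sport", _fmt(self.sport)]
        if self.dport is not None:
            parts += ["--dport", _fmt(self.dport)]
        return " ".join(parts) + " -j ACCEPT"


def packet_allowed(rules: List[Rule], src: str, dst: str, sport: int, dport: int) -> bool:
    """First matching ACCEPT wins; default policy DROP."""
    return any(r.matches(src, dst, sport, dport) for r in rules)


def connection_ok(rules: List[Rule], client: str, server: str, dport: int,
                  sport: int = EPHEMERAL_SPORT) -> bool:
    """A TCP handshake needs the SYN forwarded client->server and the SYN/ACK
    forwarded server->client. With no ESTABLISHED rule on the FORWARD chain,
    both directions must be allowed explicitly (as the poster's rules attempt)."""
    syn = packet_allowed(rules, client, server, sport, dport)
    syn_ack = packet_allowed(rules, server, client, dport, sport)
    return syn and syn_ack


# The poster's storage rules: match on *source* port 9101-9103 in both directions.
ORIGINAL_RULES = [
    Rule(EXTIP, INTIPSTOR, sport=(9101, 9103)),
    Rule(INTIPSTOR, EXTIP, sport=(9101, 9103)),
]

# Corrected, following Martin: FD -> SD with *destination* port 9103, and only
# the SD's replies (source port 9103) back out. Nothing else is opened.
CORRECTED_RULES = [
    Rule(EXTIP, INTIPSTOR, dport=(9103, 9103)),
    Rule(INTIPSTOR, EXTIP, sport=(9103, 9103)),
]


def fd_to_sd_ok(rules: List[Rule], sport: int = EPHEMERAL_SPORT) -> bool:
    """Can the File Daemon on EXTIP complete a connection to the SD on 9103?"""
    return connection_ok(rules, EXTIP, INTIPSTOR, 9103, sport)


def sd_can_open_new_to_fd(rules: List[Rule]) -> bool:
    """Can the SD open a *new* connection out to the FD's port 9102? It never
    needs to, so a least-privilege rule set should answer False."""
    return packet_allowed(rules, INTIPSTOR, EXTIP, EPHEMERAL_SPORT, 9102)


if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL_RULES), ("corrected", CORRECTED_RULES)):
        print(f"{name}: FD->SD:9103 with ephemeral source port ->", fd_to_sd_ok(rules))
        for r in rules:
            print("   ", r.to_iptables())
    # The original rules only pass if the FD happened to use a source port in
    # 9101-9103, which it does not.
    print("original, FD source port 9102 ->", fd_to_sd_ok(ORIGINAL_RULES, 9102))
```

Running the script shows the original rules drop the FD's SYN because its source port is ephemeral, while the corrected pair admits the handshake and nothing more. On a real firewall, the equivalent check is Arno's: watch the source port the FD actually uses (for example in the firewall log or with a socket listing on the client) rather than assuming it sits in the Bacula port range. Martin's second point still applies independently: the Address in the Director's Storage resource must resolve to something the client can reach through the firewall.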

Post Problem with a backup behind a firewall 

Found it: the SD machine had a wrong gateway. The TCP handshake could never
finish because the answer was sent to the wrong IP. Since the packet was
never received, I had nothing in the FW log... I just added a route for the
client with the correct gateway (the firewall) and everything's fine (I cannot
change the server gateway itself, but it's too long to tell).

Anyways, thanks to all for your answers and help. :)
