Page last modified 17:48, 3 May 2006 by Ppragin?
Zmanda Documentation > Configuring firewall using iptables between Amanda server and client

Configuring firewall using iptables between Amanda server and client

This section makes the following assumptions

  • Each host has a basic policy of "deny all incoming" and "accept all outgoing"
  • Each host has a basic policy of "accept all from localhost"
  • Amanda Enterprise Edition has been installed on the Amanda server and client.

There are two methods to use iptables for Amanda backup process.

1. IP tables connection using tracking module for Amanda

This approach uses the iptable connection tracking module for Amanda, ip_conntrack_amanda. The connection tracking module finds the connection ports by searching for the "CONNECT" command in the packet and mark them as RELATED to the original outgoing connection. (You may also add ip_nat_amanda to use the connection tracking module in a NAT environment).


  • To load ip_conntrack_amanda, Change the following line in
Fedora/Redhat distributions: /etc/sysconfig/iptables-config file should have IPTABLES_MODULES="ip_conntrack_amanda" 
  • Add a iptables ruleset to allow ESTABLISHED and RELATED packets.

Example: iptables command to add the ruleset

# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
  • Restart iptables

Example: Restart iptables command

Redhat/Fedora distributions: # service iptables restart

Example: System log messages when Amanda client sends following command to Amanda server:

 CONNECT DATA 11001 MESG 11003 INDEX 11004

Amanda client log

 amandad: time 1.381: stream_accept: connection from 192.168.10.237.11053
 amandad: time 1.383: stream_accept: connection from 192.168.10.237.11054
 amandad: time 1.390: stream_accept: connection from 192.168.10.237.11055

Amanda server log

dumper: stream_client: connected to 192.168.10.211.11001
dumper: stream_client: our side is 0.0.0.0.11053
dumper: stream_client: connected to 192.168.10.211.11003
dumper: stream_client: our side is 0.0.0.0.11054
dumper: stream_client: connected to 192.168.10.211.11004
dumper: stream_client: our side is 0.0.0.0.11055


2. iptables rulesets without tracking module for Amanda
  • Set input filtering on the backup server for the ports being used.

Example: Allow incoming connections through TCP using port 11000 to 11040

# iptables -A INPUT -p tcp --dport 11000:11040 -j ACCEPT
  • Set input filtering on Amanda client for the ports being used.
# iptables -A INPUT -p udp --dport 10080 -j ACCEPT
# iptables -A INPUT -p tcp --dport 11000:11040 -j ACCEPT
3. Backup recovery process using amrecover

IP tables connection tracking module does not work for recovery process. Configure IP tables rule sets.

  • Amanda server:
iptables -A INPUT -p tcp --dport 10082:10083 -j ACCEPT
iptables -A INPUT -p tcp --dport 11000:11040 -j ACCEPT
  • Amanda client: amrecover process is initiated from the Amanda client, no INPUT iptables ruleset is required.