This section makes the following assumptions
There are two methods of using iptables with the Amanda backup process.
This approach uses the iptables connection tracking module for Amanda, ip_conntrack_amanda. The connection tracking module finds the connection ports by searching for the "CONNECT" command in the packet and marks them as RELATED to the original outgoing connection. (You may also add ip_nat_amanda to use the connection tracking module in a NAT environment.)
Fedora/Red Hat distributions: the /etc/sysconfig/iptables-config file should contain IPTABLES_MODULES="ip_conntrack_amanda"
Example: iptables command to add the ruleset
# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
Example: Restart iptables command
Red Hat/Fedora distributions: # service iptables restart
Example: System log messages when the Amanda client sends the following command to the Amanda server:
CONNECT DATA 11001 MESG 11003 INDEX 11004
Amanda client log:
amandad: time 1.381: stream_accept: connection from 192.168.10.237.11053
amandad: time 1.383: stream_accept: connection from 192.168.10.237.11054
amandad: time 1.390: stream_accept: connection from 192.168.10.237.11055
Amanda server log:
dumper: stream_client: connected to 192.168.10.211.11001
dumper: stream_client: our side is 0.0.0.0.11053
dumper: stream_client: connected to 192.168.10.211.11003
dumper: stream_client: our side is 0.0.0.0.11054
dumper: stream_client: connected to 192.168.10.211.11004
dumper: stream_client: our side is 0.0.0.0.11055
Example: Allow incoming connections through TCP using port 11000 to 11040
# iptables -A INPUT -p tcp --dport 11000:11040 -j ACCEPT
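The following is an added example, not part of the original documentation or of Amanda itself. It mimics what ip_conntrack_amanda does with the CONNECT command shown above (extracting the advertised stream ports), then cross-checks those ports against the dumper log lines and against a static --dport range such as 11000:11040, reporting any port the static rule would not ACCEPT. The CONNECT line and log text are copied from the page; the function names and range format are assumptions of this example.

```python
import re

# Sample input taken from the page: the client's CONNECT command and the server log.
CONNECT_LINE = "CONNECT DATA 11001 MESG 11003 INDEX 11004"
SERVER_LOG = """\
dumper: stream_client: connected to 192.168.10.211.11001
dumper: stream_client: our side is 0.0.0.0.11053
dumper: stream_client: connected to 192.168.10.211.11003
dumper: stream_client: our side is 0.0.0.0.11054
dumper: stream_client: connected to 192.168.10.211.11004
dumper: stream_client: our side is 0.0.0.0.11055
"""


def parse_connect(line):
    """Return {stream_name: port} from a CONNECT command, the same fields
    ip_conntrack_amanda looks for when it marks those ports RELATED."""
    m = re.match(r"CONNECT\s+(.*)", line.strip())
    if not m:
        raise ValueError("not a CONNECT command")
    fields = m.group(1).split()
    if len(fields) % 2:
        raise ValueError("CONNECT fields must come in name/port pairs")
    return {name: int(port) for name, port in zip(fields[::2], fields[1::2])}


def connected_ports(log_text):
    """Destination ports the dumper actually connected to (stream_client lines)."""
    pattern = r"connected to \d+\.\d+\.\d+\.\d+\.(\d+)"
    return [int(m.group(1)) for m in re.finditer(pattern, log_text)]


def uncovered_ports(ports, ranges):
    """Ports that no static '--dport lo:hi' ACCEPT rule in `ranges` would match."""
    return [p for p in ports if not any(lo <= p <= hi for lo, hi in ranges)]


def check(connect_line, log_text, ranges):
    """Compare announced ports with the log and with the static rule ranges."""
    announced = parse_connect(connect_line)
    seen = connected_ports(log_text)
    return {
        "announced": announced,
        "matches_log": sorted(announced.values()) == sorted(seen),
        "uncovered": uncovered_ports(seen, ranges),
    }


if __name__ == "__main__":
    print(check(CONNECT_LINE, SERVER_LOG, [(11000, 11040)]))  # all ports covered
    print(check(CONNECT_LINE, SERVER_LOG, [(11000, 11002)]))  # 11003, 11004 uncovered
```

Run against a real amandad/dumper log and your own tcpportrange to confirm that the static rule set actually covers the ports Amanda picks before dropping the conntrack helper.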
# iptables -A INPUT -p udp --dport 10080 -j ACCEPT
# iptables -A INPUT -p tcp --dport 11000:11040 -j ACCEPT
The iptables connection tracking module does not work for the recovery process. Configure the iptables rule set explicitly instead:
# iptables -A INPUT -p tcp --dport 10082:10083 -j ACCEPT
# iptables -A INPUT -p tcp --dport 11000:11040 -j ACCEPT