LinuxQuestions.org
Old 04-15-2014, 04:33 PM   #1
edashcraft
iptables and symantec remote agent


I'm running the Symantec remote agent for Linux on a RHEL 4 box. The media server is a Windows server running Symantec Backup Exec 2010. My backup jobs had been running flawlessly for years. About a month ago they started failing with an error message "could not connect to remote host". Symantec uses port 10000 to communicate with the RALUS agent on RHEL 4. That stopped working and we cannot determine why. If I stop iptables, the connection returns and I can run my backup jobs again. I have tried adding the allow line in iptables, which did not work. Not sure if it was the syntax I used or where in iptables I placed the line. I'm still at a loss as to why the connection stopped working. I made no changes to the server in any way.

Here is my current iptables:
# Generated by iptables-save v1.2.11 on Sun Apr 13 08:41:42 2014
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [526:72198]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-crypt -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-auth -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 23 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Sun Apr 13 08:41:42 2014

I have an open ticket with both Red Hat and Symantec. Unfortunately, we have gone nowhere fast.

If anyone can shed some light on this I would greatly appreciate it.

Thank you
Ed
 
Old 04-15-2014, 05:31 PM   #2
unSpawn
First question: so what happened about a month ago? Should be something: updates, re-configuration, anything. Check for mtimes / log contents. If nothing make it log more verbosely. That said the single best way to troubleshoot iptables rule sets is to use "-j LOG" rules to actually log what traffic gets dropped / rejected. In your case it's kind of odd since you have a default filter table INPUT chain policy of "accept", but anyway:
Code:
# Generated by iptables-save v1.2.11 on Sun Apr 13 08:41:42 2014
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [526:72198]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-crypt -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-auth -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 23 -j ACCEPT
-A RH-Firewall-1-INPUT -j LOG --log-prefix "REJECTED "
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Sun Apr 13 08:41:42 2014
then check your /var/log/messages.
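
An added example, not part of unSpawn's post: once the LOG rule above is loaded, summarizing the "REJECTED " lines shows which source, protocol and destination port are reaching the final REJECT rule. The log lines, host name and addresses below are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: summarize packets logged by '-j LOG --log-prefix "REJECTED "'.
# The sample lines are constructed; on the real host read /var/log/messages.
sample_log() {
cat <<'EOF'
Apr 16 09:01:12 rhel4 kernel: REJECTED IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=192.0.2.10 DST=192.0.2.20 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=4101 DF PROTO=TCP SPT=49152 DPT=10000 WINDOW=8192 RES=0x00 SYN URGP=0
Apr 16 09:01:15 rhel4 kernel: REJECTED IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=192.0.2.10 DST=192.0.2.20 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=4102 DF PROTO=TCP SPT=49152 DPT=10000 WINDOW=8192 RES=0x00 SYN URGP=0
Apr 16 09:01:20 rhel4 kernel: REJECTED IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:16:3e:00:00:03:08:00 SRC=192.0.2.33 DST=192.0.2.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=977 PROTO=UDP SPT=137 DPT=137 LEN=58
Apr 16 09:01:21 rhel4 kernel: REJECTED IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=192.0.2.10 DST=192.0.2.20 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=4103 DF PROTO=TCP SPT=49152 DPT=10000 WINDOW=8192 RES=0x00 SYN URGP=0
Apr 16 09:02:00 rhel4 crond[2211]: (root) CMD (run-parts /etc/cron.hourly)
EOF
}

# Print "count src proto dport" per logged flow, most frequent first.
summarize_rejects() {
    awk '
    /kernel: REJECTED / {
        src = proto = dpt = "-"          # "-" when a field is absent (e.g. no DPT)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)   src   = substr($i, 5)
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        n[src " " proto " " dpt]++
    }
    END { for (k in n) print n[k], k }
    ' | sort -k1,1nr -k2
}

# Count logged new-connection attempts (TCP SYN) to one destination port.
rejected_syn_count() {
    awk -v p="DPT=$1" '
    /kernel: REJECTED / && / PROTO=TCP / && / SYN / {
        for (i = 1; i <= NF; i++) if ($i == p) c++
    }
    END { print c + 0 }
    '
}

sample_log | summarize_rejects
```

On the server, feed it the real log instead of the sample: `summarize_rejects < /var/log/messages`.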
 
Old 04-16-2014, 08:18 AM   #3
edashcraft
thank you

Thank you. I agree, it is very, very strange. I am the admin on this box and I can say without hesitation or doubt that I made no changes. This is a production server that is in use 24/7. Any changes/modifications/updates are done in a very narrow time window. There has been no time window in the past year. That being said, this is not the first time, or the only RHEL 4 box I have, that has done this. The other RHEL 4 box started working as mysteriously as it stopped. Anyway, thank you for your reply. I will try the log output and let you know the results.
 
  

