LinuxQuestions.org
View the Most Wanted LQ Wiki articles.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
 
Search this Thread
Old 09-22-2006, 01:24 PM   #1
landev
Member
 
Registered: Aug 2006
Posts: 43

Rep: Reputation: 15
Backups across firewall "doable" w/iptables?


All,

The scenario:

I have several machines behind a firewall that need to be accessed for backup by a HP Dataprotector (port 5555) cell manager and associated media agents (tape libraries.) Until now I have been able to back up machines just fine that live behind a Sonicwall using the built-in 1:1 NAT. The problem is I am getting into quantities of data that make backing up through the 100Mbit connection of the Sonicwall very time consuming. The upshot is that I would like to get the same Gbit backup speed across the firewall that I have existing on the outside. I would like to take a currently underutilized server having 2-Gbit NICs and use iptables to do the 1:1 NAT that the Sonicwall was doing previously, if possible.

The problem:

I've no clue on how to do this. I am in the dark as how to have the cell manager find its way to the multiple machines it needs to access for backup.

Any info would be appreciated!
 
Old 09-22-2006, 02:12 PM   #2
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Quote:
Originally Posted by landev
All,

The scenario:

I have several machines behind a firewall that need to be accessed for backup by a HP Dataprotector (port 5555) cell manager and associated media agents (tape libraries.) Until now I have been able to back up machines just fine that live behind a Sonicwall using the built-in 1:1 NAT. The problem is I am getting into quantities of data that make backing up through the 100Mbit connection of the Sonicwall very time consuming. The upshot is that I would like to get the same Gbit backup speed across the firewall that I have existing on the outside. I would like to take a currently underutilized server having 2-Gbit NICs and use iptables to do the 1:1 NAT that the Sonicwall was doing previously, if possible.

The problem:

I've no clue on how to do this. I am in the dark as how to have the cell manager find its way to the multiple machines it needs to access for backup.

Any info would be appreciated!
well, if you have to use port 5555 for each of them on the external side, then you're gonna need one external IP for each internal one... if, on the other hand, you can use different ports on the external side, then you'd only need one external IP to accomplish it...

for example (with one external IP for each internal one - and assuming eth0 is your WAN side and eth1 is your LAN side):
Code:
iptables -P FORWARD DROP

iptables -t nat -A PREROUTING -p TCP -i eth0 -d 10.1.1.1 \
--dport 5555 -j DNAT --to-destination 192.168.1.1

iptables -t nat -A PREROUTING -p TCP -i eth0 -d 10.1.1.2 \
--dport 5555 -j DNAT --to-destination 192.168.1.2

iptables -t nat -A PREROUTING -p TCP -i eth0 -d 10.1.1.3 \
--dport 5555 -j DNAT --to-destination 192.168.1.3

iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.1 \
-j SNAT --to-source 10.1.1.1

iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.2 \
-j SNAT --to-source 10.1.1.2

iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.3 \
-j SNAT --to-source 10.1.1.3

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -p TCP -i eth0 -o eth1 --dport 5555 \
-d 192.168.1.1 -m state --state NEW -j ACCEPT

iptables -A FORWARD -p TCP -i eth0 -o eth1 --dport 5555 \
-d 192.168.1.2 -m state --state NEW -j ACCEPT

iptables -A FORWARD -p TCP -i eth0 -o eth1 --dport 5555 \
-d 192.168.1.3 -m state --state NEW -j ACCEPT
and with only *one* external IP for all internal boxes (using a different port for each box):
Code:
iptables -P FORWARD DROP

iptables -t nat -A PREROUTING -p TCP -i eth0 --dport 1111 \
-j DNAT --to-destination 192.168.1.1:5555

iptables -t nat -A PREROUTING -p TCP -i eth0 --dport 2222 \
-j DNAT --to-destination 192.168.1.2:5555

iptables -t nat -A PREROUTING -p TCP -i eth0 --dport 3333 \
-j DNAT --to-destination 192.168.1.3:5555

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -p TCP -i eth0 -o eth1 --dport 5555 \
-d 192.168.1.1 -m state --state NEW -j ACCEPT

iptables -A FORWARD -p TCP -i eth0 -o eth1 --dport 5555 \
-d 192.168.1.2 -m state --state NEW -j ACCEPT

iptables -A FORWARD -p TCP -i eth0 -o eth1 --dport 5555 \
-d 192.168.1.3 -m state --state NEW -j ACCEPT
in the first example, you'd be able to connect to a specific box by connecting to port 5555 on it's exclusively mapped external IP address (alias)...

in the second example, you'd be able to connect to a specific box by connecting to the mapped port of your preference on the (one) external IP address...

Last edited by win32sux; 09-22-2006 at 02:31 PM.
 
Old 09-27-2006, 04:48 PM   #3
landev
Member
 
Registered: Aug 2006
Posts: 43

Original Poster
Rep: Reputation: 15
To be continued....

Gracias! This looks like what I'm after... only I won't be able to confirm for a bit. I'm currently up to the skivies in aligators so will follow up on this as soon as I get a chance and let you know how things turn out. Thanks for the input!
 
Old 10-05-2006, 02:02 PM   #4
landev
Member
 
Registered: Aug 2006
Posts: 43

Original Poster
Rep: Reputation: 15
Well, I've had some time to devote to this puzzle, but haven't had much luck. I used the cookbook approach, using your 1:1 NAT example with addresses on both sides of the firewall. Seems like the firewall isn't routing the requests to the shielded machine. I suppose I may be doing something wrong, but have retried multiple times with no success. I remain mystified at this point.
 
Old 10-06-2006, 01:12 AM   #5
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Quote:
Originally Posted by landev
Well, I've had some time to devote to this puzzle, but haven't had much luck. I used the cookbook approach, using your 1:1 NAT example with addresses on both sides of the firewall. Seems like the firewall isn't routing the requests to the shielded machine. I suppose I may be doing something wrong, but have retried multiple times with no success. I remain mystified at this point.
check if you have forwarding enabled in your kernel:
Code:
cat /proc/sys/net/ipv4/ip_forward
if you get a zero as output of that, then it's disabled... enable it with a:
Code:
echo "1" > /proc/sys/net/ipv4/ip_forward
to make the change "permanent", stick a line like this in your /etc/sysctl.conf file:
Code:
net/ipv4/ip_forward=1
 
Old 10-10-2006, 05:23 PM   #6
landev
Member
 
Registered: Aug 2006
Posts: 43

Original Poster
Rep: Reputation: 15
The fowarding is enabled and remains so after boot, so I guess that part is in place. Still don't seem to be able to route to the inside address though.
 
Old 10-10-2006, 06:22 PM   #7
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
make sure you're using the right interface names...

make sure you flushed all your rules before you applied these...

can't think of anything else right now... =/

BTW, which of the scripts are you using??
 
Old 10-13-2006, 10:03 AM   #8
landev
Member
 
Registered: Aug 2006
Posts: 43

Original Poster
Rep: Reputation: 15
The interface names are correct and I've done the flushing. I imagine the problem is something small that I'm overlooking... just can't think what it is. Part of the problem is that I haven't had a great deal of time to sit down and muscle through this (spread too damned thin at this job!) I will continue to play with this when I get more time and will let you know once things are working.

Not sure which scripts you are referring to...
 
Old 10-13-2006, 11:29 AM   #9
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Quote:
Originally Posted by landev
The interface names are correct and I've done the flushing. I imagine the problem is something small that I'm overlooking... just can't think what it is. Part of the problem is that I haven't had a great deal of time to sit down and muscle through this (spread too damned thin at this job!) I will continue to play with this when I get more time and will let you know once things are working.
cool... if you can, post the output of:
Code:
iptables -L -v -n
and:
Code:
iptables -t nat -L -v -n
Quote:
Not sure which scripts you are referring to...
i posted two, one for if you have several external IPs, and one for if you have only one external IP...
 
Old 10-17-2006, 05:17 PM   #10
landev
Member
 
Registered: Aug 2006
Posts: 43

Original Poster
Rep: Reputation: 15
I used the script for multiple IPs.

The output of iptables -t nat -L -v -n is:

Chain PREROUTING (policy ACCEPT 82 packets, 12217 bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- eth0 * 0.0.0.0/0 10.1.1.3 tcp dpt:5555 to:192.168.168.3
0 0 DNAT tcp -- eth0 * 0.0.0.0/0 10.1.1.7 tcp dpt:5555 to:192.168.168.7

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 SNAT all -- * eth0 192.168.168.3 0.0.0.0/0 to:10.1.1.3
0 0 SNAT all -- * eth0 192.168.168.7 0.0.0.0/0 to:10.1.1.7

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination


The output of iptables -t nat -L -v -n is:

Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 10.1.1.4 0.0.0.0/0 tcp flags:!0x16/0x02
0 0 ACCEPT udp -- * * 10.1.1.4 0.0.0.0/0
0 0 ACCEPT tcp -- * * 10.1.1.240 0.0.0.0/0 tcp flags:!0x16/0x02
0 0 ACCEPT udp -- * * 10.1.1.240 0.0.0.0/0
0 0 ACCEPT tcp -- * * 10.1.1.36 0.0.0.0/0 tcp flags:!0x16/0x02
0 0 ACCEPT udp -- * * 10.1.1.36 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/sec burst 5
3 540 DROP all -- eth0 * 0.0.0.0/0 255.255.255.255
53 8913 DROP all -- * * 0.0.0.0/0 10.1.1.255
0 0 DROP all -- * * 224.0.0.0/8 0.0.0.0/0
2 56 DROP all -- * * 0.0.0.0/0 224.0.0.0/8
0 0 DROP all -- * * 255.255.255.255 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 LSI all -f * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/min burst 5
0 0 INBOUND all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 INBOUND all -- eth1 * 0.0.0.0/0 192.168.168.3
0 0 INBOUND all -- eth1 * 0.0.0.0/0 10.1.1.3
0 0 INBOUND all -- eth1 * 0.0.0.0/0 192.168.168.255
0 0 LOG_FILTER all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Unknown Input'

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/sec burst 5
0 0 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
0 0 OUTBOUND all -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.168.0/24 state RELATED,ESTABLISHED
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.168.0/24 state RELATED,ESTABLISHED
0 0 LOG_FILTER all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Unknown Forward'
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- eth0 eth1 0.0.0.0/0 192.168.168.3 tcp dpt:5555 state NEW
0 0 ACCEPT tcp -- eth0 eth1 0.0.0.0/0 192.168.168.7 tcp dpt:5555 state NEW

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 10.1.1.3 10.1.1.4 tcp dpt:53
0 0 ACCEPT udp -- * * 10.1.1.3 10.1.1.4 udp dpt:53
0 0 ACCEPT tcp -- * * 10.1.1.3 10.1.1.240 tcp dpt:53
0 0 ACCEPT udp -- * * 10.1.1.3 10.1.1.240 udp dpt:53
0 0 ACCEPT tcp -- * * 10.1.1.3 10.1.1.36 tcp dpt:53
0 0 ACCEPT udp -- * * 10.1.1.3 10.1.1.36 udp dpt:53
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 224.0.0.0/8 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 224.0.0.0/8
0 0 DROP all -- * * 255.255.255.255 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 OUTBOUND all -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 OUTBOUND all -- * eth1 0.0.0.0/0 0.0.0.0/0
0 0 LOG_FILTER all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Unknown Output'

Chain INBOUND (4 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- * * 10.1.1.0 0.0.0.0/0
0 0 ACCEPT all -- * * 10.1.2.0 0.0.0.0/0
0 0 ACCEPT all -- * * 10.1.3.0 0.0.0.0/0
0 0 ACCEPT all -- * * 10.1.4.0 0.0.0.0/0
0 0 ACCEPT all -- * * 192.168.168.0 0.0.0.0/0
0 0 ACCEPT all -- * * 10.1.1.28 0.0.0.0/0
0 0 ACCEPT tcp -- * * 10.1.1.0 0.0.0.0/0 tcp dpts:137:139
0 0 ACCEPT udp -- * * 10.1.1.0 0.0.0.0/0 udp dpts:137:139
0 0 ACCEPT tcp -- * * 10.1.1.0 0.0.0.0/0 tcp dpt:445
0 0 ACCEPT udp -- * * 10.1.1.0 0.0.0.0/0 udp dpt:445
0 0 LSI all -- * * 0.0.0.0/0 0.0.0.0/0

Chain LOG_FILTER (5 references)
pkts bytes target prot opt in out source destination

Chain LSI (2 references)
pkts bytes target prot opt in out source destination
0 0 LOG_FILTER all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04
0 0 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 5/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain LSO (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG_FILTER all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 5/sec burst 5 LOG flags 0 level 6 prefix `Outbound '
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable

Chain OUTBOUND (3 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
 
  


Reply

Tags
data


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Telling people to use "Google," to "RTFM," or "Use the search feature" Ausar General 77 03-21-2010 11:26 AM
Killing Modified File Auto Backups ("~") - Mandriva 2006 dalter Mandriva 2 06-29-2006 02:04 PM
internet works only when firewall is set to "no firewall" mymoon Linux - Security 1 05-07-2006 01:29 PM
How "low-level" is the dd-command? (Backups) JZL240I-U Linux - Software 11 05-28-2004 10:30 AM
Quesiton about "FIREWALL setting" in "SETUP"--please help out yuzuohong Linux - Networking 1 05-14-2002 11:42 PM


All times are GMT -5. The time now is 04:12 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration