NetBackup and linux iptables firewall - Veritas Net Backup


Thread: NetBackup and linux iptables firewall

  1. NetBackup and linux iptables firewall


    Can anyone give me an example of an iptables rule set that successfully allows
    NetBackup through? This is what my current config looks like:

    # Firewall configuration
    # Use this script for testing purposes
    *filter
    :INPUT DROP [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT DROP [0:0]

    # allow local loopback connections
    -A INPUT -i lo -j ACCEPT

    # drop all INVALID connections
    -A INPUT -m state --state INVALID -j DROP
    -A FORWARD -m state --state INVALID -j DROP
    -A OUTPUT -m state --state INVALID -j DROP

    # allow all ESTABLISHED and RELATED
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # allow connections to DNS servers
    -A OUTPUT -d xxx.xxx.xxx.xxx -m state --state NEW -p udp --dport 53 -o eth0
    -j ACCEPT
    -A OUTPUT -d xxx.xxx.xxx.xxx -m state --state NEW -p udp --dport 53 -o eth0
    -j ACCEPT

    # allow connections to external NTP server
    -A OUTPUT -d xxx.xxx.xxx.xxx -p udp -m udp --sport 123 -j ACCEPT

    # allow connections via SSH
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

    # allow connections to Big Brother
    -A OUTPUT -d xxx.xxx.xxx.xxx -p tcp -m tcp --dport 1984 -j ACCEPT
    -A OUTPUT -d xxx.xxx.xxx.xxx -p tcp -m tcp --dport 1984 -j ACCEPT
    -A OUTPUT -d xxx.xxx.xxx.xxx -p tcp -m tcp --dport 1984 -j ACCEPT

    # allow connections to the NetBackup servers
    -A INPUT -p tcp -m tcp -s xxx.xxx.xxx.xxx --dport 13720 -j ACCEPT
    -A INPUT -p tcp -m tcp -s xxx.xxx.xxx.xxx --dport 13721 -j ACCEPT
    -A INPUT -p tcp -m tcp -s xxx.xxx.xxx.xxx --dport 13722 -j ACCEPT
    -A INPUT -p tcp -m tcp -s xxx.xxx.xxx.xxx --dport 13724 -j ACCEPT
    -A INPUT -p tcp -m tcp -s xxx.xxx.xxx.xxx --dport 13782 -j ACCEPT
    -A OUTPUT -p tcp -m tcp -d xxx.xxx.xxx.xxx --dport 13720 -j ACCEPT
    -A OUTPUT -p tcp -m tcp -d xxx.xxx.xxx.xxx --dport 13721 -j ACCEPT
    -A OUTPUT -p tcp -m tcp -d xxx.xxx.xxx.xxx --dport 13722 -j ACCEPT
    -A OUTPUT -p tcp -m tcp -d xxx.xxx.xxx.xxx --dport 13724 -j ACCEPT
    -A OUTPUT -p tcp -m tcp -d xxx.xxx.xxx.xxx --dport 13782 -j ACCEPT

    # REJECT all ping requests except from specified hosts
    -A INPUT -p icmp -s xxx.xxx.xxx.xxx --icmp-type echo-request -j ACCEPT
    -A INPUT -p icmp -s xxx.xxx.xxx.xxx --icmp-type echo-request -j ACCEPT
    -A INPUT -p icmp -s xxx.xxx.xxx.xxx --icmp-type echo-request -j ACCEPT
    -A INPUT -p icmp -s xxx.xxx.xxx.xxx --icmp-type echo-request -j ACCEPT
    -A INPUT -p icmp -s xxx.xxx.xxx.xxx --icmp-type echo-request -j ACCEPT
    -A INPUT -j REJECT --reject-with icmp-host-prohibited

    # log all other attempted outgoing connections
    -A OUTPUT -o eth0 -j LOG
    # default behavior is to drop outgoing connections

    COMMIT

    We have specified no connectback in the client attributes and also specified
    reserved ports on the client and to use vnetd. What am I missing?
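    The quickest way to see whether a ruleset like the one above lets a given NetBackup connection through is to trace one packet through it rule by rule, the way the kernel does. What follows is an added example, not code from the post or from Veritas: a small Python tracer for the iptables-restore format that understands only the matches used in the post (interfaces, protocol, addresses, ports, the state match, and the ACCEPT/DROP/REJECT/LOG targets). The server address 10.0.0.5 is a placeholder standing in for the masked xxx.xxx.xxx.xxx, and the embedded ruleset is a reduced copy of the posted one. Besides the NetBackup ports it also traces a connection to 127.0.0.1: the posted rules accept lo on INPUT only, so with an OUTPUT policy of DROP a local process connecting to localhost is dropped, and because the LOG rule is limited to eth0 it is not even logged; a second copy of the ruleset with `-A OUTPUT -o lo -j ACCEPT` added shows the difference.

```python
"""
Trace a packet through an iptables-restore style ruleset the way the kernel
walks a chain: rules in order, first terminating target wins, LOG is
non-terminating, chain policy applies when nothing matches.  Only the
matches used in the thread are understood; anything else raises.
"""
import shlex
from dataclasses import dataclass

# Constructed placeholder (assumption) for the masked xxx.xxx.xxx.xxx server.
NB_SERVER = "10.0.0.5"

# Reduced copy of the posted ruleset: same policies, loopback, state and
# NetBackup rules, and the same trailing REJECT and LOG rules.
RULESET = f"""
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A OUTPUT -m state --state INVALID -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp -s {NB_SERVER} --dport 13724 -j ACCEPT
-A INPUT -p tcp -m tcp -s {NB_SERVER} --dport 13782 -j ACCEPT
-A OUTPUT -p tcp -m tcp -d {NB_SERVER} --dport 13720 -j ACCEPT
-A OUTPUT -p tcp -m tcp -d {NB_SERVER} --dport 13724 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -o eth0 -j LOG
COMMIT
"""

# Same ruleset plus the OUTPUT loopback rule the posted one does not have.
RULESET_WITH_LO = RULESET.replace(
    "-A INPUT -i lo -j ACCEPT",
    "-A INPUT -i lo -j ACCEPT\n-A OUTPUT -o lo -j ACCEPT")

@dataclass
class Packet:
    chain: str          # INPUT or OUTPUT
    iface: str          # -i for INPUT, -o for OUTPUT
    proto: str = "tcp"
    src: str = "0.0.0.0"
    dst: str = "0.0.0.0"
    sport: int = 0
    dport: int = 0
    state: str = "NEW"  # conntrack state the tracer is told to assume

_MATCH_OPTS = {"-i", "-o", "-p", "-s", "-d", "--sport", "--dport", "--state", "-j"}
_SKIP_OPTS = {"-m", "--reject-with", "--icmp-type"}   # accepted, not matched on

def parse_ruleset(text):
    """Return ({chain: policy}, {chain: [rule dicts]}) from iptables-save text."""
    policies, chains = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):                     # ":INPUT DROP [0:0]"
            name, policy = line[1:].split()[:2]
            policies[name], chains[name] = policy, []
        elif line.startswith("-A"):
            toks = shlex.split(line)
            rule, i = {"chain": toks[1]}, 2
            while i < len(toks):
                if toks[i] in _SKIP_OPTS:
                    i += 2
                elif toks[i] in _MATCH_OPTS:
                    rule[toks[i]] = toks[i + 1]
                    i += 2
                else:
                    raise ValueError(f"unsupported option {toks[i]!r} in: {line}")
            chains[rule["chain"]].append(rule)
    return policies, chains

def _matches(rule, pkt):
    wanted = {"-i": pkt.iface, "-o": pkt.iface, "-p": pkt.proto, "-s": pkt.src,
              "-d": pkt.dst, "--sport": str(pkt.sport), "--dport": str(pkt.dport)}
    if any(opt in rule and rule[opt] != val for opt, val in wanted.items()):
        return False
    return "--state" not in rule or pkt.state in rule["--state"].split(",")

def verdict(text, pkt):
    """Return (verdict, logged): the first terminating target or the chain
    policy, and whether a LOG rule fired on the way."""
    policies, chains = parse_ruleset(text)
    logged = False
    for rule in chains[pkt.chain]:
        if _matches(rule, pkt):
            if rule["-j"] == "LOG":
                logged = True       # non-terminating: keep walking the chain
                continue
            return rule["-j"], logged
    return policies[pkt.chain], logged

if __name__ == "__main__":
    lo_pkt = Packet("OUTPUT", "lo", src="127.0.0.1", dst="127.0.0.1", sport=40003, dport=13724)
    for label, rules, pkt in [
        ("client -> bprd 13720", RULESET, Packet("OUTPUT", "eth0", dst=NB_SERVER, sport=40000, dport=13720)),
        ("server -> vnetd 13724", RULESET, Packet("INPUT", "eth0", src=NB_SERVER, sport=40001, dport=13724)),
        ("stray host -> vnetd 13724", RULESET, Packet("INPUT", "eth0", src="192.0.2.9", sport=40002, dport=13724)),
        ("local -> 127.0.0.1:13724", RULESET, lo_pkt),
        ("same, with OUTPUT lo rule", RULESET_WITH_LO, lo_pkt),
    ]:
        print(f"{label:28} -> {verdict(rules, pkt)}")
```

    The tracer does no connection tracking of its own: you tell it the state, so the SYN of a new connection (NEW) and the reply traffic (ESTABLISHED) are separate packets to trace. Unsupported options raise rather than being skipped, so extending it to a larger ruleset means adding the option to one of the two sets, not wondering why a rule never matched.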


  2. Re: NetBackup and linux iptables firewall


    "Mike Evans" wrote:
    >
    >Can anyone give me an example of an iptables rule set that successfully allows
    >NetBackup through? This is what my current config looks like:
    >
    >[ruleset snipped; it is quoted in full in the original post above]
    >
    >We have specified no connectback in the client attributes and also specified
    >reserved ports on the client and to use vnetd. What am I missing?
    >


    I resolved it

  3. Re: NetBackup and linux iptables firewall


    Mike,

    So how did you resolve it? I am running into a similar issue here.

    Thanks
    Christopher

    "Mike Evans" wrote:
    >
    >"Mike Evans" wrote:
    >>
    >>Can anyone give me an example of an iptables rule set that successfully allows
    >>NetBackup through? This is what my current config looks like:
    >>
    >>[ruleset snipped; it is quoted in full in the original post above]
    >>
    >>We have specified no connectback in the client attributes and also specified
    >>reserved ports on the client and to use vnetd. What am I missing?
    >>
    >
    >I resolved it


