NetBackup and linux iptables firewall - Veritas Net Backup
NetBackup and linux iptables firewall
Can anyone give me an example of an iptables rule set that successfully allows
NetBackup through? This is what my current config looks like:
# Firewall configuration
# Use this script for testing purposes
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# allow local loopback connections
-A INPUT -i lo -j ACCEPT
# drop all INVALID connections
-A INPUT -m state --state INVALID -j DROP
-A FORWARD -m state --state INVALID -j DROP
-A OUTPUT -m state --state INVALID -j DROP
# allow all ESTABLISHED and RELATED
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# allow connections to DNS servers
-A OUTPUT -d xxx.xxx.xxx.xxx -m state --state NEW -p udp --dport 53 -o eth0 -j ACCEPT
-A OUTPUT -d xxx.xxx.xxx.xxx -m state --state NEW -p udp --dport 53 -o eth0 -j ACCEPT
# allow connections to external NTP server
-A OUTPUT -d xxx.xxx.xxx.xxx -p udp -m udp --sport 123 -j ACCEPT
# allow connections via SSH
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# allow connections to Big Brother
-A OUTPUT -d xxx.xxx.xxx.xxx -p tcp -m tcp --dport 1984 -j ACCEPT
-A OUTPUT -d xxx.xxx.xxx.xxx -p tcp -m tcp --dport 1984 -j ACCEPT
-A OUTPUT -d xxx.xxx.xxx.xxx -p tcp -m tcp --dport 1984 -j ACCEPT
# allow connections to the NetBackup servers
-A INPUT -p tcp -m tcp -s xxx.xxx.xxx.xxx --dport 13720 -j ACCEPT
-A INPUT -p tcp -m tcp -s xxx.xxx.xxx.xxx --dport 13721 -j ACCEPT
-A INPUT -p tcp -m tcp -s xxx.xxx.xxx.xxx --dport 13722 -j ACCEPT
-A INPUT -p tcp -m tcp -s xxx.xxx.xxx.xxx --dport 13724 -j ACCEPT
-A INPUT -p tcp -m tcp -s xxx.xxx.xxx.xxx --dport 13782 -j ACCEPT
-A OUTPUT -p tcp -m tcp -d xxx.xxx.xxx.xxx --dport 13720 -j ACCEPT
-A OUTPUT -p tcp -m tcp -d xxx.xxx.xxx.xxx --dport 13721 -j ACCEPT
-A OUTPUT -p tcp -m tcp -d xxx.xxx.xxx.xxx --dport 13722 -j ACCEPT
-A OUTPUT -p tcp -m tcp -d xxx.xxx.xxx.xxx --dport 13724 -j ACCEPT
-A OUTPUT -p tcp -m tcp -d xxx.xxx.xxx.xxx --dport 13782 -j ACCEPT
# REJECT all ping requests except from specified hosts
-A INPUT -p icmp -s xxx.xxx.xxx.xxx --icmp-type echo-request -j ACCEPT
-A INPUT -p icmp -s xxx.xxx.xxx.xxx --icmp-type echo-request -j ACCEPT
-A INPUT -p icmp -s xxx.xxx.xxx.xxx --icmp-type echo-request -j ACCEPT
-A INPUT -p icmp -s xxx.xxx.xxx.xxx --icmp-type echo-request -j ACCEPT
-A INPUT -p icmp -s xxx.xxx.xxx.xxx --icmp-type echo-request -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
# log all other attempted outgoing connections
-A OUTPUT -o eth0 -j LOG
# default behavior is to drop outgoing connections
COMMIT
We have specified no connectback in the client attributes and also specified
reserved ports on the client and to use vnetd. What am I missing?
-
Re: NetBackup and linux iptables firewall
I resolved it
-
Re: NetBackup and linux iptables firewall
Mike,
So how did you resolve it? I am running into a similar issue here.
Thanks
Christopher