Networker 7.6.3 client redhat firewall config
I'm having some problems setting up the legato networker client on RHEL 6.3, with the firewall off it works fine, but I can't get the rules to work to allow it to backup.
Can someone link me to a config that will allow the networker traffic both ways? I've endlessly searched but been unable to find an example firewall config.
Thanks
Rowan
The client I am running is lgtoclnt-7.6.3-1.x86_64.rpm; my current firewall config is as follows:
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
:RH-Firewall-1-OUTPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A OUTPUT -j RH-Firewall-1-OUTPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#Adding allow connections from the backup server
-A RH-Firewall-1-INPUT -s 10.0.0.111 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 514 -j ACCEPT
-A RH-Firewall-1-OUTPUT -o lo -j ACCEPT
-A RH-Firewall-1-OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
#End of allow connections from the backup server
rowanr
November 2nd, 2012 01:00
Hi,
I've now got the firewall rules working on the backup client:
Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source        destination
ACCEPT     all  --  anywhere      anywhere
ACCEPT     icmp --  anywhere      anywhere      icmp any
ACCEPT     all  --  backupserver  anywhere
ACCEPT     tcp  --  anywhere      anywhere      tcp dpt:shell
ACCEPT     all  --  anywhere      anywhere      state RELATED,ESTABLISHED
REJECT     all  --  anywhere      anywhere      reject-with icmp-host-prohibited

Chain RH-Firewall-1-OUTPUT (1 references)
target     prot opt source        destination
ACCEPT     all  --  backupserver  anywhere
ACCEPT     all  --  anywhere      anywhere
ACCEPT     all  --  anywhere      anywhere      state RELATED,ESTABLISHED
The part of the firewall chain that I had got wrong was that the RELATED,ESTABLISHED rule needs to be at the end of each chain.
Cheers for your help,
Rowan
Bebo2k
October 22nd, 2012 03:00
Hi rowanr,
Normally during the installation, the firewall exclusions are created for NetWorker without any manual modifications needed, but anyway, are you able to telnet from the backup server to that client on ports 7937 and 7938?
Use the command rpcinfo -p machinename in both directions, from the backup server to the client and vice versa, to check the communication between the hosts.
Hope this helps,
Ahmed Bahaa
rowanr
October 22nd, 2012 03:00
Hi Ahmed,
Thanks for your reply. I've had to drop the firewall for the moment to allow the backups to continue (so no point really running those tests). When I installed the rpm I didn't see any firewall rules being created (can you paste the default rules in the thread for me?). I had to allow everything from the backup server so that it could connect, but I think I have a problem with my output rule, as it didn't back up.
I was hoping someone could paste or link me to the correct working rules so that I can reuse them for my config.
Cheers,
Rowan
Bebo2k
October 23rd, 2012 05:00
Hi Rowan,
How is the rpcinfo command going after enabling the firewall on the client? Are you able to telnet to the ports I mentioned in both directions (backup server to client and vice versa)?
Thanks,
Ahmed Bahaa
rowanr
October 25th, 2012 04:00
Hi Ahmed,
I have amended the rules and run the rpcinfo command:
[root@backupclient ~]# rpcinfo -p backupserver
   program vers proto   port
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  32776  status
    100024    1   tcp  32771  status
    100133    1   udp  32776
    100133    1   tcp  32771
    100021    1   udp   4045  nlockmgr
    100021    2   udp   4045  nlockmgr
    100021    3   udp   4045  nlockmgr
    100021    4   udp   4045  nlockmgr
1073741824    1   tcp  32772
    100021    1   tcp   4045  nlockmgr
    100021    2   tcp   4045  nlockmgr
    100021    3   tcp   4045  nlockmgr
    100021    4   tcp   4045  nlockmgr
    300598    1   udp  32789
    300598    1   tcp  32773
 805306368    1   udp  32789
 805306368    1   tcp  32773
    100249    1   udp  32824
    100249    1   tcp  32774
    390436    1   tcp   9816
    390435    1   tcp   9324
    390113    1   tcp   7937  nsrexecd
    390103    2   tcp   8968  nsrd
    390109    2   tcp   8968  nsrstat
    390110    1   tcp   8968  nsrjbd
    390120    1   tcp   8968
    390109    2   udp   8492  nsrstat
    390107    5   tcp   8917  nsrmmdbd
    390107    6   tcp   8917  nsrmmdbd
    390105    5   tcp   9362  nsrindexd
    390105    6   tcp   9362  nsrindexd
    390430    1   tcp   9197  nsrmmgd
    390104 1205   tcp   9154  nsrmmd
    390104 2205   tcp   9532  nsrmmd
    390402    1   tcp   9001
    390104 3305   tcp   8575  nsrmmd
    390104 3405   tcp   8558  nsrmmd
    390104 3505   tcp   9309  nsrmmd
    390104 3605   tcp   9291  nsrmmd
    390104 3705   tcp   9274  nsrmmd
    390104 3805   tcp   9257  nsrmmd
    390104 3905   tcp   9239  nsrmmd
    390104 4005   tcp   9222  nsrmmd
    390104 11005  tcp   9254  nsrmmd
    390433    1   tcp   9593  nsrjobd
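The rpcinfo listing above is what a client-side firewall rule set has to account for: the server's NetWorker daemons register on changing ports, so a hand-typed allow list goes stale. As an added example (my code, not from the thread or from NetWorker), the following parses rpcinfo -p output, including the line where a five-digit version number runs into the program number, keeps only the NetWorker programs and renders matching outbound iptables rules as text. The 390100-390999 program range is an assumption taken from the numbers in the listing, and 10.0.0.111 is the backup server address from the first post.

```python
import re

# Constructed sample modelled on the rpcinfo -p output posted above. The second
# nsrmmd line reproduces the quirk where a five-digit version number runs into
# the program number because rpcinfo prints fixed-width columns.
SAMPLE_RPCINFO = """\
   program vers proto   port
    100000    4   tcp    111  portmapper
    390113    1   tcp   7937  nsrexecd
    390103    2   tcp   8968  nsrd
    390109    2   udp   8492  nsrstat
    390104 1205   tcp   9154  nsrmmd
    39010411005   tcp   9254  nsrmmd
    390433    1   tcp   9593  nsrjobd
"""

# Assumption: NetWorker's RPC programs are the 390xxx numbers seen in the thread.
NSR_PROG_MIN, NSR_PROG_MAX = 390100, 390999

NORMAL_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)\s*(\S*)\s*$")
FUSED_RE = re.compile(r"^\s*(\d{6})(\d{1,5})\s+(tcp|udp)\s+(\d+)\s*(\S*)\s*$")

def parse_rpcinfo(text):
    """Return (program, version, proto, port, name) tuples; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = NORMAL_RE.match(line) or FUSED_RE.match(line)
        if m:
            prog, vers, proto, port, name = m.groups()
            entries.append((int(prog), int(vers), proto, int(port), name))
    return entries

def networker_ports(entries):
    """Map proto -> sorted list of ports registered by NetWorker programs only."""
    ports = {}
    for prog, _vers, proto, port, _name in entries:
        if NSR_PROG_MIN <= prog <= NSR_PROG_MAX:
            ports.setdefault(proto, set()).add(port)
    return {proto: sorted(s) for proto, s in ports.items()}

def outbound_rules(ports, server_ip, chain="RH-Firewall-1-OUTPUT"):
    """Render iptables rules (text only, nothing is applied) letting the client open
    NEW connections to the server's NetWorker ports; replies use ESTABLISHED,RELATED."""
    rules = []
    for proto in sorted(ports):
        dports = ",".join(str(p) for p in ports[proto])
        rules.append(f"-A {chain} -d {server_ip} -p {proto} -m multiport "
                     f"--dports {dports} -m state --state NEW -j ACCEPT")
    return rules
```

Because the client's rpcinfo only shows the server side, the inbound counterpart (the server reaching nsrexecd on the client's 7937/7938) still has to be written by hand, as discussed earlier in the thread.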
rowanr
October 25th, 2012 05:00
The backup server is not able to connect to the client:
backupserver:~# rpcinfo -p backupclient
^C
So it looks like a problem with the input rule...
Bebo2k
October 25th, 2012 14:00
Hi Rowanr,
Yes, the issue now seems to be in the direction from the backup server to the client. You have to check the inbound rules.
Waiting for your updates.
Thanks,
Ahmed Bahaa
Bebo2k
October 28th, 2012 16:00
Hi rowanr,
How is the issue going? Did you manage to solve the inbound rules?
Waiting for your updates,
Ahmed Bahaa
rowanr
October 29th, 2012 01:00
Hi,
I still need help with this. I'm wondering if I need to add NEW to the ESTABLISHED,RELATED command; it depends on whether the NetWorker client initiates a new connection once it is contacted by the backup server.
Thanks,
Rowan
ble1
November 1st, 2012 14:00
Long time ago, rule of thumb for Linux systems used to be: