If you are indeed using iptables, look into the DNAT and SNAT components...they are very useful for what you want to do. Amanda has a more or less (if compiled that way) set range of ports used that is fairly well documented. Used in conjunction with *NAT options it should allow you to do what you want. Also, some firewalls will allow you to do the same thing (port forwarding).

I personally use several machines behind a firewall and the connection tracking seems to work ok. Granted I haven't tried it with amanda since the machines I want to backup are behind the firewall. However, DNAT/SNAT works ok for webservers and mailservers behind the firewall so I see no reason it should be different for amanda. (Let me reiterate that I use a linux based firewall solution.)

=G=

Jerry wrote:

That would only allow connections back in, but that
assumes they can get back in....which I don't think
they can given the NAT situation. Let me clarify:

Tape Server
10.100.100.x
|
firewall
nat all lab stuff out to public ip 9.x.x.x
|
Client to backup
Sees tape server as nated 9.x.x.x

The problem is if amanda tries to open a second connection, it will try to hit the nat, which is the firewall, not the box making the connection. Connection tracker would only allow the connection back into the firewall, which doesn't help since that is not the place where it should end up. So the real question is if amanda opens another connection or does everything as part of the same connection.

Does anyone have this setup?

--- Galen Johnson <[EMAIL PROTECTED]> wrote:

Jerry wrote:


Is amanda NAT friendly?

i.e. I have a tape server with a private ip address (10.100.100.x) and I want to backup a server outside of that space with a public ip. When the server contacts the system with the public ip it gets nat'ed to a different ip.

What I need to know is if everything occurs over the one connection to amanda or if the client needs to make a connection back (which, in this case, would fail because it would be trying to contact the nat address and would fail).

Jerry

__________________________________________________
Do you Yahoo!?
Y! Web Hosting - Let the expert host your web site
http://webhosting.yahoo.com/



If you are using linux and iptables, you probably need a line similar to the following after making sure you have the conntrack module loaded or built-in:

$IPT -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $INET_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT

where $IPT is your iptables command (usually /usr/sbin/iptables) and $INET_IFACE is your internet interface.

This should keep track of the packets that go out
and allow them back in.

=G=



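As an added example (not code from this thread or from the Amanda project), the script below generates the iptables rules the replies describe, the conntrack state rules plus DNAT/SNAT, for the layout in Jerry's diagram. It assumes a Linux firewall with ip_conntrack, a tape server at the constructed address 10.100.100.10 behind the constructed public address 9.0.0.1, and an Amanda build with --with-tcpportrange=50000,50100 so that the client's connections back to the server land in a known range; it prints the rules unless explicitly told to run them.

```shell
#!/bin/sh
# Added example: iptables rules for an Amanda tape server behind NAT.
# Constructed values, not from the thread: tape server 10.100.100.10,
# public NAT address 9.0.0.1, Amanda TCP port range 50000-50100.
IPT=${IPT:-/usr/sbin/iptables}
INET_IFACE=${INET_IFACE:-eth0}
TAPE_SERVER=10.100.100.10
PUBLIC_IP=9.0.0.1
TCP_LOW=50000
TCP_HIGH=50100
# Narrow this to the backup client's address in production so the
# forwarded range is not reachable from the whole internet.
CLIENT=${CLIENT:-0.0.0.0/0}

# Stateful rules from the thread: let replies to outbound packets back in.
stateful_rules() {
  printf '%s\n' \
    "$IPT -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT" \
    "$IPT -A FORWARD -i $INET_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# The client connects back to the server's TCP port range; those packets
# arrive at the public IP, so DNAT them to the real tape server and allow
# the forwarded NEW connections only for that range and that client.
dnat_rules() {
  printf '%s\n' \
    "$IPT -t nat -A PREROUTING -i $INET_IFACE -p tcp -s $CLIENT -d $PUBLIC_IP --dport $TCP_LOW:$TCP_HIGH -j DNAT --to-destination $TAPE_SERVER" \
    "$IPT -A FORWARD -i $INET_IFACE -p tcp -s $CLIENT -d $TAPE_SERVER --dport $TCP_LOW:$TCP_HIGH -m state --state NEW -j ACCEPT"
}

# Outbound: the server's UDP request to amandad leaves with the public
# address, so the client answers an IP the firewall owns and tracks.
snat_rules() {
  printf '%s\n' \
    "$IPT -t nat -A POSTROUTING -o $INET_IFACE -s $TAPE_SERVER -j SNAT --to-source $PUBLIC_IP"
}

all_rules() { stateful_rules; dnat_rules; snat_rules; }
rule_count() { all_rules | wc -l | tr -d ' '; }

# apply_rules run  -> executes each rule (needs root); anything else prints.
apply_rules() {
  if [ "$1" = run ]; then
    all_rules | while read -r cmd; do
      sh -c "$cmd" || { echo "failed: $cmd" >&2; exit 1; }
    done
  else
    all_rules
  fi
}

apply_rules "${1:-print}"
```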