Re: nat friendly?

Mon, 28 Oct 2002 12:17:55 -0800 

That would only allow connections back in, but that
assumes they can get back in....which I don't think
they can given the NAT situation.  Let me clarify:

Tape Server
10.100.100.x
     |
firewall
nat all lab stuff out to public ip 9.x.x.x
     |
Client to backup
Sees tape server as nated 9.x.x.x

The problem is if amanda tries to open a second
connection, it will try to hit the nat, which is the
firewall, not the box makikng the connection. 
Connection tracker would only allow the connection
back into the firewall, which doesn't help since that
is not the place where it should end up.  So the real
question is if amanda opens another connection or does
everything as part of the same connection.

Does anyone have this setup?

--- Galen Johnson <[EMAIL PROTECTED]> wrote:
> Jerry wrote:
> 
> >Is amanda NAT friendly?
> >
> >i.e. I have a tape server with a private ip address
> >(10.100.100.x) and I want to backup a server
> outside
> >of that space with a public ip.  When the server
> >contacts the system with the public ip it gets
> nat'ed
> >to a different ip.
> >
> >What I need to know is if everything occurs over
> the
> >one connection to amanda or if the client needs to
> >make a connection back (which, in this case, would
> >fail because it would be trying to contact the nat
> >address and would fail.
> >
> >Jerry
> >
> >__________________________________________________
> >Do you Yahoo!?
> >Y! Web Hosting - Let the expert host your web site
> >http://webhosting.yahoo.com/
> >  
> >
> if you are using linux and iptables, you probably
> need a line similar to 
> the following after making sure you have the
> conntrack module loaded or 
> built-in:
> 
> $IPT -A INPUT -p ALL -i $INET_IFACE -m state --state
> ESTABLISHED,RELATED 
> -j ACCEPT
> $IPT -A FORWARD -i $INET_IFACE -m state --state
> ESTABLISHED,RELATED -j 
> ACCEPT
> 
> where $IPT is your iptables command (usually
> /usr/sbin/iptables) and 
> $INET_IFACE is your internet interface.
> 
> This should keep track of the packets that go out
> and allow them back in.
> 
> =G=
> 


__________________________________________________
Do you Yahoo!?
Y! Web Hosting - Let the expert host your web site
http://webhosting.yahoo.com/

Reply via email to