
PDOS and internal firewall?

EDS_Stefan
Level 3

Hi all,

I have a little problem with "a" firewall.

Following environment:
NetBackup PureDisk: 6.2.1.1
PDOS: 6.2.0.13

This installation has been running well for over a year.
Now we have installed a piece of software (Data Protector Advisor) to collect some information about the registered agents, backup status and so on. On an older PureDisk server that software works, and also on a third, newer instance. Only on this server do we have problems.

Now I found out via YaST that "another firewall is already running".
Which other firewall? I have never installed a firewall on the server and I have never activated a firewall on that server.

Now my question: is there a firewall installed with PD 6.2.x.x, and how can I configure that firewall?

Regards ... Stefan

3 REPLIES

EDS_Stefan
Level 3
Hi,
me again.

In the meantime I have found out that I have to edit the file
/etc/puredisk/custom_iptables_rules

Whenever I run the command
sh /opt/pdconfigure/scripts/installers/ChangeIPTables.sh

after I have modified the table, I get the message
Appending general rules
Appending SPA rules
Appending MBS rules
Appending MBE rules
Appending CTRL rules
Appending CR rules
Appending Custom rules
Illegal format!
WARNING: not all custom firewall rules could be configured.  Check format of /etc/puredisk/custom_iptables_rules.
Finishing IP tables

What is wrong? I have inserted the following line into custom_iptables_rules:
tcp     IPADRESS  4001,3916
where IPADRESS is the IP address of the server I want to reach from my PureDisk server.

David_Lombardi
Level 3
According to the install documentation for PureDisk 6.5 there is a firewall for SUSE and one for PureDisk.

During the install, you are supposed to deactivate the SUSE firewall via YaST and then let PureDisk enable its own firewall.

I believe you can do this after the fact via YaST, but I am curious what happens, as we are about to install DPA for reporting in our environment as well.

Harish55
Level 2
Employee
The iptables rules should look like this (iptables-save format, as loaded by iptables-restore):

*filter
:INPUT ACCEPT [2:250]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [5467969:2249385180]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 13724 -j ACCEPT
-A INPUT -p udp -m udp --dport 13724 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 13782 -j ACCEPT
-A INPUT -p udp -m udp --dport 13782 -j ACCEPT
-A INPUT -p udp -m udp --dport 4145 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 14141 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 14144 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3260 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p udp -m udp --dport 10087 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2821 -j ACCEPT
-A INPUT -p udp -m udp --dport 2821 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1556 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p udp -m udp --dport 1556 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 123 -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8443 -j ACCEPT
# give the IP address of your machine as the source (-s) here
-A INPUT -s 10.209.6.194 -p tcp -m tcp --dport 10085 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10101 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10082 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
COMMIT
# Completed on Fri Nov 20 16:15:02 2009
# Generated by iptables-save v1.3.5 on Fri Nov 20 16:15:02 2009
*nat
:PREROUTING ACCEPT [379745:72435200]
:POSTROUTING ACCEPT [173702:10432645]
:OUTPUT ACCEPT [177313:10649305]
# give the IP address of your system as the SNAT source (--to-source)
-A POSTROUTING -s ! 127.0.0.0/255.0.0.0 -p tcp -m tcp --dport 10085 -j SNAT --to-source 10.209.6.194
COMMIT
# Completed on Fri Nov 20 16:15:02 2009
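A small offline check for a hand-edited iptables-save file, added here as an example; it is not part of the thread and not a Veritas/Symantec tool, and it does not parse the PureDisk custom_iptables_rules format, which the thread never shows. It catches the two edits that make iptables-restore reject a file like the paste above (rule lines before any *table header, and free-text notes appended to a rule), flags the old "-s ! addr" negation that newer iptables deprecates, and lists the ports the INPUT chain accepts from any source so the exposure can be reviewed before the rules are loaded. The sample file is constructed to resemble the paste; the function names are the example's own.

```shell
#!/bin/sh
# lint_iptables_save FILE: one diagnostic line per problem found in an
# iptables-save dump. Structural checks mirror what iptables-restore rejects.
lint_iptables_save() {
    awk '
    BEGIN { table = ""; outside = 0 }
    /^#/ || /^[ \t]*$/ { next }                # iptables-save comments, blank lines
    /^\*/ {                                    # *filter, *nat, ... opens a table
        if (table != "") printf("line %d: *%s opened while *%s is still open (missing COMMIT)\n", NR, substr($0, 2), table)
        table = substr($0, 2); outside = 0; next
    }
    /^COMMIT$/ {
        if (table == "" && !outside) printf("line %d: COMMIT with no *table header before it\n", NR)
        table = ""; outside = 0; next
    }
    {
        if (table == "" && !outside) {         # report a missing header once per block
            printf("line %d: rules before any *table header; iptables-restore needs e.g. *filter\n", NR)
            outside = 1
        }
        if ($0 ~ /^:/) next                    # :CHAIN POLICY [pkts:bytes]
        if ($0 !~ /^-A /) { printf("line %d: not a rule: %s\n", NR, $0); next }
        if ($0 ~ /[()]/)                       # notes pasted after the rule
            printf("line %d: free text after the rule, iptables-restore will reject it\n", NR)
        if ($0 ~ / -[sd] ! /)                  # iptables 1.3 style negation
            printf("line %d: intrapositioned negation (-s ! addr) is deprecated; newer iptables expects ! -s addr\n", NR)
    }' "$1"
}

# count_problems FILE: number of diagnostics, 0 for a clean file.
count_problems() {
    lint_iptables_save "$1" | awk 'END { print NR }'
}

# open_input_ports FILE: proto/port for every INPUT rule that ACCEPTs a
# destination port without restricting the source address.
open_input_ports() {
    awk '
    /^-A INPUT / && / -j ACCEPT/ && !/ -s / {
        proto = ""; port = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "-p") proto = $(i + 1)
            if ($i == "--dport") port = $(i + 1)
        }
        if (proto != "" && port != "") printf("%s/%s\n", proto, port)
    }' "$1"
}

# write_sample FILE: constructed sample modelled on the paste above, with the
# same defects (no *filter header, a note in parentheses, -s ! negation).
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample in iptables-save format, modelled on the paste above
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -s 10.209.6.194 -p tcp -m tcp --dport 10085 -j ACCEPT ( give the ip address of yr m/c )
-A INPUT -p tcp -m tcp --dport 1556 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s ! 127.0.0.0/255.0.0.0 -p tcp -m tcp --dport 10085 -j SNAT --to-source 10.209.6.194
COMMIT
EOF
}

sample=$(mktemp)
write_sample "$sample"
echo "== problems found: $(count_problems "$sample")"
lint_iptables_save "$sample"
echo "== INPUT ports accepted from any source"
open_input_ports "$sample"
rm -f "$sample"
```

On the constructed sample this reports three problems (missing table header, the parenthesised note, the deprecated negation) and lists tcp/22, tcp/443 and udp/123 as reachable from anywhere; the 10085 rule is left out because it is restricted to one source address. Run it against a real dump before iptables-restore, and treat any port in the second list that is not in the PureDisk port documentation as something to justify.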