[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[cobalt-users] RE: Raq3 Mysterious Death & Backup Mystery

Subject: [cobalt-users] RE: Raq3 Mysterious Death & Backup Mystery
From: Chae <chae@xxxxxxxxxxxx>
Date: Tue Oct 8 02:38:03 2002
List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>

Hi Yah,

Well the bad news is that the suggestion that Gerald offered didn't work :(

Gerald replied with:

# Allow packets with ack bit set, their from an established connection.
/sbin/ipchains -A input ! -y -p tcp -s 0/0 -d 0/0 -j ACCEPT

Tonight raqbackup did it's thing and this time I was lucky to even transfer5 files ....

*******************************************************************************

21:05:00 > Deleting old logfiles... ok
21:05:00 > Deleting cmu.log to have a fresh one... ok
21:05:00 > Starting cmuExport... ok
21:34:57 > Finished! We exported 164 vsites, 210 users, 3 lists
******************************** more details *********************************
Rest of logs file with backup files listing...

*******************************************************************************

21:34:58 > Starting to tar xml-files... ok
21:35:03 > Deleting xml-files... ok
21:35:04 > Starting to dump MySQL-databases... ok
21:35:04 > Starting to tar ns.XXXXXXXXXX.com.mysqldump.sql... ok
21:35:05 > Deleting ns.XXXXXXXXXX.com.mysqldump.sql... ok
21:35:05 > Starting to tar addidtional dir(s)... ok
21:35:46 > Size of backup (MB): 551 /home/raqbackup/data

Rest of logs file with backup files listing...

*******************************************************************************

21:35:46 > Testing connection to backupserver IP... ok
21:35:47 > Transferring backup to backupserver IP... ok
21:49:03 > Getting listing from backupserver IP... ok

******************************** more details*********************************

Connected to backupserver IP.
220 ProFTPD 1.2.4 Server (ProFTPD) [backupserver IP]
331 Password required for XXXXXXXXXX.
230 User XXXXXXXXXX logged in.
250 CWD command successful.
200 PORT command successful.
150 Opening ASCII mode data connection for file list.

-rw-r--r-- 1 150 112 869458 Oct 8 04:35groups-ns.XXXXXXXXXXXXXXX.com-private.tar.gz-rw-r--r-- 1 150 112 1568726 Oct 8 04:35groups-ns.XXXXXXXXXXXXXXXX.com-public.tar.gz

-rw-r--r-- 1 150 112 1235 Oct 8 04:35 groups-www.XXXXX.com-private.tar.gz
-rw-r--r-- 1 150 112 0 Oct 8 04:35 groups-www.XXXXX.com-public.tar.gz
226 Transfer complete.
221 Goodbye.

*******************************************************************************

21:49:04 > Deleting backup on ns.XXXXXXXXXX.com... ok
21:49:30 > raqbackup.sh 3.1 finished!

My Logs came through about 10 minutes later and it still shows thefollowing...so my backup server is still having packets dropped which meansthe files aren't getting transferred over to the backup server.

Oct 8 21:35:54 ns kernel: Packet log: input DENY eth0 PROTO=6backup-server-ip:20 my-server-ip:1080 L=60 S=0x00 I=29985 F=0x4000 T=64 SYN(#38)Oct 8 21:35:57 ns kernel: Packet log: input DENY eth0 PROTO=6backup-server-ip:20 my-server-ip:1080 L=60 S=0x00 I=29987 F=0x4000 T=64 SYN(#38)Oct 8 21:36:03 ns kernel: Packet log: input DENY eth0 PROTO=6backup-server-ip:20 my-server-ip:1080 L=60 S=0x00 I=29988 F=0x4000 T=64 SYN(#38)Oct 8 21:36:15 ns kernel: Packet log: input DENY eth0 PROTO=6backup-server-ip:20 my-server-ip:1080 L=60 S=0x00 I=29989 F=0x4000 T=64 SYN(#38)Oct 8 21:36:39 ns kernel: Packet log: input DENY eth0 PROTO=6backup-server-ip:20 my-server-ip:1080 L=60 S=0x00 I=30021 F=0x4000 T=64 SYN(#38)Oct 8 21:37:27 ns kernel: Packet log: input DENY eth0 PROTO=6backup-server-ip:20 my-server-ip:1080 L=60 S=0x00 I=30025 F=0x4000 T=64 SYN(#38)Oct 8 21:39:03 ns kernel: Packet log: input DENY eth0 PROTO=6backup-server-ip:20 my-server-ip:1080 L=60 S=0x00 I=30026 F=0x4000 T=64 SYN(#38)Oct 8 21:41:03 ns kernel: Packet log: input DENY eth0 PROTO=6backup-server-ip:20 my-server-ip:1080 L=60 S=0x00 I=30027 F=0x4000 T=64 SYN(#38)Oct 8 21:43:03 ns kernel: Packet log: input DENY eth0 PROTO=6backup-server-ip:20 my-server-ip:1080 L=60 S=0x00 I=30028 F=0x4000 T=64 SYN(#38)Oct 8 21:45:03 ns kernel: Packet log: input DENY eth0 PROTO=6backup-server-ip:20 my-server-ip:1080 L=60 S=0x00 I=30081 F=0x4000 T=64 SYN(#38)Oct 8 21:47:03 ns kernel: Packet log: input DENY eth0 PROTO=6backup-server-ip:20 my-server-ip:1080 L=60 S=0x00 I=30113 F=0x4000 T=64 SYN(#38)Oct 8 21:49:03 ns kernel: Packet log: input DENY eth0 PROTO=6backup-server-ip:20 my-server-ip:1080 L=60 S=0x00 I=30114 F=0x4000 T=64 SYN(#38)


Here's a snippet from my IPChains Rules

/sbin/ipchains -F
/sbin/ipchains -X

/sbin/ipchains -P input DENY
/sbin/ipchains -P forward DENY
/sbin/ipchains -P output REJECT

/sbin/ipchains -A input -i lo -j ACCEPT
/sbin/ipchains -A input -s 10.0.0.0/255.0.0.0 -j DENY
/sbin/ipchains -A input -s 172.16.0.0/255.240.0.0 -j DENY
/sbin/ipchains -A input -s 192.168.0.0/255.255.0.0 -j DENY
/sbin/ipchains -A input -s 255.255.255.255/255.255.255.255 -j DENY
/sbin/ipchains -A input -d 0.0.0.0/255.255.255.255 -j DENY
/sbin/ipchains -A input -s 224.0.0.0/240.0.0.0 -j DENY
/sbin/ipchains -A input -s 240.0.0.0/248.0.0.0 -j DENY
/sbin/ipchains -A input -s 0.0.0.0/255.0.0.0 -j DENY
/sbin/ipchains -A input -s 127.0.0.0/255.0.0.0 -j DENY
/sbin/ipchains -A input -s 169.254.0.0/255.255.0.0 -j DENY
/sbin/ipchains -A input -s 192.0.2.0/255.255.255.0 -j DENY
/sbin/ipchains -A input -s 224.0.0.0/224.0.0.0 -j DENY
/sbin/ipchains -A input -d 0.0.0.0/0.0.0.0 2049 -i eth0 -y -l -p tcp -j DENY
/sbin/ipchains -A input -d 0.0.0.0/0.0.0.0 2000 -i eth0 -y -l -p tcp -j DENY

/sbin/ipchains -A input -d 0.0.0.0/0.0.0.0 6000:6063 -i eth0 -y -l -p tcp-j DENY

/sbin/ipchains -A input -d 0.0.0.0/0.0.0.0 1080 -i eth0 -y -l -p tcp -j DENY
/sbin/ipchains -A input -d 0.0.0.0/0.0.0.0 2049 -i eth0 -l -p udp -j DENY

/sbin/ipchains -A input -s 0.0.0.0/0.0.0.0 32769:65535 -d 0.0.0.0/0.0.0.033434:33523 -i eth0 -l -p udp -j DENY/sbin/ipchains -A input -s 0.0.0.0/0.0.0.0 1024:65535 -d 0.0.0.0/0.0.0.0 53-i eth0 -p udp -j ACCEPT/sbin/ipchains -A input -s 0.0.0.0/0.0.0.0 53 -d 0.0.0.0/0.0.0.0 53 -i eth0-p udp -j ACCEPT/sbin/ipchains -A input -s 0.0.0.0/0.0.0.0 53 -d 0.0.0.0/0.0.0.0 1024:65535-i eth0 -p udp -j ACCEPT/sbin/ipchains -A input -s 0.0.0.0/0.0.0.0 53 -d 0.0.0.0/0.0.0.0 1024:65535-i eth0 ! -y -p tcp -j ACCEPT/sbin/ipchains -A input -s 0.0.0.0/0.0.0.0 1024:65535 -d 0.0.0.0/0.0.0.0 80-i eth0 -p tcp -j ACCEPT/sbin/ipchains -A input -s 0.0.0.0/0.0.0.0 80 -d 0.0.0.0/0.0.0.0 1024:65535-i eth0 ! -y -p tcp -j ACCEPT/sbin/ipchains -A input -s 0.0.0.0/0.0.0.0 1024:65535 -d 0.0.0.0/0.0.0.0 81-i eth0 -p tcp -j ACCEPT/sbin/ipchains -A input -s 0.0.0.0/0.0.0.0 1024:65535 -d 0.0.0.0/0.0.0.0443 -i eth0 -p tcp -j ACCEPT/sbin/ipchains -A input -s 0.0.0.0/0.0.0.0 443 -d 0.0.0.0/0.0.0.01024:65535 -i eth0 ! -y -p tcp -j ACCEPT/sbin/ipchains -A input -s 0.0.0.0/0.0.0.0 1024:65535 -d 0.0.0.0/0.0.0.0110 -i eth0 -p tcp -j ACCEPT/sbin/ipchains -A input -s 0.0.0.0/0.0.0.0 1024:65535 -d 0.0.0.0/0.0.0.0 25-i eth0 -p tcp -j ACCEPT/sbin/ipchains -A input -s 0.0.0.0/0.0.0.0 25 -d 0.0.0.0/0.0.0.0 1024:65535-i eth0 ! -y -p tcp -j ACCEPT/sbin/ipchains -A input -s 0.0.0.0/0.0.0.0 513:65535 -d 0.0.0.0/0.0.0.0 22-i eth0 -p tcp -j ACCEPT/sbin/ipchains -A input -s 0.0.0.0/0.0.0.0 22 -d 0.0.0.0/0.0.0.0 1022:65535-i eth0 ! -y -p tcp -j ACCEPT/sbin/ipchains -A input -s 0.0.0.0/0.0.0.0 513:65535 -d 0.0.0.0/0.0.0.0 26-i eth0 -p tcp -j ACCEPT/sbin/ipchains -A input -s 0.0.0.0/0.0.0.0 1024:65535 -d 0.0.0.0/0.0.0.0113 -i eth0 -p tcp -j ACCEPT/sbin/ipchains -A input -s 0.0.0.0/0.0.0.0 113 -d 0.0.0.0/0.0.0.01024:65535 -i eth0 ! -y -p tcp -j ACCEPT/sbin/ipchains -A input -s 0.0.0.0/0.0.0.0 1024:65535 -d 0.0.0.0/0.0.0.0 21-i eth0 -p tcp -j ACCEPT/sbin/ipchains -A input -s 0.0.0.0/0.0.0.0 1024:65535 -d 0.0.0.0/0.0.0.0 20-i eth0 ! -y -p tcp -j ACCEPT/sbin/ipchains -A input -s 0.0.0.0/0.0.0.0 1024:65535 -d 0.0.0.0/0.0.0.01024:65535 -i eth0 -p tcp -j ACCEPT/sbin/ipchains -A input -s 0.0.0.0/0.0.0.0 21 -d 0.0.0.0/0.0.0.0 1024:65535-i eth0 ! -y -p tcp -j ACCEPT/sbin/ipchains -A input -s 0.0.0.0/0.0.0.0 20 -d 0.0.0.0/0.0.0.0 1024:65535-i eth0 -p tcp -j ACCEPT/sbin/ipchains -A input -s 0.0.0.0/0.0.0.0 1024:65535 -d 0.0.0.0/0.0.0.01024:65535 -i eth0 ! -y -p tcp -j ACCEPT

# Allow packets with ack bit set, from an established connection - forbackup server.

/sbin/ipchains -A input ! -y -p tcp -s 0/0 -d 0/0 -j ACCEPT

#Rules added for NTP Updates

/sbin/ipchains -A input -s 0.0.0.0/0.0.0.0 123 -d 0.0.0.0/0.0.0.0 123 -ieth0 -p udp -j ACCEPT/sbin/ipchains -A input -s 0.0.0.0/0.0.0.0 1024:65535 -d 0.0.0.0/0.0.0.0123 -i eth0 -p udp -j ACCEPT/sbin/ipchains -A input -s 0.0.0.0/0.0.0.0 123 -d 0.0.0.0/0.0.0.01024:65535 -i eth0 -p udp -j ACCEPT/sbin/ipchains -A output -s 0.0.0.0/0.0.0.0 123 -d 0.0.0.0/0.0.0.0 123 -ieth0 -p udp -j ACCEPT/sbin/ipchains -A output -s 0.0.0.0/0.0.0.0 123 -d 0.0.0.0/0.0.0.01024:65535 -i eth0 -p udp -j ACCEPT/sbin/ipchains -A output -s 0.0.0.0/0.0.0.0 1024:65535 -d 0.0.0.0/0.0.0.0123 -i eth0 -p udp -j ACCEPT


#Continue Normal Rules
/sbin/ipchains -A input -i eth0 -p icmp --icmp-type echo-reply -j ACCEPT

/sbin/ipchains -A input -i eth0 -p icmp --icmp-type destination-unreachable-j ACCEPT

/sbin/ipchains -A input -i eth0 -p icmp --icmp-type source-quench -j ACCEPT
/sbin/ipchains -A input -i eth0 -p icmp --icmp-type time-exceeded -j ACCEPT
/sbin/ipchains -A input -i eth0 -p icmp --icmp-type parameter-problem -j ACCEPT
/sbin/ipchains -A input -d 0.0.0.0/0.0.0.0 0:19 -i eth0 -l -p tcp -j DENY
/sbin/ipchains -A input -d 0.0.0.0/0.0.0.0 24 -i eth0 -l -p tcp -j DENY
/sbin/ipchains -A input -d 0.0.0.0/0.0.0.0 37 -i eth0 -p tcp -j DENY
/sbin/ipchains -A input -d 0.0.0.0/0.0.0.0 37 -i eth0 -p udp -j DENY
/sbin/ipchains -A input -d 0.0.0.0/0.0.0.0 26:78 -i eth0 -l -p tcp -j DENY
/sbin/ipchains -A input -d 0.0.0.0/0.0.0.0 81:109 -i eth0 -l -p tcp -j DENY
/sbin/ipchains -A input -d 0.0.0.0/0.0.0.0 112 -i eth0 -l -p tcp -j DENY
/sbin/ipchains -A input -d 0.0.0.0/0.0.0.0 114:136 -i eth0 -l -p tcp -j DENY
/sbin/ipchains -A input -d 0.0.0.0/0.0.0.0 135:139 -i eth0 -p tcp -j DENY
/sbin/ipchains -A input -d 0.0.0.0/0.0.0.0 135:139 -i eth0 -p udp -j DENY
/sbin/ipchains -A input -d 0.0.0.0/0.0.0.0 137:138 -i eth0 -p tcp -j DENY
/sbin/ipchains -A input -d 0.0.0.0/0.0.0.0 137:138 -i eth0 -p udp -j DENY
/sbin/ipchains -A input -d 0.0.0.0/0.0.0.0 140:142 -i eth0 -l -p tcp -j DENY
/sbin/ipchains -A input -d 0.0.0.0/0.0.0.0 144:442 -i eth0 -l -p tcp -j DENY
/sbin/ipchains -A input -d 0.0.0.0/0.0.0.0 444:1023 -i eth0 -l -p tcp -j DENY
/sbin/ipchains -A input -d 0.0.0.0/0.0.0.0 0:110 -i eth0 -l -p udp -j DENY
/sbin/ipchains -A input -d 0.0.0.0/0.0.0.0 112:160 -i eth0 -l -p udp -j DENY
/sbin/ipchains -A input -d 0.0.0.0/0.0.0.0 163:634 -i eth0 -l -p udp -j DENY
/sbin/ipchains -A input -d 0.0.0.0/0.0.0.0 636:1023 -i eth0 -l -p udp -j DENY
/sbin/ipchains -A input -d 0.0.0.0/0.0.0.0 1024:65535 -i eth0 -l -p udp -j DENY
/sbin/ipchains -A input -i eth0 -l -p icmp --icmp-type redirect -j DENY
/sbin/ipchains -A input -s 0.0.0.0/0.0.0.0 13:255 -i eth0 -l -p icmp -j DENY
/sbin/ipchains -A output -i lo -j ACCEPT
/sbin/ipchains -A output -d 0.0.0.0/0.0.0.0 2049 -i eth0 -y -p tcp -j REJECT
/sbin/ipchains -A output -d 0.0.0.0/0.0.0.0 2000 -i eth0 -y -p tcp -j REJECT

/sbin/ipchains -A output -d 0.0.0.0/0.0.0.0 6000:6063 -i eth0 -y -p tcp -jREJECT

/sbin/ipchains -A output -d 0.0.0.0/0.0.0.0 1080 -i eth0 -y -p tcp -j REJECT

/sbin/ipchains -A output -s 0.0.0.0/0.0.0.0 53 -d 0.0.0.0/0.0.0.01024:65535 -i eth0 -p udp -j ACCEPT/sbin/ipchains -A output -s 0.0.0.0/0.0.0.0 53 -d 0.0.0.0/0.0.0.0 53 -ieth0 -p udp -j ACCEPT/sbin/ipchains -A output -s 0.0.0.0/0.0.0.0 1024:65535 -d 0.0.0.0/0.0.0.053 -i eth0 -p udp -j ACCEPT/sbin/ipchains -A output -s 0.0.0.0/0.0.0.0 1024:65535 -d 0.0.0.0/0.0.0.053 -i eth0 -p tcp -j ACCEPT/sbin/ipchains -A output -s 0.0.0.0/0.0.0.0 80 -d 0.0.0.0/0.0.0.01024:65535 -i eth0 ! -y -p tcp -j ACCEPT/sbin/ipchains -A output -s 0.0.0.0/0.0.0.0 1024:65535 -d 0.0.0.0/0.0.0.080 -i eth0 -p tcp -j ACCEPT/sbin/ipchains -A output -s 0.0.0.0/0.0.0.0 81 -d 0.0.0.0/0.0.0.01024:65535 -i eth0 ! -y -p tcp -j ACCEPT/sbin/ipchains -A output -s 0.0.0.0/0.0.0.0 443 -d 0.0.0.0/0.0.0.01024:65535 -i eth0 ! -y -p tcp -j ACCEPT/sbin/ipchains -A output -s 0.0.0.0/0.0.0.0 1024:65535 -d 0.0.0.0/0.0.0.0443 -i eth0 -p tcp -j ACCEPT/sbin/ipchains -A output -s 0.0.0.0/0.0.0.0 110 -d 0.0.0.0/0.0.0.01024:65535 -i eth0 ! -y -p tcp -j ACCEPT/sbin/ipchains -A output -s 0.0.0.0/0.0.0.0 25 -d 0.0.0.0/0.0.0.01024:65535 -i eth0 ! -y -p tcp -j ACCEPT/sbin/ipchains -A output -s 0.0.0.0/0.0.0.0 1024:65535 -d 0.0.0.0/0.0.0.025 -i eth0 -p tcp -j ACCEPT/sbin/ipchains -A output -s 0.0.0.0/0.0.0.0 22 -d 0.0.0.0/0.0.0.0 513:65535-i eth0 ! -y -p tcp -j ACCEPT/sbin/ipchains -A output -s 0.0.0.0/0.0.0.0 1022:65535 -d 0.0.0.0/0.0.0.022 -i eth0 -p tcp -j ACCEPT/sbin/ipchains -A output -s 0.0.0.0/0.0.0.0 1022:65535 -d 0.0.0.0/0.0.0.026 -i eth0 -p tcp -j ACCEPT/sbin/ipchains -A output -s 0.0.0.0/0.0.0.0 113 -d 0.0.0.0/0.0.0.01024:65535 -i eth0 ! -y -p tcp -j ACCEPT/sbin/ipchains -A output -s 0.0.0.0/0.0.0.0 1024:65535 -d 0.0.0.0/0.0.0.0113 -i eth0 -p tcp -j ACCEPT/sbin/ipchains -A output -s 0.0.0.0/0.0.0.0 21 -d 0.0.0.0/0.0.0.01024:65535 -i eth0 ! -y -p tcp -j ACCEPT/sbin/ipchains -A output -s 0.0.0.0/0.0.0.0 20 -d 0.0.0.0/0.0.0.01024:65535 -i eth0 -p tcp -j ACCEPT/sbin/ipchains -A output -s 0.0.0.0/0.0.0.0 1024:65535 -d 0.0.0.0/0.0.0.01024:65535 -i eth0 ! -y -p tcp -j ACCEPT/sbin/ipchains -A output -s 0.0.0.0/0.0.0.0 1024:65535 -d 0.0.0.0/0.0.0.021 -i eth0 -p tcp -j ACCEPT/sbin/ipchains -A output -s 0.0.0.0/0.0.0.0 1024:65535 -d 0.0.0.0/0.0.0.020 -i eth0 ! -y -p tcp -j ACCEPT/sbin/ipchains -A output -s 0.0.0.0/0.0.0.0 1024:65535 -d 0.0.0.0/0.0.0.01024:65535 -i eth0 -p tcp -j ACCEPT/sbin/ipchains -A output -i eth0 -p icmp --icmp-type fragmentation-needed-j ACCEPT

/sbin/ipchains -A output -i eth0 -p icmp --icmp-type source-quench -j ACCEPT
/sbin/ipchains -A output -i eth0 -p icmp --icmp-type echo-request -j ACCEPT

/sbin/ipchains -A output -i eth0 -p icmp --icmp-type parameter-problem -jACCEPT

/sbin/ipchains -A output -i eth0 -j REJECT

Can anyone suggest how I can stop IPChains from dropping packets, so that Ican get my backups over onto the backup serverEven jumped into portsentry and modified the portsentry.ignore file so thatit included my backup server IP.So now the host.allow includes in.proftpd - backupserver.IP,portsentry.ignore has the backup server IP and IPChains has the modsuggested by Gerald. But still the IP is being dropped :(


Regards

Chae

Prev by Date: RE: [cobalt-users] Fwd: Cron <root@www> /sbin/service ipchains restart >/dev/null
Next by Date: [cobalt-users] Address already in use (logfile messages ?)
Previous by thread: Re: [cobalt-users] RE: Raq3 Mysterious Death & Backup Mystery
Next by thread: [cobalt-users] RE: Raq3 Mysterious Death & Backup Mystery

Sun Cobalt Users Message Index

Sun Cobalt Users Thread Index