Hello, I have a similar installation (public IPs are fake):
10.0.0.2 = bacula director + storage daemon
10.0.0.3 = client to backup
...
10.0.0.254 / 164.15.0.1 = NAT gateway
134.184.0.1 = client to backup
...

In the Storage resource on the director (10.0.0.2) I have the public IP of the NAT gateway (164.15.0.1):

    Storage {
      Name = tape-st
      Address = 164.15.0.1
      SDPort = 9103
      Password = "xxx"
      Device = "sony SDX-500C"
      MediaType = AIT2
      Autochanger = no
      MaximumConcurrentJobs = 1
    }

On the NAT gateway (10.0.0.254) I have the following rules:

Simple port forwarding:

    $IPTABLES -t nat -A PREROUTING -p tcp -i $INTIF -s 10.0.0.$IP1 -d $EXTIP --dport 9103 -j DNAT --to 10.0.0.2:9103
    $IPTABLES -t nat -A PREROUTING -p tcp -i $INTIF -s 10.0.0.$IP2 -d $EXTIP --dport 9103 -j DNAT --to 10.0.0.2:9103
    (...)

This is the important rule (SNAT):

    $IPTABLES -t nat -A POSTROUTING -p tcp -d 10.0.0.2 --dport 9103 -o $INTIF -j SNAT --to $EXTIP

The following should be set too if -P FORWARD is DROP, for example:

    $IPTABLES -A FORWARD -i $EXTIF -s 134.184.0.1 -o $INTIF -d 10.0.0.2 -p tcp --dport 9103 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
    (...)

The routes are like this:

    source internal : 10.0.0.x -> 164.15.0.1 -> 10.0.0.2 (port forwarding + SNAT)
    source external : 134.184.0.x -> 164.15.0.1 (port forwarding)

Hope it helps

Julien

Wilson, David wrote:
>
> Greetings,
>
> I am looking for a way to control backups for hosts located inside of
> a firewall. These hosts are on a private non-routable address space
> and NAT'd through a firewall.
>
> My director and storage daemon are located in my normal server space
> and have no problems backing up other hosts.
>
> I would like to know if there is a way to set up a host behind the
> firewall to kick off backups against my clients within this network and
> have them back up to my storage daemon located on the "public" side of
> the firewall. Ideally if there was a proxy bacula director with which
> I could place within this private space and only grant my director
> access to which then would kick off backups to hosts within the
> private network it would be perfect.
>
> Has anyone else run into an issue similar to this and how did they
> solve it? I do not want to open access from my director to each host
> behind the firewall, and I would like to use the same volumes I would
> normally use for backups.
>
> Thanks,
>
> David Wilson
> Network Security Engineer
> PAETEC Communications, Inc.
> Voice: (585) 340 8209
> Mobile: (585) 259 0963
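
The packet path Julien's rules produce, as an added example that is not part of the original post: a small Python model of the gateway's DNAT and SNAT rules showing why an internal client fails without the SNAT rule while an external client does not need it. It assumes the storage daemon's default route is the NAT gateway; the client source port 40000 is a constructed sample value.

```python
from collections import namedtuple

# Addresses from the post; source port 40000 is a constructed sample value.
Pkt = namedtuple("Pkt", "src sport dst dport")
EXTIP, SD, SDPORT, LAN = "164.15.0.1", "10.0.0.2", 9103, "10.0.0."

def gateway_forward(pkt, snat):
    """Apply the gateway's nat rules to a new connection's first packet."""
    if pkt.dst == EXTIP and pkt.dport == SDPORT:
        pkt = pkt._replace(dst=SD)        # PREROUTING: DNAT --to 10.0.0.2:9103
    if snat and pkt.dst == SD and pkt.dport == SDPORT:
        pkt = pkt._replace(src=EXTIP)     # POSTROUTING: SNAT --to $EXTIP
    return pkt

def reply_seen_by_client(syn, snat):
    """Return the storage daemon's reply as it arrives at the client."""
    seen = gateway_forward(syn, snat)
    reply = Pkt(SD, seen.dport, seen.src, seen.sport)
    if reply.dst.startswith(LAN):
        # Destination is on the SD's own subnet: delivered directly, the
        # gateway never sees it, so the DNAT is never reversed.
        return reply
    # Otherwise the reply is routed via the gateway (assumed default route),
    # where conntrack restores the original addresses in reverse.
    return Pkt(syn.dst, syn.dport, syn.src, syn.sport)

def connection_works(client_ip, snat):
    """The client's TCP socket accepts only a reply from the peer it dialled."""
    syn = Pkt(client_ip, 40000, EXTIP, SDPORT)
    reply = reply_seen_by_client(syn, snat)
    return (reply.src, reply.sport) == (syn.dst, syn.dport)

if __name__ == "__main__":
    for client in ("10.0.0.3", "134.184.0.1"):
        for snat in (False, True):
            print(client, "SNAT" if snat else "no SNAT",
                  "ok" if connection_works(client, snat) else "reply mismatched")
```

Without SNAT the internal client receives a reply sourced from 10.0.0.2 instead of 164.15.0.1, which its TCP stack does not match to the connection it opened.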