  1. #1
    Just Joined! (Join Date: Jan 2006, Posts: 43)

    IPTables SNMP problems


    Hey all,

    Here's my current testing setup. I have two systems, both with a firewall (IPTables) and both are public. I have snmp running on both. To test SNMP connections, I run:

    Code:
    snmpwalk -Os -c public -v 1 domain.com system
    * domain.com being a real domain.

    However, we will call domain.com the box we want the snmpwalk to get information from, and domain2.com is the box that is trying to get the information (the one that issues the snmpwalk). I know my main issue is related to domain2.com's firewall, because when I turn the firewall on, the snmpwalk fails, however if I turn the firewall off on domain2.com, then the snmpwalk is successful.

    Here's domain2.com's firewall rules (from /etc/sysconfig/iptables):

    Code:
    *filter
    :OUTPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :FWALL-INPUT - [0:0]
    :INPUT DROP [0:0]
    -A INPUT -j FWALL-INPUT
    
    # internal interfaces
    -A FWALL-INPUT -i lo -j ACCEPT
    -A OUTPUT -o lo -j ACCEPT
    
    # ICMP Love
    -A FWALL-INPUT -p icmp -j ACCEPT
    -A FWALL-INPUT -p udp -m iprange --src-range 10.0.80.11-10.0.80.12 -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
    
    # Web
    -A FWALL-INPUT -p tcp -m tcp --dport 80 -j ACCEPT
    -A FWALL-INPUT -p tcp -m tcp --dport 443 -j ACCEPT
    -A FWALL-INPUT -p tcp -m tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
    
    # SNMP
    -A FWALL-INPUT -p udp -m udp -s 0/0 --dport 161:162 -j ACCEPT
    -A OUTPUT -p udp -s 0/0 --sport 161:162 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
    COMMIT
    Any help would be appreciated.

  2. #2
    Linux Guru Lazydog (Join Date: Jun 2004, Location: The Keystone State, Posts: 2,677)
    Since you are allowing everything out (:OUTPUT ACCEPT [0:0]), you just need to allow ESTABLISHED and RELATED connections back in:

    -A FWALL-INPUT -m state --state ESTABLISHED -j ACCEPT

    Here are your rules cleaned up somewhat:

    Code:
    *filter
    :INPUT DROP [0:0]
    :OUTPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]

    # internal interfaces
    -A INPUT -i lo -j ACCEPT
    # replies to connections this host opened (snmpwalk, DNS, web) come back in here
    -A INPUT -m state --state ESTABLISHED -j ACCEPT

    # ICMP Love
    -A INPUT -p icmp -j ACCEPT

    # Web
    -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT

    # SNMP
    -A INPUT -p udp -m udp -s 0/0 --dport 161:162 -j ACCEPT

    # no longer needed as the above INPUT - ESTABLISHED catches this.
    #-A INPUT -p udp -m iprange --src-range 10.0.80.11-10.0.80.12 -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
    #-A FWALL-INPUT -p tcp -m tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

    # These are no longer needed as you allow everything to leave by default above.
    #-A OUTPUT -o lo -j ACCEPT
    #-A OUTPUT -p udp -s 0/0 --sport 161:162 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
    # COMMIT is required for iptables-restore to apply the table (it was in the original file).
    COMMIT

    Regards
    Robert

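To make the reasoning in this thread concrete, here is a small added illustration (not code from either poster, and not netfilter itself): a toy model of connection tracking that evaluates the INPUT chain of domain2.com against the snmpwalk reply. The original rules only accept UDP *destined* for 161:162, so the reply to the client's ephemeral port falls through to the DROP policy; with the ESTABLISHED rule in front it is accepted. Host names and the ephemeral port are constructed values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class Firewall:
    """Toy stateful filter: OUTPUT is ACCEPT (as in both rulesets) and every
    outgoing flow is recorded so that its reply can be classed ESTABLISHED."""

    def __init__(self, input_rules, input_policy="DROP"):
        self.input_rules = input_rules   # list of (match(pkt, state), verdict)
        self.policy = input_policy       # :INPUT DROP [0:0]
        self.conntrack = set()           # 5-tuples of flows this host opened

    def send(self, pkt):
        self.conntrack.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def state(self, pkt):
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "ESTABLISHED" if reverse in self.conntrack else "NEW"

    def receive(self, pkt):
        for match, verdict in self.input_rules:
            if match(pkt, self.state(pkt)):
                return verdict
        return self.policy               # nothing matched: chain policy applies


# Original post: the only UDP rule in the INPUT path is --dport 161:162.
ORIGINAL = [(lambda p, s: p.proto == "udp" and 161 <= p.dport <= 162, "ACCEPT")]
# Lazydog's fix: accept ESTABLISHED replies before the port-specific rules.
FIXED = [(lambda p, s: s == "ESTABLISHED", "ACCEPT")] + ORIGINAL


def snmpwalk_reply_verdict(rules):
    """domain2 queries domain's port 161 from an ephemeral port (constructed:
    49152) and the agent answers back to that ephemeral port."""
    fw = Firewall(rules)
    fw.send(Pkt("udp", "domain2", 49152, "domain", 161))
    return fw.receive(Pkt("udp", "domain", 161, "domain2", 49152))


def unsolicited_verdict(rules, dport):
    """A packet from an unknown host that this host never talked to."""
    return Firewall(rules).receive(Pkt("udp", "elsewhere", 40000, "domain2", dport))
```

The second helper shows the fix does not widen exposure: an unsolicited UDP packet to an ephemeral port is still dropped, while an inbound SNMP query to 161 is accepted under both rulesets, exactly as before.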
