From: srgqwerty <srgqwerty@telefonica.net>
To: netfilter_user <netfilter_user@o2.pl>
Cc: netfilter@lists.netfilter.org
Subject: Re: SNMP and IPTABLES
Date: Sat, 02 Aug 2003 21:36:57 -0100
Message-ID: <3F2C3D09.10708@telefonica.net>
In-Reply-To: <1934869742.20030802113613@o2.pl>
netfilter_user wrote:
>hello everyone,
>
>This is my problem:
>
>The gateway in my network is a PC with Linux (Slackware 8.1), and
>MRTG, which listens for SNMP, is also installed on this machine. I want to use SNMP
>only in the local (internal) network. I know that SNMP
>uses ports 161 and 162. There are no problems with communication between
>the Linux machine and local hosts via SNMP.
>
>BUT: the problem is when MRTG tries to receive SNMP information from this
>same machine it is installed on (MRTG is installed on the Linux machine,
>the gateway). I don't know why, because I set:
>
>iptables -A INPUT -i eth1 -p tcp -m multiport --dport 21,80,161,3128 -j ACCEPT
>iptables -A INPUT -i eth1 -p udp -m multiport --dport 80,67,161 -j ACCEPT
>
>...and it should resolve the problem... but
>it won't.
>
>!!!!!THIS IS IMPORTANT!!!!
>When I set all INPUT to ACCEPT then it works. So there is no problem with
>SNMP and MRTG but with my iptables config :/
>
>
>I use:
>NET-SNMP version: 5.0.7
>iptables v1.2.6a
>
>This is my iptables config:
>
>
># Connection tracking (needed for the ESTABLISHED,RELATED rules below)
># and the FTP helper that lets FTP data connections through.
>insmod ip_conntrack
>insmod ip_conntrack_ftp
>
># Default policies: drop anything not explicitly accepted on INPUT and FORWARD.
>iptables -P FORWARD DROP
>iptables -P INPUT DROP
>iptables -P OUTPUT ACCEPT
>
># Packets belonging to (or related to) connections this host has already
># seen are accepted; everything else must match a rule below.
>iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>iptables -A INPUT -p tcp -m multiport --dport 22 -j ACCEPT
># Services offered on the internal interface (eth1) only: FTP, HTTP, SNMP, Squid.
>iptables -A INPUT -i eth1 -p tcp -m multiport --dport 21,80,161,3128 -j ACCEPT
>iptables -A INPUT -i eth1 -p udp -m multiport --dport 80,67,161 -j ACCEPT
>
>iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>iptables -A FORWARD -i eth1 -p tcp -m multiport --dport 21,22,25,110,1111,6112 -j ACCEPT
>iptables -A FORWARD -i eth1 -p udp -m multiport --dport 53,6112,13073,23083,23073 -j ACCEPT
>
># Rate-limit ping. "-I" inserts at the top of the chain, so the unconditional
># DROP has to be inserted first; the limited ACCEPT inserted afterwards then
># sits above it. Inserted the other way round, the DROP ends up on top and
># no echo-request is ever accepted.
>iptables -I INPUT -p icmp --icmp-type echo-request -s 0.0.0.0/0 -j DROP
>iptables -I INPUT -p icmp --icmp-type echo-request -s 0.0.0.0/0 -m limit --limit 1/s -j ACCEPT
>
>
>#===NAT=================================================================================
>modprobe iptable_nat
># Masquerade everything leaving via the dial-up interface, then enable forwarding.
>iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
>echo 1 > /proc/sys/net/ipv4/ip_forward
>
>
>Will be thankful for any good advice
>
I think that you must accept incoming and outgoing traffic on the lo
(127.0.0.1) device:
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
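Why the lo rule is the fix: the SNMP request MRTG sends to 127.0.0.1:161 leaves through OUTPUT (policy ACCEPT) and re-enters the host on the loopback interface, so in INPUT it arrives on lo, not eth1. Conntrack still classes it as NEW, none of the `-i eth1` rules can match, and the DROP policy applies. The Python model below is an added example and not code from this thread; it walks a constructed copy of the poster's INPUT chain (INPUT chain only, `-I` modelled as insert-at-top, the limit match's token bucket and the kernel's routing stage ignored) for three constructed packets: the local poll before and after the suggested lo rule, a poll from a LAN host on eth1, and an echo-request from ppp0, which the chain as posted drops because the second `-I` lands above the first.

```python
"""Model of iptables INPUT-chain evaluation for the ruleset in this thread.

Added example, not code from the thread. Assumptions: only the INPUT chain
of the filter table is modelled, "-I" always inserts at position 1, the
limit match always matches (no token bucket), and the routing stage that
would reject martian sources before INPUT is ignored.
"""
import shlex

# Constructed copy of the poster's INPUT rules (other chains omitted).
POSTER_RULES = """
iptables -P INPUT DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dport 22 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp -m multiport --dport 21,80,161,3128 -j ACCEPT
iptables -A INPUT -i eth1 -p udp -m multiport --dport 80,67,161 -j ACCEPT
iptables -I INPUT -p icmp --icmp-type echo-request -s 0.0.0.0/0 -m limit --limit 1/s -j ACCEPT
iptables -I INPUT -p icmp --icmp-type echo-request -s 0.0.0.0/0 -j DROP
"""

# The rule suggested in the reply, inserted at the top so it is hit first.
LO_RULE = "iptables -I INPUT -i lo -j ACCEPT\n"

# Constructed packets as the INPUT chain sees them ("state" is how conntrack
# classifies the first packet of a flow).
MRTG_LOCAL_POLL = {"iface": "lo", "proto": "udp", "dport": 161, "state": "NEW"}
LAN_POLL = {"iface": "eth1", "proto": "udp", "dport": 161, "state": "NEW"}
PING_FROM_INTERNET = {"iface": "ppp0", "proto": "icmp",
                      "icmp_type": "echo-request", "state": "NEW"}


def build_input_chain(script):
    """Return (policy, rules) for the INPUT chain, honouring -A vs -I order."""
    policy, rules = "ACCEPT", []
    for line in script.strip().splitlines():
        argv = shlex.split(line.strip())
        if not argv or argv[0] != "iptables" or "-t" in argv:
            continue  # not an iptables command, or a nat-table rule
        argv = argv[1:]
        if argv[:2] == ["-P", "INPUT"]:
            policy = argv[2]
            continue
        if argv[:2] not in (["-A", "INPUT"], ["-I", "INPUT"]):
            continue  # other chains are not modelled
        rule = {"iface": None, "proto": None, "dports": None,
                "states": None, "icmp_type": None, "target": None}
        i = 2
        while i < len(argv):
            opt = argv[i]
            arg = argv[i + 1] if i + 1 < len(argv) else None
            if opt == "-i":
                rule["iface"] = arg
            elif opt == "-p":
                rule["proto"] = arg
            elif opt == "--dport":
                rule["dports"] = {int(p) for p in arg.split(",")}
            elif opt == "--state":
                rule["states"] = set(arg.split(","))
            elif opt == "--icmp-type":
                rule["icmp_type"] = arg
            elif opt == "-j":
                rule["target"] = arg
            elif opt not in ("-m", "-s", "--limit"):
                raise ValueError(f"unsupported option {opt!r} in: {line}")
            i += 2  # every option in this subset takes one argument
        if argv[0] == "-A":
            rules.append(rule)
        else:
            rules.insert(0, rule)
    return policy, rules


def verdict(script, pkt):
    """Walk the chain top to bottom; the first matching rule wins, else the policy."""
    policy, rules = build_input_chain(script)
    for r in rules:
        if r["iface"] and r["iface"] != pkt["iface"]:
            continue
        if r["proto"] and r["proto"] != pkt["proto"]:
            continue
        if r["dports"] is not None and pkt.get("dport") not in r["dports"]:
            continue
        if r["states"] is not None and pkt["state"] not in r["states"]:
            continue
        if r["icmp_type"] and pkt.get("icmp_type") != r["icmp_type"]:
            continue
        return r["target"]
    return policy


if __name__ == "__main__":
    for name, pkt in (("MRTG polling 127.0.0.1:161", MRTG_LOCAL_POLL),
                      ("LAN host polling eth1:161", LAN_POLL),
                      ("ping arriving on ppp0", PING_FROM_INTERNET)):
        print(f"{name:28} as posted: {verdict(POSTER_RULES, pkt):6} "
              f"with lo rule: {verdict(POSTER_RULES + LO_RULE, pkt)}")
```

The model shows the local poll going from DROP to ACCEPT once the lo rule is present, while the LAN poll is accepted either way and the ping stays dropped until the two ICMP inserts are issued in the opposite order. The match to rely on is the interface (`-i lo`): a packet that arrived on eth1 can never satisfy it, whatever source address it carries, which is why it is preferable to accepting by `-s 127.0.0.1`.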
Thread overview (4 messages):
2003-08-02  9:36  SNMP and IPTABLES  netfilter_user
2003-08-02 22:36  ` srgqwerty [this message]
Loose matches on Subject:
2003-08-02 11:05  netfilter_user
2003-08-02 13:28  ` Chris Wilson