Linux Netfilter discussions
* SNMP and IPTABLES
@ 2003-08-02  9:36 netfilter_user
  2003-08-02 22:36 ` srgqwerty
  0 siblings, 1 reply; 4+ messages in thread
From: netfilter_user @ 2003-08-02  9:36 UTC (permalink / raw)
  To: netfilter

hello everyone,

This is my problem:

The gateway in my network is a PC with Linux (Slackware 8.1), and
also on this machine is installed MRTG, which listens for SNMP. I want to use SNMP
only in the local (internal) network. I know that SNMP
uses ports 161 and 162. There are no problems with communication between
the Linux machine and local hosts via SNMP.

BUT: the problem is when MRTG tries to receive SNMP information from the
same machine it is installed on (MRTG is installed on the Linux machine,
the gateway). I don't know why, because I set:

iptables -A INPUT -i eth1 -p tcp -m multiport --dport 21,80,161,3128 -j ACCEPT
iptables -A INPUT -i eth1 -p udp -m multiport --dport 80,67,161 -j ACCEPT

...and it should resolve the problem... but it won't.

!!!!!THIS IS IMPORTANT!!!!
When I set INPUT to ACCEPT everything, it works. So there is no problem with
SNMP and MRTG but with my iptables config :/

                                         
I use:
NET-SNMP version:  5.0.7
iptables v1.2.6a

This is my iptables config:


insmod ip_conntrack
insmod ip_conntrack_ftp

iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dport 22 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp -m multiport --dport 21,80,161,3128 -j ACCEPT
iptables -A INPUT -i eth1 -p udp -m multiport --dport 80,67,161 -j ACCEPT

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -p tcp -m multiport --dport 21,22,25,110,1111,6112 -j ACCEPT
iptables -A FORWARD -i eth1 -p udp -m multiport --dport 53,6112,13073,23083,23073 -j ACCEPT

# -I puts each rule at the head of the chain, so the rate-limited ACCEPT is inserted last to end up above the DROP
iptables -I INPUT -p icmp --icmp-type echo-request -s 0.0.0.0/0 -j DROP
iptables -I INPUT -p icmp --icmp-type echo-request -s 0.0.0.0/0 -m limit --limit 1/s -j ACCEPT


#===NAT=================================================================================
modprobe iptable_nat
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward


I will be thankful for any good advice.

-- 
Best regards,
   mailto:netfilter_user@o2.pl




* SNMP and IPTABLES
@ 2003-08-02 11:05 netfilter_user
  2003-08-02 13:28 ` Chris Wilson
  0 siblings, 1 reply; 4+ messages in thread
From: netfilter_user @ 2003-08-02 11:05 UTC (permalink / raw)
  To: netfilter

hello everyone,

This is my problem:

The gateway in my network is a PC with Linux (Slackware 8.1), and
also on this machine is installed MRTG, which listens for SNMP. I want to use SNMP
only in the local (internal) network. I know that SNMP
uses ports 161 and 162. There are no problems with communication between
the Linux machine and local hosts via SNMP.

BUT: the problem is when MRTG tries to receive SNMP information from the
same machine it is installed on (MRTG is installed on the Linux machine,
the gateway). I don't know why, because I set:

iptables -A INPUT -i eth1 -p tcp -m multiport --dport 21,80,161,3128 -j ACCEPT
iptables -A INPUT -i eth1 -p udp -m multiport --dport 80,67,161 -j ACCEPT

...and it should resolve the problem... but it won't.

!!!!!THIS IS IMPORTANT!!!!
When I set INPUT to ACCEPT everything, it works. So there is no problem with
SNMP and MRTG but with my iptables config :/

                                         
I use:
NET-SNMP version:  5.0.7
iptables v1.2.6a

This is my iptables config:


insmod ip_conntrack
insmod ip_conntrack_ftp

iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dport 22 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp -m multiport --dport 21,80,161,3128 -j ACCEPT
iptables -A INPUT -i eth1 -p udp -m multiport --dport 80,67,161 -j ACCEPT

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -p tcp -m multiport --dport 21,22,25,110,1111,6112 -j ACCEPT
iptables -A FORWARD -i eth1 -p udp -m multiport --dport 53,6112,13073,23083,23073 -j ACCEPT

# -I puts each rule at the head of the chain, so the rate-limited ACCEPT is inserted last to end up above the DROP
iptables -I INPUT -p icmp --icmp-type echo-request -s 0.0.0.0/0 -j DROP
iptables -I INPUT -p icmp --icmp-type echo-request -s 0.0.0.0/0 -m limit --limit 1/s -j ACCEPT


#===NAT=================================================================================
modprobe iptable_nat
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward


I will be thankful for any good advice.

-- 
Best regards,




* Re: SNMP and IPTABLES
  2003-08-02 11:05 netfilter_user
@ 2003-08-02 13:28 ` Chris Wilson
  0 siblings, 0 replies; 4+ messages in thread
From: Chris Wilson @ 2003-08-02 13:28 UTC (permalink / raw)
  To: netfilter_user; +Cc: netfilter

Hello netfilter_user,

> BUT: the problem is when MRTG tries to receive SNMP information from the
> same machine it is installed on (MRTG is installed on the Linux machine,
> the gateway). I don't know why, because I set:
>
> iptables -A INPUT -i eth1 -p tcp -m multiport --dport 21,80,161,3128 -j ACCEPT
> iptables -A INPUT -i eth1 -p udp -m multiport --dport 80,67,161 -j ACCEPT
>
> ...and it should resolve the problem... but it won't.
> 
> !!!!!THIS IS IMPORTANT!!!!
> When I set INPUT to ACCEPT everything, it works. So there is no problem with
> SNMP and MRTG but with my iptables config :/

The kernel will route packets for the local machine over the "lo" device, 
not any ethernet interface. You haven't allowed packets in from the "lo" 
device, which is why SNMP (and probably other things such as pinging 
yourself) won't work.

  iptables -I INPUT -i lo -j ACCEPT

Cheers, Chris.
-- 
   ___ __     _
 / __// / ,__(_)_  | Chris Wilson -- UNIX Firewall Lead Developer |
/ (_ / ,\/ _/ /_ \ | NetServers.co.uk http://www.netservers.co.uk |
\ _//_/_/_//_/___/ | 21 Signet Court, Cambridge, UK. 01223 576516 |




* Re: SNMP and IPTABLES
  2003-08-02  9:36 SNMP and IPTABLES netfilter_user
@ 2003-08-02 22:36 ` srgqwerty
  0 siblings, 0 replies; 4+ messages in thread
From: srgqwerty @ 2003-08-02 22:36 UTC (permalink / raw)
  To: netfilter_user; +Cc: netfilter

netfilter_user wrote:

>hello everyone,
>
>This is my problem:
>
>The gateway in my network is a PC with Linux (Slackware 8.1), and
>also on this machine is installed MRTG, which listens for SNMP. I want to use SNMP
>only in the local (internal) network. I know that SNMP
>uses ports 161 and 162. There are no problems with communication between
>the Linux machine and local hosts via SNMP.
>
>BUT: the problem is when MRTG tries to receive SNMP information from the
>same machine it is installed on (MRTG is installed on the Linux machine,
>the gateway). I don't know why, because I set:
>
>iptables -A INPUT -i eth1 -p tcp -m multiport --dport 21,80,161,3128 -j ACCEPT
>iptables -A INPUT -i eth1 -p udp -m multiport --dport 80,67,161 -j ACCEPT
>
>...and it should resolve the problem... but it won't.
>
>!!!!!THIS IS IMPORTANT!!!!
>When I set INPUT to ACCEPT everything, it works. So there is no problem with
>SNMP and MRTG but with my iptables config :/
>
>                                         
>I use:
>NET-SNMP version:  5.0.7
>iptables v1.2.6a
>
>This is my iptables config:
>
>
>insmod ip_conntrack
>insmod ip_conntrack_ftp
>
>iptables -P FORWARD DROP
>iptables -P INPUT DROP
>iptables -P OUTPUT ACCEPT
>
>iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>iptables -A INPUT -p tcp -m multiport --dport 22 -j ACCEPT
>iptables -A INPUT -i eth1 -p tcp -m multiport --dport 21,80,161,3128 -j ACCEPT
>iptables -A INPUT -i eth1 -p udp -m multiport --dport 80,67,161 -j ACCEPT
>
>iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>iptables -A FORWARD -i eth1 -p tcp -m multiport --dport 21,22,25,110,1111,6112 -j ACCEPT
>iptables -A FORWARD -i eth1 -p udp -m multiport --dport 53,6112,13073,23083,23073 -j ACCEPT
>
># -I puts each rule at the head of the chain, so the rate-limited ACCEPT is inserted last to end up above the DROP
>iptables -I INPUT -p icmp --icmp-type echo-request -s 0.0.0.0/0 -j DROP
>iptables -I INPUT -p icmp --icmp-type echo-request -s 0.0.0.0/0 -m limit --limit 1/s -j ACCEPT
>
>
>#===NAT=================================================================================
>modprobe iptable_nat
>iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
>echo 1 > /proc/sys/net/ipv4/ip_forward
>
>
>I will be thankful for any good advice.
>
I think that you must accept incoming and outgoing traffic on the lo 
(127.0.0.1) device:

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT



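Both replies point at the same gap: a packet the gateway sends to itself is delivered over lo, so none of the "-i eth1" ACCEPT rules in the INPUT chain above match it and it falls to the DROP policy. The script below is an added example, not code from the thread or from either poster. It audits an iptables-save style dump for an INPUT rule that accepts on lo and, where the rule is missing, inserts one at the head of the chain, which is what "iptables -I INPUT -i lo -j ACCEPT" does on a live box. The embedded dump is a constructed sample modelled on the poster's INPUT chain (the exact iptables-save rendering is an assumption); the script only processes text and never calls iptables, so it runs unprivileged.

```shell
#!/bin/sh
# Added example, not code from the thread: audit an iptables-save style dump
# for an INPUT rule that accepts packets arriving on the loopback device, and
# insert one at the head of the chain when it is missing. Pure text processing;
# nothing here invokes iptables, so it runs unprivileged.

# Constructed sample: the poster's INPUT chain as iptables-save would render it
# (the rendering is an assumption; the rules and the DROP policy are the poster's).
ORIGINAL_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -j ACCEPT
-A INPUT -i eth1 -p tcp -m multiport --dports 21,80,161,3128 -j ACCEPT
-A INPUT -i eth1 -p udp -m multiport --dports 80,67,161 -j ACCEPT
COMMIT'

# Exit 0 when some INPUT rule matches the loopback interface and jumps to ACCEPT.
chain_accepts_lo() {
    printf '%s\n' "$1" | grep -Eq '^-A INPUT( .*)? -i lo( .*)? -j ACCEPT$'
}

# 1-based position of the first loopback ACCEPT among the INPUT rules, 0 if none.
# Position matters: under first-match, a DROP placed earlier in the chain wins.
lo_rule_position() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT / { n++; if (!pos && $0 ~ / -i lo( .*)? -j ACCEPT$/) pos = n }
        END { print pos + 0 }'
}

# Insert the loopback rule before the first existing INPUT rule (or before
# COMMIT when the chain has no rules): the dump-level equivalent of
#   iptables -I INPUT -i lo -j ACCEPT
add_lo_rule() {
    printf '%s\n' "$1" | awk '
        (/^-A INPUT / || /^COMMIT$/) && !done { print "-A INPUT -i lo -j ACCEPT"; done = 1 }
        { print }'
}

# Demonstration on the constructed dump; on a live gateway pass "$(iptables-save)".
if chain_accepts_lo "$ORIGINAL_DUMP"; then
    echo "loopback ACCEPT present at INPUT rule $(lo_rule_position "$ORIGINAL_DUMP")"
else
    echo "no loopback ACCEPT in INPUT: an SNMP poll of 127.0.0.1 arrives on lo and falls to the DROP policy"
    add_lo_rule "$ORIGINAL_DUMP"
fi
```

The rule goes at the head of the chain on purpose: a later "-i eth1" rule can never match loopback traffic, but any DROP placed above the lo rule would. The matching "-o lo" rule on OUTPUT that srgqwerty adds is harmless here because the poster's OUTPUT policy is already ACCEPT; it only becomes necessary if that policy is later tightened.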
