LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices

Reply
 
Search this Thread
Old 07-03-2012, 07:41 AM   #1
Stroik52
LQ Newbie
 
Registered: Jul 2010
Posts: 9

Rep: Reputation: 0
Iptables not allowing SNMP


I'm having some issues with iptables not allowing SNMPv3 to my server. The server is running RHEL4 x86. I am rather new to managing iptables so I'm unsure what is causing this. What follows is the iptables as they are now. Needless to say IPs for my machines have been replaced with the IPADDR for security reasons.

Code:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:BLOCK - [0:0]
:FILTER - [0:0]
:TRUSTED - [0:0]
-A INPUT -j BLOCK
-A INPUT -j FILTER
-A TRUSTED -s IPADDR -p tcp -m tcp --dport 161:162 -j ACCEPT
-A TRUSTED -s IPADDR -p udp -m udp --dport 161:162 -j ACCEPT
-A TRUSTED -s IPADDR -p tcp -m tcp --dport 161:162 -j ACCEPT
-A TRUSTED -s IPADDR -p udp -m udp --dport 161:162 -j ACCEPT
-A FORWARD -j BLOCK
-A FORWARD -j FILTER
-A OUTPUT -j BLOCK
-A OUTPUT -j FILTER
-A FILTER -p udp -m udp --sport 500 --dport 500 -j TRUSTED
-A FILTER -p udp -m udp --sport 4500 --dport 4500 -j TRUSTED
-A FILTER -p ipv6-crypt -j ACCEPT
-A FILTER -p ipv6-auth -j ACCEPT
-A FILTER -p tcp -m tcp --dport 7736 -j TRUSTED
-A FILTER -p tcp -m tcp --sport 7736 -j TRUSTED
-A FILTER -p tcp -m tcp --dport 22337 -j TRUSTED
-A FILTER -p tcp -m tcp --sport 22337 -j TRUSTED
-A FILTER -p tcp -m tcp --dport 22 -j TRUSTED
-A FILTER -p tcp -m tcp --sport 22 -j TRUSTED
-A FILTER -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FILTER -i ! eth2 -m state --state NEW -j ACCEPT
-A FILTER -j DROP
-A TRUSTED -s IPADDR  -j ACCEPT
-A TRUSTED -s IPADDR  -j ACCEPT
-A TRUSTED -s IPADDR -j ACCEPT
-A TRUSTED -s IPADDR -j ACCEPT
-A TRUSTED -s IPADDR -j ACCEPT
-A TRUSTED -s IPADDR -j ACCEPT
 
Old 07-03-2012, 07:50 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,390

Rep: Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963
"TRUSTED" is a user created table, traffic reaching it will have had to already passed a rule in INPUT, and then another user created table, "FILTER" bit odd, but never mind.

So only traffic hitting these rules is visible:


-A FILTER -p udp -m udp --sport 500 --dport 500 -j TRUSTED
-A FILTER -p udp -m udp --sport 4500 --dport 4500 -j TRUSTED
-A FILTER -p tcp -m tcp --dport 7736 -j TRUSTED
-A FILTER -p tcp -m tcp --sport 7736 -j TRUSTED
-A FILTER -p tcp -m tcp --dport 22337 -j TRUSTED
-A FILTER -p tcp -m tcp --sport 22337 -j TRUSTED
-A FILTER -p tcp -m tcp --dport 22 -j TRUSTED
-A FILTER -p tcp -m tcp --sport 22 -j TRUSTED

and clearly none of those will cover snmp.

Based on the unusual framework you've built up, you would probably want to change


-A TRUSTED -s IPADDR -p tcp -m tcp --dport 161:162 -j ACCEPT
-A TRUSTED -s IPADDR -p udp -m udp --dport 161:162 -j ACCEPT
-A TRUSTED -s IPADDR -p tcp -m tcp --dport 161:162 -j ACCEPT
-A TRUSTED -s IPADDR -p udp -m udp --dport 161:162 -j ACCEPT


to

-A FILTER -p udp -m udp --dport 161:162 -j TRUSTED

presuming that this "IPADDR" value is also the same one in the existing "TRUSTED" entry:

-A TRUSTED -s IPADDR -j ACCEPT

and of cours,e delete all those extra identical entries in "TRUSTED"
 
Old 07-03-2012, 08:19 AM   #3
Stroik52
LQ Newbie
 
Registered: Jul 2010
Posts: 9

Original Poster
Rep: Reputation: 0
This worked out. Thanks a bunch!
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
IPTables :: Allowing passive FTP Swakoo Linux - Security 4 04-19-2007 10:26 PM
iptables selectively allowing ports through mrsteveman1 Linux - Networking 1 06-21-2006 09:50 AM
iptables allowing a range adm1329 Linux - Networking 2 02-01-2005 01:04 PM
Iptables not allowing outbound https john8675309 Linux - Software 3 09-13-2004 10:41 PM
iptables not allowing domain connection Dogface1SG Linux - Networking 2 11-08-2003 12:03 PM


All times are GMT -5. The time now is 09:16 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration