[SOLVED] Iptables not allowing SNMP

Stroik52 · 07-03-2012, 07:41 AM

I'm having some issues with iptables not allowing SNMPv3 to my server. The server is running RHEL4 x86. I am rather new to managing iptables so I'm unsure what is causing this. What follows is the iptables as they are now. Needless to say IPs for my machines have been replaced with the IPADDR for security reasons.

Code:

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:BLOCK - [0:0]
:FILTER - [0:0]
:TRUSTED - [0:0]
-A INPUT -j BLOCK
-A INPUT -j FILTER
-A TRUSTED -s IPADDR -p tcp -m tcp --dport 161:162 -j ACCEPT
-A TRUSTED -s IPADDR -p udp -m udp --dport 161:162 -j ACCEPT
-A TRUSTED -s IPADDR -p tcp -m tcp --dport 161:162 -j ACCEPT
-A TRUSTED -s IPADDR -p udp -m udp --dport 161:162 -j ACCEPT
-A FORWARD -j BLOCK
-A FORWARD -j FILTER
-A OUTPUT -j BLOCK
-A OUTPUT -j FILTER
-A FILTER -p udp -m udp --sport 500 --dport 500 -j TRUSTED
-A FILTER -p udp -m udp --sport 4500 --dport 4500 -j TRUSTED
-A FILTER -p ipv6-crypt -j ACCEPT
-A FILTER -p ipv6-auth -j ACCEPT
-A FILTER -p tcp -m tcp --dport 7736 -j TRUSTED
-A FILTER -p tcp -m tcp --sport 7736 -j TRUSTED
-A FILTER -p tcp -m tcp --dport 22337 -j TRUSTED
-A FILTER -p tcp -m tcp --sport 22337 -j TRUSTED
-A FILTER -p tcp -m tcp --dport 22 -j TRUSTED
-A FILTER -p tcp -m tcp --sport 22 -j TRUSTED
-A FILTER -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FILTER -i ! eth2 -m state --state NEW -j ACCEPT
-A FILTER -j DROP
-A TRUSTED -s IPADDR  -j ACCEPT
-A TRUSTED -s IPADDR  -j ACCEPT
-A TRUSTED -s IPADDR -j ACCEPT
-A TRUSTED -s IPADDR -j ACCEPT
-A TRUSTED -s IPADDR -j ACCEPT
-A TRUSTED -s IPADDR -j ACCEPT

acid_kewpie · 07-03-2012, 07:50 AM

"TRUSTED" is a user created table, traffic reaching it will have had to already passed a rule in INPUT, and then another user created table, "FILTER" bit odd, but never mind.

So only traffic hitting these rules is visible:

-A FILTER -p udp -m udp --sport 500 --dport 500 -j TRUSTED
-A FILTER -p udp -m udp --sport 4500 --dport 4500 -j TRUSTED
-A FILTER -p tcp -m tcp --dport 7736 -j TRUSTED
-A FILTER -p tcp -m tcp --sport 7736 -j TRUSTED
-A FILTER -p tcp -m tcp --dport 22337 -j TRUSTED
-A FILTER -p tcp -m tcp --sport 22337 -j TRUSTED
-A FILTER -p tcp -m tcp --dport 22 -j TRUSTED
-A FILTER -p tcp -m tcp --sport 22 -j TRUSTED

and clearly none of those will cover snmp.

Based on the unusual framework you've built up, you would probably want to change

-A TRUSTED -s IPADDR -p tcp -m tcp --dport 161:162 -j ACCEPT
-A TRUSTED -s IPADDR -p udp -m udp --dport 161:162 -j ACCEPT
-A TRUSTED -s IPADDR -p tcp -m tcp --dport 161:162 -j ACCEPT
-A TRUSTED -s IPADDR -p udp -m udp --dport 161:162 -j ACCEPT

to

-A FILTER -p udp -m udp --dport 161:162 -j TRUSTED

presuming that this "IPADDR" value is also the same one in the existing "TRUSTED" entry:

-A TRUSTED -s IPADDR -j ACCEPT

and of cours,e delete all those extra identical entries in "TRUSTED"

Stroik52 · 07-03-2012, 08:19 AM

This worked out. Thanks a bunch!