Robert Spangler on 8 Apr 2011 23:26:59 -0700

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] Advise on SNMP config on RHEL 5 needed; iptables command?

On Friday 08 April 2011 11:39, the following was written:

>  target     prot opt source    destination
>  ACCEPT     all  --
>  REJECT     all  --    reject-with
> icmp-host-prohibited 
> --------------- 
>  I don't see anything allowing UDP 161/162. So I would need to do:

Neither did I

>  iptables -A RH-Firewall-1-INPUT -p udp s -m udp --dport
>  161 -j ACCEPT
>  So it would only accept SNMP requests from the IP address

Not really.  the '-A' add the rule to the end of the chain and in your case 
after the REJECT line which means it would never be seen.

There are a couple of way to do this properly.

1. Use 'iptbales -L --line-number' to also see the line numbering of the rules 
in the chain.  This way you can add the line before the drop, or any other 
rule for that matter, with:

iptables -I <line number where you want it added> RH-Firewall-1-INPUT.....

2.  Use 'service iptbales save' to save the running firewall then edit the 
file '/etc/sysconfig/iptables' by hand and add the rule to the place you want 
it and then restart the firewall with 'service iptables restart'.

Option 2 is what I do.

I do see something that I would question and that would be the first rule in 
the RH chain.  It looks to be accepting everything so this makes the other 
rules useless along with the firewall as nothing is being blocked.  Which 
then I would ask what is blocking the snmp port on this system or if snmp is 
running on the system which can be checked with 'service snmpd status'.

Policy being set to ACCEPT and also mixing connection base and state based 
rules is not a good idea.  I never really liked the way RH configured the 
firewall as you might be able to tell. :)  Yeah I have been using it or a 
clone since the early days of RH.



The adventure of a lifetime.

Linux User #296285
Get Counted
Philadelphia Linux Users Group         --
Announcements -
General Discussion  --