Robert Spangler on 8 Apr 2011 23:26:59 -0700



Re: [PLUG] Advise on SNMP config on RHEL 5 needed; iptables command?


On Friday 08 April 2011 11:39, the following was written:

>  target     prot opt source    destination
>  ACCEPT     all  --  0.0.0.0/0 0.0.0.0/0
[...]
>  REJECT     all  --  0.0.0.0/0 0.0.0.0/0    reject-with
> icmp-host-prohibited 
> --------------- 
>
>  I don't see anything allowing UDP 161/162. So I would need to do:

Neither did I

>  iptables -A RH-Firewall-1-INPUT -p udp -s xxx.xxx.xxx.xxx -m udp --dport
>  161 -j ACCEPT
>  
>  So it would only accept SNMP requests from the IP address xxx.xxx.xxx.xxx?

Not really.  The '-A' adds the rule to the end of the chain, and in your case 
after the REJECT line, which means it would never be seen.

There are a couple of ways to do this properly.

1. Use 'iptables -L --line-numbers' to also see the line numbering of the rules 
in the chain.  This way you can add the line before the drop, or any other 
rule for that matter, with:

iptables -I <line number where you want it added> RH-Firewall-1-INPUT.....


2.  Use 'service iptables save' to save the running firewall, then edit the 
file '/etc/sysconfig/iptables' by hand and add the rule in the place you want 
it, and then restart the firewall with 'service iptables restart'.

Option 2 is what I do.

I do see something that I would question, and that would be the first rule in 
the RH chain.  It looks to be accepting everything, so this makes the other 
rules useless, along with the firewall, as nothing is being blocked.  So then 
I would ask what is blocking the SNMP port on this system, or whether snmpd is 
running on the system, which can be checked with 'service snmpd status'.

Having the policy set to ACCEPT, and also mixing connection-based and state-based 
rules, is not a good idea.  I never really liked the way RH configured the 
firewall, as you might be able to tell. :)  Yeah, I have been using it or a 
clone since the early days of RH.


-- 

Regards
Robert

Linux
The adventure of a lifetime.

Linux User #296285
Get Counted
http://counter.li.org/
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
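An added example, not part of the thread, showing option 1 from the reply worked out in a shell function: it reads the numbered chain listing, finds the final REJECT, and builds the matching 'iptables -I' command so the SNMP rule lands in front of it rather than behind it. The listing is constructed sample output in the format of 'iptables -L RH-Firewall-1-INPUT -n --line-numbers', 192.0.2.10 stands in for the manager address, and the function names are mine.

```shell
#!/bin/sh
# Constructed sample listing in the 'iptables -L <chain> -n --line-numbers'
# format; on a real host replace it with the live command's output.
SAMPLE_LISTING='Chain RH-Firewall-1-INPUT (2 references)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited'

# Print the rule number of the first REJECT or DROP rule in the listing,
# which is the slot to insert in front of. Prints nothing if there is none.
first_reject_num() {
    printf '%s\n' "$1" |
        awk '$1 ~ /^[0-9]+$/ && ($2 == "REJECT" || $2 == "DROP") { print $1; exit }'
}

# Build the insert command for UDP/161 limited to one manager address.
# $1 = chain listing, $2 = manager IP. Fails if no REJECT/DROP is present,
# in which case appending with -A would be correct anyway.
snmp_insert_cmd() {
    n=$(first_reject_num "$1")
    [ -n "$n" ] || return 1
    printf 'iptables -I RH-Firewall-1-INPUT %s -p udp -s %s -m udp --dport 161 -j ACCEPT\n' "$n" "$2"
}

# Flag the situation the reply questions: rule 1 is ACCEPT all, any source,
# any destination, with no extra match, so no later rule is ever consulted.
first_rule_accepts_everything() {
    printf '%s\n' "$1" |
        awk '$1 == "1" && $2 == "ACCEPT" && $3 == "all" &&
             $5 == "0.0.0.0/0" && $6 == "0.0.0.0/0" && NF == 6 { found = 1 }
             END { exit !found }'
}

# Usage with the constructed listing and the placeholder manager address.
snmp_insert_cmd "$SAMPLE_LISTING" 192.0.2.10
first_rule_accepts_everything "$SAMPLE_LISTING" && echo "rule 1 accepts everything"
```

Before acting on the rule-1 check, list the chain with -v as well: without -v an interface match such as '-i lo' is not shown, so a loopback-only rule prints exactly like an accept-everything rule.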