IP Tables - Can't access devices when IP Tables are active

DateMike
Posts: 26
Joined: 2016/12/07 06:24:03

IP Tables - Can't access devices when IP Tables are active

Post by DateMike » 2017/02/06 05:50:22

Hi Guys,

Looking for some help here,

I'm trying to access devices from my Centos 6.7 Server, specifically via SNMP.

When my IP Tables are active I can't access the SNMP of the device but I can ping it, when IP Tables are disabled SNMP works fine.

See IPtables below:

:INPUT DROP [1:328]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1:152]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 12001 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 12002 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 12003 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 12004 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 12005 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 12006 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 12009 -j ACCEPT
-A INPUT -p udp -m udp --dport 162 -j ACCEPT
-A INPUT -p udp -m udp --dport 161 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5432 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT

With iptables on:

snmpwalk -v 2c -c public 10.0.0.51
Timeout: No Response from 10.0.0.51

With iptables off:

snmpwalk -v 2c -c public 10.0.0.51
SNMPv2-MIB::sysDescr.0 = STRING: Device Description
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.3184.1.14
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (84772) 0:14:07.72
SNMPv2-MIB::sysContact.0 = STRING:
SNMPv2-MIB::sysName.0 = STRING: Device Name
SNMPv2-MIB::sysLocation.0 = STRING:
SNMPv2-MIB::sysServices.0 = INTEGER: 7

Any ideas on how to get it working with iptables running?

Thanks,

jlehtone
Posts: 2379
Joined: 2007/12/11 08:17:33
Location: Finland

Re: IP Tables - Can't access devices when IP Tables are active

Post by jlehtone » 2017/02/06 09:45:34

On el7 the firewalld has two snmp* service definitions:

$ sudo firewall-cmd --info-service=snmp
snmp
  ports: 161/tcp 161/udp
  protocols: 
  source-ports: 
  modules: 
  destination: 
$ sudo firewall-cmd --info-service=snmptrap
snmptrap
  ports: 162/tcp 162/udp
  protocols: 
  source-ports: 
  modules: 
  destination: 

You do have both ports 161 and 162 open for UDP, while the definitions above open both UDP and TCP.

One debug technique is to listen on an interface (with tcpdump, etc.) while a connection is attempted; you will see the incoming packets and their destination before netfilter.

DateMike
Posts: 26
Joined: 2016/12/07 06:24:03

Re: IP Tables - Can't access devices when IP Tables are active

Post by DateMike » 2017/02/06 10:44:55

Hi jlehtone,

I added the ports via TCP as well to the iptables with no changed results.

Cheers,

TrevorH
Forum Moderator
Posts: 26915
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: IP Tables - Can't access devices when IP Tables are active

Post by TrevorH » 2017/02/06 11:23:42

What I notice is that your rules are upside down and the last two should really be first.

-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

Those two should be at the top of the list.

In addition, I'd recommend adding -m state --state NEW to all your other rules so that they match in future off the RELATED,ESTABLISHED one at the top.
CentOS 5 died in March 2017 - migrate NOW!
CentOS 6 goes EOL sooner rather than later, get upgrading!
Full time Geek, part time moderator. Use the FAQ Luke
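To check the ordering advice above (and jlehtone's point about TCP 161) without loading anything into a live firewall, here is an added example that is not code from the thread: a small first-match simulator for the INPUT chain of an iptables-save dump. It understands only the matches used in the posted rules (-p, -i, --dport, --state); the packet dicts and the abbreviated ruleset are constructed from the first post.

```python
# Added example, not code from the thread. Understands only -p, -i, --dport, --state.
# Abbreviated copy of the ruleset from the first post (constructed sample input).
POSTED_RULES = """\
:INPUT DROP [1:328]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1:152]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 162 -j ACCEPT
-A INPUT -p udp -m udp --dport 161 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""

def parse(text):
    """Return ({chain: policy}, [rule dicts]) from iptables-save text."""
    policy, rules = {}, []
    for line in text.splitlines():
        tok = line.split()
        if line.startswith(":"):                 # ":INPUT DROP [pkts:bytes]"
            policy[tok[0][1:]] = tok[1]
        elif line.startswith("-A "):
            rule = {"chain": tok[1], "target": tok[tok.index("-j") + 1]}
            for flag, key in (("-p", "proto"), ("-i", "iface"),
                              ("--dport", "dport"), ("--state", "states")):
                if flag in tok:
                    rule[key] = tok[tok.index(flag) + 1]
            rules.append(rule)
    return policy, rules

def _matches(rule, pkt):
    """A match option that is absent from the rule matches any packet."""
    return (rule.get("proto", pkt["proto"]) == pkt["proto"]
            and rule.get("iface", pkt.get("iface")) == pkt.get("iface")
            and int(rule.get("dport", pkt.get("dport", 0))) == pkt.get("dport", 0)
            and pkt["state"] in rule.get("states", pkt["state"]).split(","))

def verdict(text, pkt, chain="INPUT"):
    """First matching rule for pkt: (target, rule index), else (chain policy, None)."""
    policy, rules = parse(text)
    for i, r in enumerate(rules):
        if r["chain"] == chain and _matches(r, pkt):
            return r["target"], i
    return policy[chain], None

# The reply to the server's own snmpwalk: UDP from the device to an ephemeral
# port on the server, already ESTABLISHED in conntrack (constructed packet).
SNMP_REPLY = {"proto": "udp", "iface": "eth0", "dport": 40123, "state": "ESTABLISHED"}
```

With the posted order the reply is accepted only at the last rule, after every port rule has been evaluated; moving the RELATED,ESTABLISHED rule to the top makes it rule 0, and a NEW TCP packet to port 161 falls through to the DROP policy, which is what jlehtone's firewalld comparison was about.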

DateMike
Posts: 26
Joined: 2016/12/07 06:24:03

Re: IP Tables - Can't access devices when IP Tables are active

Post by DateMike » 2017/02/07 05:34:02

Hi Trevor,

Do you mean like this?

:INPUT DROP [1:328]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1:152]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -m state --state NEW -p tcp -m tcp --dport 12001 -j ACCEPT
-A INPUT -m state --state NEW -p tcp -m tcp --dport 12002 -j ACCEPT
-A INPUT -m state --state NEW -p tcp -m tcp --dport 12003 -j ACCEPT
-A INPUT -m state --state NEW -p tcp -m tcp --dport 12004 -j ACCEPT
-A INPUT -m state --state NEW -p tcp -m tcp --dport 12005 -j ACCEPT
-A INPUT -m state --state NEW -p tcp -m tcp --dport 12006 -j ACCEPT
-A INPUT -m state --state NEW -p tcp -m tcp --dport 12009 -j ACCEPT
-A INPUT -m state --state NEW -p udp -m udp --dport 162 -j ACCEPT
-A INPUT -m state --state NEW -p tcp -m tcp --dport 162 -j ACCEPT
-A INPUT -m state --state NEW -p udp -m udp --dport 161 -j ACCEPT
-A INPUT -m state --state NEW -p tcp -m tcp --dport 161 -j ACCEPT
-A INPUT -m state --state NEW -p tcp -m tcp --dport 5432 -j ACCEPT
-A INPUT -m state --state NEW -p icmp -m icmp --icmp-type any -j ACCEPT

Cheers,

TrevorH
Forum Moderator
Posts: 26915
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: IP Tables - Can't access devices when IP Tables are active

Post by TrevorH » 2017/02/07 07:34:26

Yes.

DateMike
Posts: 26
Joined: 2016/12/07 06:24:03

Re: IP Tables - Can't access devices when IP Tables are active

Post by DateMike » 2017/02/07 08:44:46

Hi Trevor,

I have updated the iptables as above, however still unable to connect to snmp of devices with IPtables up.

Regards,

TrevorH
Forum Moderator
Posts: 26915
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: IP Tables - Can't access devices when IP Tables are active

Post by TrevorH » 2017/02/07 09:29:39

And netstat -antup | grep :161 says what?

DateMike
Posts: 26
Joined: 2016/12/07 06:24:03

Re: IP Tables - Can't access devices when IP Tables are active

Post by DateMike » 2017/02/07 10:55:21

udp        0      0 0.0.0.0:161                 0.0.0.0:*                               32426/snmpd

TrevorH
Forum Moderator
Posts: 26915
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: IP Tables - Can't access devices when IP Tables are active

Post by TrevorH » 2017/02/07 12:01:30

Do you have rules in the OUTPUT chain as well?
