Good afternoon. I am trying to redirect packets that go from an old monitoring server to a new SNMP monitoring server. Instead of reconfiguring hundreds of devices, I would just like to send the original packets, with the original source information, to the new monitoring system, keeping the original source IP. Wouldn't the below just change the destination IP once it hits my server?
Not sure how I get iptables to perform the redirect/forwarding function. I cannot seem to get it to work forwarding from port 162 to the new destination IP/port 162:
[root@monitor ~]$ sudo /sbin/iptables -t nat -A PREROUTING -i bond0 -p udp --dport 162 -j DNAT --to-destination 1.1.1.1:162
RESULTS
-------------------------
Chain PREROUTING (policy ACCEPT 16M packets, 827M bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT udp -- bond0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:162 to:1.1.1.1:162
...............
[root@monitor ~]$ sudo /sbin/iptables -t nat -A PREROUTING -i bond0 -p udp --dport 162 -j DNAT --to-destination 1.1.1.1
Chain PREROUTING (policy ACCEPT 17M packets, 850M bytes)
pkts bytes target prot opt in out source destination
6056 770K DNAT udp -- bond0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:162 to:1.1.1.1
Chain POSTROUTING (policy ACCEPT 502M packets, 45G bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 502M packets, 45G bytes)
pkts bytes target prot opt in out source destination
[root@monitor ~]$ uname -a
Linux nms1.monitor 2.6.18-194.17.4.el5PAE #1 SMP Mon Oct 25 16:35:27 EDT 2010 i686 i686 i386 GNU/Linux
As you can see, there is nothing else set up in iptables. What am I doing wrong? Thank you.
Sincerely,
George
Have you thought of switching IPs so the new one gets the old one's?
Another alternative would be an ssh tunnel, but it's a bit tricky if it closes, which sometimes can happen a bit unexpectedly.
> Instead of reconfiguring hundreds of devices, would just like to send the
> original packets with the original source information to the new
> monitoring system keeping the original source IP. Wouldn't the below
> just change the destination IP once it hits my server?
>
> Not sure how I get iptables to perform the redirect/forwarding
> function. Cannot seem to get it to work forwarding from port 162 to
> the new destination IP/port 162:
>
>
> [root@monitor ~]$ sudo /sbin/iptables -t nat -A PREROUTING -i bond0 -p udp --dport 162 -j DNAT --to-destination 1.1.1.1:162
Just a question: if you are already root, why do you use sudo?
When I have used port redirection, I have always used two iptables rules:
iptables -t nat -A PREROUTING -i bond0 -p udp -m udp --dport 162 -j DNAT --to-destination 1.1.1.1:162
iptables -A INPUT -i bond0 -p udp -m udp --dport 162 -j ACCEPT
Can't tell you why and such; iptables has never been my best side, I just copy-paste from old Firestarter rules.
--
//Aho
Kind regards
Jan
> Chain PREROUTING (policy ACCEPT 17M packets, 850M bytes)
> pkts bytes target prot opt in out source destination
> 6056 770K DNAT udp -- bond0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:162 to:1.1.1.1
>
> Chain POSTROUTING (policy ACCEPT 502M packets, 45G bytes)
> pkts bytes target prot opt in out source destination
>
> Chain OUTPUT (policy ACCEPT 502M packets, 45G bytes)
> pkts bytes target prot opt in out source destination
There's still chain FORWARD in table filter, the routing table and /proc/sys/net/ipv4/ip_forward to take care of...
Martin
J.O. Aho wrote:
>
> When I have used port redirection, always used two iptables rules
>
> iptables -t nat -A PREROUTING -i bond0 -p udp -m udp --dport 162 -j DNAT --to-destination 1.1.1.1:162
> iptables -A INPUT -i bond0 -p udp -m udp --dport 162 -j ACCEPT
If the new destination is remote, then the correct chain for the second
rule must be FORWARD, not INPUT. However it is not needed if there is no
filtering.
Commands (since I did not log in as root)
----------------------------------------------------------
[user@test ~]$ sudo /sbin/iptables -t nat -A PREROUTING -i bond0 -p udp -m udp --dport 162 -j DNAT --to-destination 1.1.1.1:162
[user@test ~]$ sudo /sbin/iptables -A INPUT -i bond0 -p udp -m udp --dport 162 -j ACCEPT
ENTIRE IPTABLES CONTENT:
--------------------------------------------
[user@test ~]$ sudo /sbin/iptables -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 19M packets, 936M bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT udp -- bond0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:162 to:1.1.1.1:162
Chain POSTROUTING (policy ACCEPT 585M packets, 52G bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 585M packets, 52G bytes)
pkts bytes target prot opt in out source destination
Should I have been able to see something in iptables -L regarding the
INPUT? Thanks.
Sincerely,
George
> [user@test ~]$ sudo /sbin/iptables -t nat -A PREROUTING -i bond0 -p udp -m udp --dport 162 -j DNAT --to-destination 1.1.1.1:162
> [user@test ~]$ sudo /sbin/iptables -A INPUT -i bond0 -p udp -m udp --dport 162 -j ACCEPT
Your first post made it sound like 1.1.1.1 is a different machine in which
case you should read my previous reply. Regarding the missing rule:
> [user@test ~]$ sudo /sbin/iptables -t nat -L -n -v
This only lists table "nat". If you want to list table "filter" you need "iptables -L" or "iptables -t filter -L".
If you're interested in more details, you might want to read the section "How to configure NAT" in http://www.frogge.de/pepper/linux/linuxrouter_config.html .
Martin
Good morning. Here is the entire table. But this was after performing the following, and I still did not see the packets get forwarded when checking the outgoing port:
SETUP ON FORWARDING-SERVER
------------------------
[root@test ~]$ sudo /sbin/iptables -A PREROUTING -t nat -p udp --dport 162 -j DNAT --to y.y.y.y:162
[root@test ~]$ sudo /sbin/iptables -A FORWARD -p udp --dport 162 -d y.y.y.y -j ACCEPT
THIS DID NOT HELP EITHER:
------------------------
[root@test ~]$ sudo /sbin/iptables -A INPUT -i bond0 -p udp -m udp --dport 162 -j ACCEPT
[root@test ~]$ sudo /sbin/iptables -L -n -v -t nat
Chain PREROUTING (policy ACCEPT 19M packets, 953M bytes)
pkts bytes target prot opt in out source destination
17 2708 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:162 to:y.y.y.y:162
MONITORING FROM FORWARDING-SERVER TO HOST y.y.y.y
------------------------------------------------------------------
[root@test ~]$ sudo /usr/sbin/tcpdump host y.y.y.y
tcpdump: WARNING: eth0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
<- DOES NOT GIVE INFO AFTER THIS
0 packets captured
3 packets received by filter
0 packets dropped by kernel
FULL TABLE
--------------------------------------------------------------------------------------------------
[root@test ~]$ sudo /sbin/iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
BLAH tcp -- anywhere anywhere tcp dpt:xxxxx
P tcp -- anywhere anywhere tcp dpt:xxxx
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- sr--sdxx anywhere
ACCEPT all -- sr--dirxx anywhere
ACCEPT udp -- x.name.net anywhere udp dpt:snmp
ACCEPT all -- xx.name.net anywhere
ACCEPT all -- xx.name.net anywhere
ACCEPT tcp -- name.net anywhere tcp dpt:http
ACCEPT all -- xx-xx-xx-xxx. anywhere
ACCEPT all -- xx.xxx.xx.xxx anywhere
ACCEPT all -- xx.name.net anywhere
ACCEPT all -- xxx.xxx.xxx.xxx/xx anywhere
ACCEPT all -- t.name.net anywhere
ACCEPT all -- t.name.net anywhere
ACCEPT all -- t.name.net anywhere
ACCEPT all -- t.name.net anywhere
ACCEPT all -- t.name.net anywhere
ACCEPT all -- t.name.net anywhere
ACCEPT all -- xxx.xxx.x.xx anywhere
ACCEPT all -- xx.xxx.xxx.x/xx anywhere
ACCEPT all -- xx.xxx.xxx.x/xx anywhere
ACCEPT all -- xx.xx.xxx.xxx/xx anywhere
ACCEPT all -- xx.xx.xxx.xxx/xx anywhere
ACCEPT all -- xx.xx.xxx.xxx/xx anywhere
ACCEPT all -- xx.xx.xxx.xxx/xx anywhere
ACCEPT all -- adsl-xxx-xx-xxx-xx.net anywhere
ACCEPT all -- adsl-xxx-xx-xxx-xx.net anywhere
ACCEPT all -- s.name.net anywhere
ACCEPT all -- s.name.net anywhere
ACCEPT all -- n.name.net anywhere
ACCEPT all -- n.name.net anywhere
ACCEPT all -- m.name.net anywhere
ACCEPT all -- n.name.net anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- admin anywhere tcp dpt:http
ACCEPT tcp -- admin anywhere tcp dpt:http
ACCEPT tcp -- admin anywhere tcp dpt:https
ACCEPT tcp -- admin anywhere tcp dpt:https
ACCEPT tcp -- xx.name.net anywhere tcp dpt:postgres
ACCEPT tcp -- x.name.net anywhere tcp dpt:postgres
ACCEPT tcp -- x.name.net anywhere tcp dpt:mysql
ACCEPT all -- t.name.net anywhere
ACCEPT all -- t.name.net anywhere
ACCEPT all -- xx anywhere
ACCEPT all -- xx.xxx.xxx.x/xx anywhere
ACCEPT all -- xx.xxx.xxx.x/xx anywhere
ACCEPT all -- s.name.net anywhere
ACCEPT udp -- f.name.net anywhere udp dpt:davsrc
ACCEPT tcp -- xx.xxx.xxx.xxx anywhere tcp dpt:http
ACCEPT tcp -- xx.xxx.xxx.xxx anywhere tcp dpt:http
ACCEPT tcp -- xx.xxx.xxx.xxx anywhere tcp dpt:https
ACCEPT tcp -- xx.xxx.xxx.xxx anywhere tcp dpt:https
ACCEPT udp -- xx.name.net anywhere udp dpt:syslog
ACCEPT udp -- xx.name.net anywhere udp dpt:syslog
LOG all -- anywhere anywhere LOG level info prefix `INPUT REJECT '
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
ACCEPT udp -- anywhere anywhere udp dpt:snmptrap
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere xx.xx.xx.xxx udp dpt:snmptrap
ACCEPT udp -- anywhere xx.xx.xx.xxx udp dpt:snmptrap
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
Chain BLAH (x references)
target prot opt source destination
ACCEPT all -- xxx.xxx.xx.xxx/xx anywhere
ACCEPT all -- xxx.xxx.xxx.xxx/xx anywhere
ACCEPT all -- xxx.xx.xxx.xxx/xx anywhere
ACCEPT all -- xx.xxx.xxx.xx anywhere
ACCEPT all -- xx.xx.xxx.xxx/xx anywhere
ACCEPT all -- xx.xxx.xxx.xx/xx anywhere
Chain P (x references)
target prot opt source destination
ACCEPT all -- pool-xx-xxx-xx-xxx-w anywhere
ACCEPT all -- x.name.net anywhere
Chain SNMPTRAP (x references)
target prot opt source destination
ACCEPT all -- xx.xxx.xxx.x/xx anywhere
ACCEPT all -- x.name.net anywhere
ACCEPT all -- xx.xx.xx.x/xx anywhere
ACCEPT all -- xx.xxx.xxx.x/xx anywhere
ACCEPT all -- xx.xx.xxx.x/xx anywhere
ACCEPT all -- xx.xx.x.x/xx anywhere
ACCEPT all -- xx.xxx.xxx.x/xx anywhere
ACCEPT all -- xx.xxx.xx.x/xx anywhere
ACCEPT all -- xxx.xxx.xxx.x/xx anywhere
ACCEPT all -- xx.xxx.xxx.x/xx anywhere
ACCEPT all -- xx.xx.xxx.x/xx anywhere
ACCEPT all -- xx.xx.xxx.x/xx anywhere
ACCEPT all -- xx.xx.xxx.x/xx anywhere
ACCEPT all -- xx.xxx.xxx.x/xx anywhere
ACCEPT all -- xxx.xxx.x.x/xx anywhere
ACCEPT all -- xxx.xx.xx.x/xx anywhere
ACCEPT all -- xx.xxx.xxx.x/xx anywhere
ACCEPT all -- xxx.xx.xxx.x/xx anywhere
ACCEPT all -- xx.xxx.xx.x/xx anywhere
ACCEPT all -- xxx.xxx.xxx.x/xx anywhere
ACCEPT all -- xxx.xxx.xx.x/xx anywhere
> still did not see the packets get forwarding when
> checking the outgoing port:
do you have a route defined in the routing table, and does
/proc/sys/net/ipv4/ip_forward contain the value 1?
Martin
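Martin's replies add up to a four-point checklist for a transparent DNAT forwarder: the DNAT rule in nat PREROUTING, ip_forward set to 1, a filter FORWARD chain that lets the new UDP flow through, and a route to the new destination. The script below is an added example, not code from anyone in this thread; it parses the output of `iptables -t nat -L -n -v`, `iptables -L -n -v`, `/proc/sys/net/ipv4/ip_forward` and `ip route` and reports which of the four is missing. The sample listings are constructed (192.0.2.10 stands in for the thread's 1.1.1.1 / y.y.y.y), and the sample deliberately has ip_forward at 0, which is the symptom in the thread: the DNAT counter climbs but nothing leaves the box. The FORWARD walk treats a `state RELATED,ESTABLISHED` rule as not matching, because the first trap packet is a NEW flow.

```python
# Audit of a Linux box meant to forward SNMP traps (UDP 162) by DNAT: checks the
# DNAT rule, ip_forward, the FORWARD chain and the route to the new destination.
# Only the `iptables -L -n -v` listing format is parsed (numeric addresses).
import ipaddress
import re
from collections import namedtuple

# Constructed sample output (not captured from the thread's hosts);
# 192.0.2.10 stands in for the thread's new monitoring server.
IP_FORWARD = "0\n"
NAT_TABLE = """\
Chain PREROUTING (policy ACCEPT 19M packets, 953M bytes)
 pkts bytes target prot opt in     out     source               destination
   17  2708 DNAT   udp  --  bond0  *       0.0.0.0/0            0.0.0.0/0            udp dpt:162 to:192.0.2.10:162
"""
FILTER_TABLE = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in     out     source               destination
    0     0 ACCEPT all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT udp  --  bond0  *       0.0.0.0/0            192.0.2.10           udp dpt:162
"""
ROUTES = """\
default via 198.51.100.1 dev bond0
198.51.100.0/24 dev bond0  proto kernel  scope link  src 198.51.100.20
"""

Rule = namedtuple("Rule", "target prot in_if out_if src dst extra")
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\S+ references)")


def parse_chains(listing):
    """Map chain name -> {'policy': str or None, 'rules': [Rule]}."""
    chains, current = {}, None
    for line in (raw.strip() for raw in listing.splitlines()):
        m = CHAIN_RE.match(line)
        if m:
            current = chains[m.group(1)] = {"policy": m.group(2), "rules": []}
        elif current is not None and line and not line.startswith(("pkts", "target")):
            f = line.split()  # pkts bytes target prot opt in out source destination [extras]
            if len(f) >= 9:
                current["rules"].append(Rule(f[2], f[3], f[5], f[6], f[7], f[8], " ".join(f[9:])))
    return chains


def port_matches(rule, dport):
    m = re.search(r"dpt:(\d+)", rule.extra)
    return m is None or int(m.group(1)) == dport


def find_dnat(nat_chains, dport):
    """'to:' target of the first PREROUTING DNAT rule that hits UDP dport, else None."""
    for r in nat_chains.get("PREROUTING", {"rules": []})["rules"]:
        if r.target == "DNAT" and r.prot in ("udp", "all") and port_matches(r, dport):
            m = re.search(r"to:(\S+)", r.extra)
            return m.group(1) if m else None
    return None


def forward_allows(filter_chains, dst_ip, dport):
    """First-match walk of filter FORWARD for a NEW UDP packet to dst_ip:dport."""
    chain = filter_chains.get("FORWARD")
    if chain is None:
        return False
    ip = ipaddress.ip_address(dst_ip)
    for r in chain["rules"]:
        if r.prot not in ("udp", "all") or not port_matches(r, dport):
            continue
        if ip not in ipaddress.ip_network(r.dst, strict=False):
            continue
        m = re.search(r"state (\S+)", r.extra)
        if m and "NEW" not in m.group(1).split(","):
            continue  # matches only replies/related packets, never the first trap
        if r.target == "ACCEPT":
            return True
        if r.target in ("DROP", "REJECT"):
            return False
    return chain["policy"] == "ACCEPT"


def has_route(route_text, dst_ip):
    """True if `ip route` output has a default route or a prefix covering dst_ip."""
    ip = ipaddress.ip_address(dst_ip)
    for f in (line.split() for line in route_text.splitlines()):
        try:
            if f and (f[0] == "default" or ip in ipaddress.ip_network(f[0], strict=False)):
                return True
        except ValueError:
            pass  # "blackhole", "unreachable" etc. carry no prefix in column 0
    return False


def audit(nat_listing, filter_listing, sysctl_text, route_text, dport=162):
    """Problems that would stop the forwarder; an empty list means it should work."""
    target = find_dnat(parse_chains(nat_listing), dport)
    if target is None:
        return ["no DNAT rule for udp dpt:%d in nat PREROUTING" % dport]
    dst_ip = target.split(":")[0]
    problems = []
    if sysctl_text.strip() != "1":
        problems.append("/proc/sys/net/ipv4/ip_forward is not 1: kernel will not forward DNATed packets")
    if not forward_allows(parse_chains(filter_listing), dst_ip, dport):
        problems.append("filter FORWARD does not accept new udp dpt:%d to %s" % (dport, dst_ip))
    if not has_route(route_text, dst_ip):
        problems.append("no route to %s" % dst_ip)
    return problems


if __name__ == "__main__":
    print("\n".join(audit(NAT_TABLE, FILTER_TABLE, IP_FORWARD, ROUTES) or ["no problems found"]))
```

On a real host, feed `audit()` the output of the four commands instead of the sample strings. Two practical points from the thread are worth keeping in mind alongside the checklist: the tcpdump run in the thread listened on eth0, which had no IPv4 address, so it could not see traffic leaving via bond0, and `-i bond0` (or `-i any`) is needed for that check; and DNAT without a matching SNAT is exactly what preserves the devices' source addresses for the new server, which works for trap traffic because traps are one-way UDP and need no reply path back through the forwarder. Once ip_forward is 1 the box forwards for any traffic the FORWARD chain admits, so keeping the DNAT rule bound to `-i bond0` and the FORWARD rule bound to `-d <new server> --dport 162`, as George's second attempt does, keeps it from turning into a general-purpose router.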