IP Tables Saga...:(

arnab.roy
Posts: 354
Joined: Sat Apr 30, 2011 10:24 am

IP Tables Saga...:(

Post by arnab.roy »

Hi Guys,

I have a bizarre one here. Setting up an XI server at a customer site for monitoring their stuff, I was happily adding all the network switches until we needed to cross subnet boundaries and add switches from a different subnet; it looks like iptables is somehow managing to block SNMP queries from other subnets. Just to confirm, I can ssh and ping to the remote hosts, only SNMP problems...

here is my rule chain output

Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
ACCEPT udp -- anywhere anywhere state NEW udp dpt:snmp
ACCEPT udp -- anywhere anywhere state NEW udp dpt:snmptrap
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Any suggestions on how I can fix this without permanently shutting down iptables?

Many Thanks
Arnab
lmiltchev
Bugs find me
Posts: 13589
Joined: Mon May 23, 2011 12:15 pm

Re: IP Tables Saga...:(

Post by lmiltchev »

Have you confirmed that it's working when iptables is stopped?
arnab.roy
Posts: 354
Joined: Sat Apr 30, 2011 10:24 am

Re: IP Tables Saga...:(

Post by arnab.roy »

Yes, snmpwalk works a treat as soon as I hit service iptables stop!!!
arnab.roy
Posts: 354
Joined: Sat Apr 30, 2011 10:24 am

Re: IP Tables Saga...:(

Post by arnab.roy »

This is not resolved, by the way; don't know why the tick was put next to the post...:p
XenoPhage
Posts: 56
Joined: Sun Jun 03, 2012 11:37 am

Re: IP Tables Saga...:(

Post by XenoPhage »

Add a log line before the reject in your input chain. That should provide you some logging to identify what, exactly, is being blocked.
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: IP Tables Saga...:(

Post by scottwilkerson »

I don't have these 2 lines in my iptables and can make the requests just fine:

ACCEPT udp -- anywhere anywhere state NEW udp dpt:snmp
ACCEPT udp -- anywhere anywhere state NEW udp dpt:snmptrap

This should fall under:

ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED

As the Nagios server is initiating the connection, and the connection isn't going into the XI server on the snmp port, it is connecting to the external server on that port.
arnab.roy
Posts: 354
Joined: Sat Apr 30, 2011 10:24 am

Re: IP Tables Saga...:(

Post by arnab.roy »

This is only happening if the remote host is on another L3 subnet; devices on the same subnet work just fine....
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: IP Tables Saga...:(

Post by scottwilkerson »

I would think this was related to an external router blocking the UDP traffic if you hadn't said it works fine with iptables turned off...

Are you running the same test with iptables on and off?

Also, I'm going to ask a question that may be totally unrelated, but is selinux enabled on the system?

I only ask because it seems to creep in and break things all the time...
arnab.roy
Posts: 354
Joined: Sat Apr 30, 2011 10:24 am

Re: IP Tables Saga...:(

Post by arnab.roy »

Hi Scott,

Yes, I also thought this was related to an external router etc. However, after troubleshooting the whole network across 10s of routers, it turned out to be iptables. SELinux, as far as I know, should be off; doesn't the XI install script get rid of it? I will double check. Can you tell me how I can see what packets are being dropped by iptables?

cheers

arnab
XenoPhage
Posts: 56
Joined: Sun Jun 03, 2012 11:37 am

Re: IP Tables Saga...:(

Post by XenoPhage »

arnab.roy wrote:
Hi Scott,

Yes, I also thought this was related to an external router etc. However, after troubleshooting the whole network across 10s of routers, it turned out to be iptables. SELinux, as far as I know, should be off; doesn't the XI install script get rid of it? I will double check. Can you tell me how I can see what packets are being dropped by iptables?

cheers

arnab
Before the DROP rule, add a rule to log:

-A INPUT -j LOG --log-prefix 'Firewall: '

Then all dropped packets will appear in /var/log/messages
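As an added example (not code posted by anyone in this thread), the following shell script combines scottwilkerson's point that SNMP replies should be admitted by the RELATED,ESTABLISHED rule with XenoPhage's LOG suggestion. Two things a practitioner will want to know: on a running system `iptables -A INPUT -j LOG` appends the rule *after* the final REJECT, where it never matches, so the rule has to be inserted with `-I INPUT <number>` at the REJECT's position (or placed above the REJECT line in /etc/sysconfig/iptables before a restart); and a LOG rule with no rate limit can flood /var/log/messages, so it is paired with `-m limit`. The `reject_rule_number` and `summarize_fw_log` functions read their input on stdin so they can be exercised offline; the listing, hostnames and log lines below are constructed sample data, and the host, interface and addresses are assumptions. Also note that a plain `iptables -L` omits the in/out interface column, so `iptables -L INPUT -v -n --line-numbers` is the listing to compare against the log.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes a Red Hat style host where the
# firewall is the INPUT chain shown above and LOG output reaches
# /var/log/messages through the kernel log.

# Position of the first REJECT rule in INPUT. Reads the output of
#   iptables -L INPUT -n --line-numbers
# on stdin so it can be checked against a saved listing.
reject_rule_number() {
    awk '$2 == "REJECT" { print $1; exit }'
}

# Insert a rate-limited LOG rule directly above that REJECT. Plain -A would
# append it after the REJECT, where it would never see a packet.
insert_log_rule() {
    n=$(iptables -L INPUT -n --line-numbers | reject_rule_number)
    [ -n "$n" ] || { echo "no REJECT rule in INPUT" >&2; return 1; }
    iptables -I INPUT "$n" -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix 'Firewall: ' --log-level 4
}

# Summarise what the kernel logged: one line per PROTO/SRC/DST/DPT with a
# hit count, most frequent first. Reads /var/log/messages lines on stdin.
summarize_fw_log() {
    awk '/Firewall: / {
        src = dst = proto = dpt = "-"
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "SRC")        src = kv[2]
            else if (kv[1] == "DST")   dst = kv[2]
            else if (kv[1] == "PROTO") proto = kv[2]
            else if (kv[1] == "DPT")   dpt = kv[2]
        }
        count[proto " " src " " dst " " dpt]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# Constructed sample listing, shaped like `iptables -L INPUT -n --line-numbers`.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited'

# Constructed sample log lines (hostname, interface and addresses are made up):
# SNMP replies (source port 161) from a switch on another subnet arriving at
# the XI server and reaching the LOG/REJECT rules instead of rule 1.
SAMPLE_LOG='Jun  5 10:12:01 xi kernel: Firewall: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.20.30.5 DST=10.1.1.10 LEN=120 TOS=0x00 PREC=0x00 TTL=62 ID=0 DF PROTO=UDP SPT=161 DPT=51234 LEN=100
Jun  5 10:12:01 xi kernel: Firewall: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.20.30.5 DST=10.1.1.10 LEN=120 TOS=0x00 PREC=0x00 TTL=62 ID=0 DF PROTO=UDP SPT=161 DPT=51234 LEN=100
Jun  5 10:12:02 xi kernel: Firewall: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.20.30.7 DST=10.1.1.10 LEN=118 TOS=0x00 PREC=0x00 TTL=62 ID=0 DF PROTO=UDP SPT=161 DPT=51240 LEN=98'

# Stand-alone demonstration against the constructed data.
echo "REJECT is rule $(printf '%s\n' "$SAMPLE_LISTING" | reject_rule_number); insert the LOG rule at that number"
printf '%s\n' "$SAMPLE_LOG" | summarize_fw_log
```

On the live system, run `insert_log_rule` once, repeat the failing snmpwalk, then pipe `grep 'Firewall: ' /var/log/messages` into `summarize_fw_log`: a row whose SRC is the remote switch, PROTO is UDP and SPT is 161 means the reply arrived but was not matched by the RELATED,ESTABLISHED rule, which narrows the question to connection tracking on the XI server rather than to the routers in between.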