And this...is why I'm not a network guy...XenoPhage wrote:When you make an SNMP query, the destination port is 161. So, side A sends a packet destined for port 161 on side B and uses an ephemeral port as it's source. So you'd have something like A:12345 -> B:161. The return traffic from that query must be sourced from port 161 and destined to the ephemeral port that A chose. So the return traffic is B:161 -> A:12345. This is what is happening, but whatever the device in the middle is seems to be rewriting the packet so the return traffic is, instead, C:161 -> A:12345. iptables has no idea what C:161 is since there was no pinhole opened for it, so it properly blocks it.CGraham wrote:The source is 161 on side A but the destination should be 161 on side B, where the firewall is. So a destination 161 rule SHOULD work (and does work when not traversing the router). Normally you'd allow the destination port on incoming and the source port on outgoing. Regardless, looks like the router is causing some heart-ache. So you can open both directions (which you'll likely need for outbound snmp checks anyway) or work with the network team to configure the router differently.
Thanks for the info Xeno.
