I have a Java application that processes SNMP traps. Traps arrive on UDP port 162. Normally a Java process running as an unprivileged user cannot bind to the privileged ports (below 1024). You can use setcap to permit it, or run the process as root, but both introduce potential security issues.
I opted to have the Java process listen on port 1162 instead. The iptables changes below have to be performed as root.
Redirecting incoming traps with iptables
Allow SNMP traffic in:
iptables --insert INPUT --protocol udp --dport 162 --jump ACCEPT
iptables --insert INPUT --protocol udp --dport 1162 --jump ACCEPT
Redirect from 162 to 1162:
iptables --table nat --append PREROUTING --in-interface eth0 --protocol udp --dport 162 --jump REDIRECT --to-ports 1162
Verify changes:
iptables --table nat --list --numeric --verbose
iptables --list --numeric --verbose
There are more compact forms for these commands - see the iptables man page for details.
After testing, save the changes so they survive a reboot:
service iptables save
Note that SNMP is UDP. If you wanted to redirect TCP traffic (like HTTP) you would have to replace udp with tcp in the rules above.
Redirecting traps on localhost
The above PREROUTING rule is not applied to packets generated on the host itself, so traps sent to localhost are not redirected. If you want that too, it is easiest to add a rule in the nat OUTPUT chain:
iptables --table nat --insert OUTPUT --protocol udp --out-interface lo --dport 162 --jump REDIRECT --to-ports 1162
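The steps above as one script, added here as an example rather than taken from the original post: the rules are applied idempotently (iptables --check before --insert, so re-running the script does not stack duplicates), and a small check parses the output of iptables --table nat --list --numeric --verbose to confirm the UDP 162 to 1162 REDIRECT is in place. The interface (eth0) and ports are the post's; the function names and the sample listing are my own, the listing being constructed to mirror real iptables output so the check can be exercised without root.

```shell
#!/bin/sh
# Added example, not from the original post. Interface and ports assumed from the post.
IFACE="${IFACE:-eth0}"
FROM_PORT="${FROM_PORT:-162}"
TO_PORT="${TO_PORT:-1162}"

# Insert a rule only if an identical one is not already present.
# usage: ensure_rule <table> <chain> <rule arguments...>
ensure_rule() {
    table="$1"; chain="$2"; shift 2
    iptables --table "$table" --check "$chain" "$@" 2>/dev/null \
        || iptables --table "$table" --insert "$chain" "$@"
}

# Apply the post's rules (needs root). Only the 1162 ACCEPT is required in
# INPUT: nat PREROUTING rewrites the port before filter INPUT sees the packet.
apply_trap_redirect() {
    ensure_rule filter INPUT --protocol udp --dport "$TO_PORT" --jump ACCEPT
    ensure_rule nat PREROUTING --in-interface "$IFACE" --protocol udp \
        --dport "$FROM_PORT" --jump REDIRECT --to-ports "$TO_PORT"
    ensure_rule nat OUTPUT --out-interface lo --protocol udp \
        --dport "$FROM_PORT" --jump REDIRECT --to-ports "$TO_PORT"
}

# Succeed (exit 0) if the nat listing on stdin contains a UDP REDIRECT
# from port $1 to port $2, using the "dpt:" and "redir ports" columns that
# --list --numeric --verbose prints.
redirect_present() {
    grep -E "REDIRECT[[:space:]]+udp.*udp dpt:$1 redir ports $2" >/dev/null
}

# Check a listing passed as an argument (runs unprivileged, used by the tests).
check_redirect() {
    printf '%s\n' "$1" | redirect_present "$FROM_PORT" "$TO_PORT"
}

# Check the live ruleset (needs root).
verify_live() {
    iptables --table nat --list --numeric --verbose \
        | redirect_present "$FROM_PORT" "$TO_PORT"
}

# Constructed sample in the format of `iptables --table nat --list --numeric --verbose`
# after the post's PREROUTING and OUTPUT rules have been added.
SAMPLE_NAT_LISTING='Chain PREROUTING (policy ACCEPT 12 packets, 960 bytes)
 pkts bytes target     prot opt in     out     source               destination
    7   588 REDIRECT   udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:162 redir ports 1162

Chain OUTPUT (policy ACCEPT 3 packets, 180 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REDIRECT   udp  --  *      lo      0.0.0.0/0            0.0.0.0/0            udp dpt:162 redir ports 1162'

# Stand-alone run: report on the sample, and on the live ruleset when root.
if [ "${RUN_EXAMPLE:-0}" = "1" ]; then
    check_redirect "$SAMPLE_NAT_LISTING" && echo "sample listing: redirect present"
    [ "$(id -u)" = "0" ] && apply_trap_redirect && verify_live && echo "live: redirect present"
fi
```

Two points worth noting when adapting this: the INPUT ACCEPT for port 1162 also lets remote senders reach the Java listener on 1162 directly, not only via the redirect, so the 1162 rule (not the 162 one) is what governs exposure of the trap receiver; and after the rules are in place, the pkts column of the PREROUTING REDIRECT line is the quickest way to confirm traps are actually being rewritten rather than dropped elsewhere.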