Monday, 27 April 2015

CentOS 6.6: redirecting SNMP traps from low ports to high ports with iptables

I have a Java application that processes SNMP traps. Traps arrive on port 162. Normally Java cannot listen on the low ports. You can use setcap to permit it or run as root but these introduce potential security issues.

I opted to have the Java process listen on port 1162. Changes will have to be performed as root.

Redirecting incoming traps with iptables

Allow SNMP traffic in:

iptables --insert INPUT --protocol udp --dport 162 --jump ACCEPT
iptables --insert INPUT --protocol udp --dport 1162 --jump ACCEPT

Redirect from 162 to 1162:

iptables --table nat --append PREROUTING --in-interface eth0 --protocol udp --dport 162 --jump REDIRECT --to-port 1162

Verify changes:

iptables --table nat --list --numeric --verbose
iptables --list --numeric --verbose

There are more compact forms for these commands - see the iptables man page for details.

After testing save changes to they survive a reboot:

service iptables save

Note that SNMP is UDP. If you wanted to redirect TCP traffic (like HTTP) you would have to swap tcp for udp.

Redirecting traps on localhost

The above rules are not applied to localhost. If you want to enable that too it is easiest to add an outbound rule:

iptables --table nat --insert OUTPUT --protocol udp --out-interface lo --dport 162 --jump REDIRECT --to-ports 1162

No comments:

Post a Comment

All comments are moderated