Iptables – SNMP query – operation not permitted

iptablesjavasnmp

I am working on API that reads a lot of data via SNMP (routes, interfaces, QoS policies, etc…). Lately, I have experienced a random error stating:

Operation not permitted

Now, I use SNMP4J as core library and cannot really pinpoint the source of error. Some Stackoverflow questions have suggested OS being unable to open sufficient number of file handles but increasing that parameter did not help much.

The strange thing is that error occurs only when iptables is up and running.

Could it be that firewall is blocking some traffic? I have tried writing JUnit test that mimicked application's logic but no errors were fired…

Any help would be appreciated! Thanks!

IPTABLES

*nat
:PREROUTING ACCEPT [2:96]
:POSTROUTING ACCEPT [68:4218]
:OUTPUT ACCEPT [68:4218]
# route redirect za SNMP Trap i syslog
-A PREROUTING -i eth0 -p udp -m udp --dport 514 -j REDIRECT --to-ports 33514 
-A PREROUTING -i eth0 -p udp -m udp --dport 162 -j REDIRECT --to-ports 33162
COMMIT

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT

.....

# SNMP
-A INPUT -p udp -m state --state NEW -m udp --dport 161 -j ACCEPT 

# SNMP trap
-A INPUT -p udp -m state --state NEW -m udp --dport 162 -j ACCEPT 
-A INPUT -p udp -m state --state NEW -m udp --dport 33162 -j ACCEPT 

.....

-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

Best Answer

Your question isn't 100% clear but I assume your Operation not permitted error comes from inside your SNMP library on your client and means a rejection from the target host. Please clarify if you know different.

You are accepting SNMP connections from outside so the state module isn't helping. Normally it is used drop incoming packets where there was no outgoing connection. This doesn't apply so you probably want to turn state off. use the CT --notrack option (see man iptables-extensions). Having done that you will want to put rules in both directions.

-I INPUT -p udp -m udp --dport 161 -j ACCEPT
-I OUTPUT -p udp -m udp --sport 161 -j ACCEPT #only needed if you have some output blocked

This may well solve your problem.

If you want to troubleshoot then there are a number of reasons possible for iptables blocking connections which it seems the rules should permit. For example:

the state has timed out
the state doesn't fit into the state table

Since you only seem to be using UDP connections there is no real state. This means that packets coming from your client system should be accepted by your rules even if this is a "new" connection.

For sure you want to know where your iptables is dropping packets. Use

sudo iptables --list  --verbose

to look at which rules get packets. To get a clearer view you may use

sudo iptables --zero

to clear the counters and then check to see if one particular line goes up just after an error. You can then add logging rules (see e.g. https://wiki.archlinux.org/index.php/iptables#Logging) and see exactly which packet is dropped where.

At that point you can also look in your system logs and you should find some explanation.

Related Solutions

Linux – iptables port forward forwarding

You're sending the traffic to 10.52.208.221. Given the config you posted, your problem is the webserver, not the firewall. Your rules look to be correct. FORWARD and INPUT are redirected to RH-Firewall-1-INPUT where your first rule is to allow all traffic. As somebody else pointed out, you could be allowing all traffic on eth1, while the world is actually coming in eth0. Secondary, you have to NAT the traffic as it goes back out to the world

iptables --table nat --append POSTROUTING --proto tcp --dport 80 --jump MASQUERADE -o OUT_INTERFACE

Your traffic originating from the router will never hit the input or forward chains, but instead traverse the output chain on to the webserver. Other systems in that subnet will similarly go directly to the webserver. Systems out on the world at large however will traverse the INPUT / FORWARD chains and need SNAT as well as DNAT so that it appears to the world to be one machine. You still cannot test from within your network. you must test from the opposite interface from the webserver. Get me your IP addresses and I'll point you to the proper configs.

Iptables – ftp tls firewalled :(

In Passive mode, when the client wants to get a file from the server or send a file to the server, the FTP server will pick a random port and send that port to the FTP client.

When you're not using encryption, a properly configured firewall (using the ip_conntrack_ftp helper kernel module, which may be what you're missing for non-TLS connections) would "listen in" on the connection and mark these connections as RELATED. With encryption the firewall can't listen in.

The quick and dirty solution to this is to configure the FTP server to choose a small range of ports for passive connections, and then allow access to all of these ports. For instance, in vsftpd:

pasv_min_port=12000
pasv_max_port=12049

Then in iptables:

iptables -A INPUT -p tcp -m tcp -i eth0 --dport 12000:12049 -j ACCEPT

Allowing anyone to access these ports opens one possible exploit: if someone were to be scanning them over and over they might get lucky and be able to "beat" the real user to the data port and grab the file. Ideally your FTP server would check and make sure the connection is coming from the same place as the original connection, but thanks to things like "FXP" (transferring files from one server to another server by convincing one to make an active connection to the other's passive data port) some servers don't check the connection by default. You should check your configuration file and see if there is an option to disable FXP, and use it. (vsftpd calls this "promiscuous" and is disabled by default.)

Best Answer

Related Solutions

Linux – iptables port forward forwarding

Iptables – ftp tls firewalled :(

Related Topic