On Tue, 20 Mar 2012 09:08:36 +0100 Zeljko wrote:
ZM> On Thu, 1 Mar 2012 20:52 Robert wrote:
ZM> RS> If it's a linux box with iptables, google for 'iptables packet mangle'
ZM> RS> and you should get lots of good information. Since you've got a
ZM> RS> fixed destination and multiple 'sources', what i'd do would be
ZM> RS> to run snmptrap to send traps to the address you want as the
ZM> RS> source, and then have iptables mangle all traps packets,
ZM> RS> changing the destination address to be the source address of the
ZM> RS> packet, and setting the destination to the fixed receiver/client address.
ZM>
ZM>
ZM> Robert, Dave, Magnus and Erik thank you very much for your helpful
ZM> answers/suggestions. Francis (my colleague) thanks for an
ZM> implementation in Linux.
ZM>
ZM> My problem is now solved as in attachment "NETadmin_notification.doc"
On Tue, 20 Mar 2012 16:02 Robert wrote:
RS> Glad to hear it. Is it ok if we document your solution in our wiki?
Yes, it is OK.
Additionally, I've attached the file "v2c_pa2.txt", which is an implementation of the "v2c" command on a Linux machine, done by Francis.
BR / Zeljko
#!/bin/bash
# ----------------------------------------------------------------------------------------
# This is a quick and dirty solution to allow sending snmp
# version 2 traps pretending that the trap comes from the equipment supposed
# to send it (The receiver MUST believe that it comes from the real equipment).
#
# The only solution that was proposed (and possible) was source IP spoofing.
# As suggested by other contributors, the solution would be in using iptables
# (Mangle tables were proposed but this would not work) on the linux box
# where we originate the trap.
#
# The solution was to write a little front-end script that would take the
# required snmptrap parameters (the default values needed by Zeljko being
# hard coded in the script) + the required source IP address for the trap
# (the IP address that we will do spoofing with).
#
# The script must be run by 'root' user because it must manipulate the iptables.
# The snmptrap command path must be in the calling user $PATH variable.
#
# The script is overly simple and is certainly lacking other 'features'.
# It should, however, give you the idea ...
# ----------------------------------------------------------------------------------------
TRAP_RECEIVER="10.140.20.69"
TRAP_FIXED_PARAMS="-v 2c -c public"
# For some coloured outputs ....
ESC=$(printf '\033')
red="${ESC}[31m"
green="${ESC}[32m"
norm="${ESC}[0m"
# Must be run as root because it must modify ip tables
if [ "$(id -u)" -ne 0 ]
then
cat <<EOF
$red
Error:
You must be root to use this command !
Please execute 'sudo bash' first...
$norm
EOF
exit 1
fi
if [ $# -lt 2 ]
then
cat <<EOF
$red
Error:
This command requires arguments !
Arg 1: should be the trap source address (equipment address)
Arg 2 to Arg n: should be arguments valid for the 'snmptrap -v 2c' command
$norm
EOF
exit 1
fi
# Simple, no checks on the parameter ! If it is not a proper IP, the iptables
# command will choke and give an error description.
SRC=$1
shift # get rid of the first parameter (Source IP)
# and let the snmptrap check the rest
# Note: the remaining arguments are passed through as "$@", so a quoted
# string argument such as  s "This is a string"  reaches snmptrap intact.
# Rule insertion: rewrite the source address of every UDP datagram that
# leaves this box for the receiver's trap port (162).
iptables -t nat -A POSTROUTING -d "$TRAP_RECEIVER" -p udp --dport 162 -j SNAT --to-source "$SRC"
rc=$?
if [ $rc -ne 0 ]
then
cat <<EOF
$red
Error:
iptables rules installation failed.
You probably did not supply a proper source IP address.
Please refer to the error messages from the iptables command above ...
$norm
EOF
# for extra safety: make sure no rule was left behind (delete, not append again)
iptables -t nat -D POSTROUTING -d "$TRAP_RECEIVER" -p udp --dport 162 -j SNAT --to-source "$SRC" &>/dev/null
exit 1
fi
# TRAP_FIXED_PARAMS is deliberately unquoted so that it splits into separate options
snmptrap $TRAP_FIXED_PARAMS "$TRAP_RECEIVER" '' "$@"
rc=$?
if [ $rc -ne 0 ]
then
cat <<EOF
$red
Error:
snmptrap command failed !!! Trap was not sent.
Please refer to the error messages from the snmptrap command above ...
$norm
EOF
else
cat <<EOF
$green
Command OK. It was sent as:
snmptrap $TRAP_FIXED_PARAMS $TRAP_RECEIVER '' $*
$norm
EOF
fi
# Leave some time to be sure snmptrap went through the iptables filters
[ $rc -eq 0 ] && sleep 2
# Remove the current rule so the SNAT rewrite does not outlive this trap
iptables -t nat -D POSTROUTING -d "$TRAP_RECEIVER" -p udp --dport 162 -j SNAT --to-source "$SRC"
exit $rc
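As an added example (not Francis's script and not part of the original post), the same SNAT rule lifecycle written so that the two weak points of the attached script are covered: the source address is validated before iptables sees it, arguments containing spaces reach snmptrap intact, and the rule is removed even when snmptrap fails, so a rewrite of the source address of everything sent to the receiver's port 162 never lingers in the nat table. The function names (valid_ipv4, snat_rule, send_spoofed_trap) are this example's own; the receiver address defaults to the one in the original script.

```shell
#!/bin/sh
# Added example, not the script from the post. Run as root on the originating
# box, with iptables and snmptrap in PATH; receiver taken from the original.
TRAP_RECEIVER="${TRAP_RECEIVER:-10.140.20.69}"

# Accept only a plain dotted-quad IPv4 address (the original did no check).
valid_ipv4() {
    addr=$1 n=0
    case "$addr" in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    while [ -n "$addr" ]; do
        octet=${addr%%.*}; n=$((n + 1))
        [ "$octet" -le 255 ] || return 1
        [ "$addr" = "$octet" ] && addr="" || addr=${addr#*.}
    done
    [ "$n" -eq 4 ]
}

# snat_rule ACTION SRC: ACTION is -A (append) or -D (delete); rewrites the
# source of UDP datagrams leaving for the receiver's trap port to SRC.
snat_rule() {
    iptables -t nat "$1" POSTROUTING -d "$TRAP_RECEIVER" -p udp --dport 162 \
        -j SNAT --to-source "$2"
}

# send_spoofed_trap SRC [snmptrap args...]: returns snmptrap's exit status,
# 2 when the address is rejected or the rule cannot be installed.
# "$@" (not $*) keeps an argument such as  s "two words"  as one argument.
send_spoofed_trap() {
    src=$1; shift
    valid_ipv4 "$src" || { echo "bad source address: $src" >&2; return 2; }
    snat_rule -A "$src" || return 2
    snmptrap -v 2c -c public "$TRAP_RECEIVER" '' "$@"
    rc=$?
    # give the datagram time to pass the nat table before the rule goes away
    [ "$rc" -eq 0 ] && sleep 2
    # always remove the rule, whatever snmptrap returned
    snat_rule -D "$src" || echo "warning: SNAT rule for $src still present" >&2
    return "$rc"
}

if [ "$#" -ge 2 ]; then
    send_spoofed_trap "$@"
fi
```

Invoked as `./spoofed_trap.sh 10.1.2.3 1.3.6.1.4.1.8072.2.3.0.1 1.3.6.1.4.1.8072.2.3.2.1 s "two words"` it behaves like the original v2c front-end, with the rule removed on every exit path.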
Net-snmp-coders mailing list
https://lists.sourceforge.net/lists/listinfo/net-snmp-coders