On Tuesday 05 November 2002 4:41 am, Ben Russo wrote:
> Have a UNIX server. User wants to write programs to receive SNMPTraps.
> I *thought* I could redirect incoming traffic to port 162 to a high
> port, (like 4162) where the user could have his programs receive the
> messages with no special privileges?
>
> Anyway, a completely normal box, no special firewalling rules....
> The only rule I create is:
>
> iptables -t nat -A POSTROUTING -p udp -m udp --dport 162 -j REDIRECT
> --to-ports 4162
>
> Now, the user starts his program that binds to udp port 4162 ( I can see
> it with "netstat -nap" ) but he doesn't see any packets coming in.
> I run tcpdump -n | grep snmptrap and I see packets coming from the
> network to the server on udp port 162, and the server sending back icmp
> unreachable packets back to the sources??
>
> Why doesn't the redirect work?

Is this rule on the machine sending the SNMP traps, or the machine receiving them?

If it's on the sender, then the problem is that REDIRECT changes the destination address to the machine the rule is on, therefore it will not get to the destination.

If it's on the receiver, then the problem is that you've put the rule in the POSTROUTING chain, which is not traversed by incoming packets, so they never see the rule.

From the description above in your first paragraph it sounds like you want to run the netfilter rule on the machine which is receiving the traps, so try this instead:

iptables -A PREROUTING -t nat -p udp --dport 162 -j REDIRECT --to 4162

Antony.

--
There are only 10 types of people in the world:
those who understand binary notation, and those who don't.
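The following is an added example, not code from either poster in the thread: the kind of unprivileged receiver the original question describes, sitting behind the nat PREROUTING REDIRECT rule given in the reply. It assumes that rule is in place on the receiving host (so traps sent to UDP/162 arrive at UDP/4162, which a non-root process may bind), that only SNMPv1 Trap-PDUs (RFC 1157 BER encoding) are expected, and uses a hand-constructed sample datagram so the decoder can be exercised offline. The port number 4162, the community string, OIDs and addresses in the sample are all illustrative.

```python
"""Unprivileged SNMPv1 trap receiver for the REDIRECTed high port.

Added example, not from the original thread. Assumes:
  iptables -A PREROUTING -t nat -p udp --dport 162 -j REDIRECT --to 4162
is active on this host, so datagrams addressed to 162 arrive on 4162.
"""
import socket

TRAP_PORT = 4162  # assumption: matches --to 4162 in the REDIRECT rule


def read_tlv(buf, pos):
    """Decode one BER TLV at buf[pos]; return (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length


def decode_int(raw):
    return int.from_bytes(raw, "big", signed=True)


def decode_oid(raw):
    """Base-128 OID decoding; the first octet packs the first two arcs."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for octet in raw[1:]:
        value = (value << 7) | (octet & 0x7F)
        if not octet & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def parse_snmpv1_trap(datagram):
    """Return the fields of an SNMPv1 Trap-PDU as a dict, or raise ValueError."""
    tag, msg, _ = read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    tag, version, pos = read_tlv(msg, 0)
    if tag != 0x02 or decode_int(version) != 0:
        raise ValueError("not an SNMPv1 message")
    _, community, pos = read_tlv(msg, pos)
    tag, pdu, _ = read_tlv(msg, pos)
    if tag != 0xA4:  # context-specific [4] = Trap-PDU
        raise ValueError("not a Trap-PDU")
    _, enterprise, p = read_tlv(pdu, 0)
    tag, agent, p = read_tlv(pdu, p)
    if tag != 0x40 or len(agent) != 4:  # APPLICATION 0 = IpAddress
        raise ValueError("bad agent-addr")
    _, generic, p = read_tlv(pdu, p)
    _, specific, p = read_tlv(pdu, p)
    _, ticks, p = read_tlv(pdu, p)
    _, vbl, _ = read_tlv(pdu, p)
    varbinds = []
    q = 0
    while q < len(vbl):
        _, vb, q = read_tlv(vbl, q)
        _, oid, r = read_tlv(vb, 0)
        vtag, value, _ = read_tlv(vb, r)
        # Only OCTET STRING values are decoded to text; anything else stays raw.
        varbinds.append((decode_oid(oid), value.decode() if vtag == 0x04 else value))
    return {
        "community": community.decode(errors="replace"),
        "enterprise": decode_oid(enterprise),
        "agent_addr": ".".join(str(b) for b in agent),
        "generic_trap": decode_int(generic),
        "specific_trap": decode_int(specific),
        "uptime_ticks": decode_int(ticks),
        "varbinds": varbinds,
    }


# Constructed sample trap (not captured traffic): community "public",
# enterprise 1.3.6.1.4.1.8072, agent 192.0.2.10, enterpriseSpecific(6)/1,
# 12345 ticks, one varbind sysName.0 = "host1".
SAMPLE_TRAP = bytes.fromhex(
    "303b" "020100" "04067075626c6963"
    "a42e" "06072b06010401bf08" "4004c000020a" "020106" "020101" "43023039"
    "3013" "3011" "06082b06010201010500" "0405686f737431"
)


def serve(port=TRAP_PORT):
    """Bind the high port as an ordinary user and decode each datagram."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))  # above 1023: no root needed
    while True:
        data, (src, _sport) = sock.recvfrom(65535)
        try:
            print(src, parse_snmpv1_trap(data))
        except ValueError as exc:
            print("ignored datagram from", src, ":", exc)


if __name__ == "__main__":
    serve()
```

Two points worth knowing when testing this behind the rule. REDIRECT only rewrites the destination, so `recvfrom` still reports the real sender, and the ICMP port unreachables seen in the original tcpdump were simply the kernel answering for UDP/162 while nothing listened there. The nat PREROUTING chain is only traversed by packets arriving from the network; a trap generated on the receiving host itself goes through the nat OUTPUT chain instead, so a local `snmptrap` test against 127.0.0.1:162 will not reach the listener unless a matching rule is added there. SNMPv1 traps carry no authentication beyond the community string, so anything the socket receives is untrusted input, which is why the decoder bounds-checks every length before slicing.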