An integrated SNMP agent is available to monitor the gateway on the network.

This SNMP agent service is provided by the Net-SNMP suite.

The SNMP agent service is not installed on the LORIX One 256MB memory version since there is not enough space left.

The SNMP agent service is only supported through CLI at the moment.

Basic installation

Configure the firewall

Since the agent is reached from the outside (and acts as a server), the first step to do is to open the right port for inbound connections. By default the SNMP agent accepts UDP connections on port 161.

If you have disabled the firewall service, you don't need to configure anything. You can move to the next section.

The following procedure applies for IPv4. If you use IPv6, you need to adapt the command. More information on the firewall on the dedicated page.

Firewall modification can lead to unreachable system in case of mistake. Modify the firewall remotely only if you are sure what you are doing.

Insert a new rule in the firewall

The firewall of the LORIX OS has an ACCEPT policy by default for the inbound connections with the last rule defined to DROP. The final behavior is "deny by default" which is the most secured behavior. 

It could also be done with a DROP policy but is more difficult to maintain.

For this reason, we need to INSERT the new rule before the last DROP rule. 

We need to know the index where to insert the new rule and for that, we need to display all the rules:

sudo iptables -L -n --line-number
CODE

By default, the system will return the following result or similar:

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
2    DROP       all  --  0.0.0.0/0            0.0.0.0/0            state INVALID
3    ACCEPT     all  --  127.0.0.1            127.0.0.1
4    DROP       all  --  127.0.0.0/8          0.0.0.0/0
5    PINGPROTECT  icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 8 /* Must stay before ACCEPT for ESTABLISHED */
6    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
7    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 3
8    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 11
9    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 12
10   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:5353
11   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 flags:0x17/0x02 state NEW
12   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443 flags:0x17/0x02 state NEW
13   SSHPROTECT  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 state NEW
14   DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
[..]
CODE

We want to insert the new rule before the "DROP all" one (the last line) and then insert this rule at the index 14.

Please be aware this index can have a different value, you need to check carefully the result.

Based on the previous result, we can insert the new rule:

sudo iptables -I INPUT 14 -p udp -m udp --dport 161 -j ACCEPT
CODE

The final result is now:

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
2    DROP       all  --  0.0.0.0/0            0.0.0.0/0            state INVALID
3    ACCEPT     all  --  127.0.0.1            127.0.0.1
4    DROP       all  --  127.0.0.0/8          0.0.0.0/0
5    PINGPROTECT  icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 8 /* Must stay before ACCEPT for ESTABLISHED */
6    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
7    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 3
8    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 11
9    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 12
10   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:5353
11   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 flags:0x17/0x02 state NEW
12   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443 flags:0x17/0x02 state NEW
13   SSHPROTECT  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 state NEW
14   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:161
15   DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
[..]
CODE

We can insert the new rule elsewhere in the chain but a good general strategy is to start with generic rules followed by more specific ones. The idea behind that is to reduce the rules iterated for any given packet.

Save the rules to make it persistent

The rule you have just added is only present in volatile memory for the moment until a restart. If you want to make it persistent over a reboot, you need to save the current rules into non volatile memory.

Save the rules

sudo rc-service iptables save
BASH

Result

lorix-one-aabbcc:~$ sudo rc-service iptables save
iptables         | * Saving iptables state ...
BASH

Configure Net-SNMP agent

The Net-SNMP agent configuration file is located in the file /etc/snmp/snmpd.conf.


You can edit it with your favorite text editor using sudo:

sudo nano /etc/snmp/snmpd.conf
CODE

You can check the many possibilities of the SNMP configuration in the official references or with the many tutorials on the internet.

If the service is already started, you need to reload the configuration after the edition to take your modification into account.

Start the service

The service can be started easily thanks to the OpenRC service manager:

sudo rc-service snmpd start
CODE

Make it persistent over a reboot

The previous command only starts the service for the current session but it will not be started at system boot. To make it persistent, you need to use the following command:

sudo rc-update add snmpd default
CODE

Additional setup

Stop the service

The service can be stopped easily thanks to the OpenRC service manager:

sudo rc-service snmpd stop
CODE

Make it persistent over a reboot

The previous command only stops the service for the current session but it will start on next reboot if you made it persistent. To disable the auto start at boot, you need to use the following command:

sudo rc-update del snmpd default
CODE

Reload the configuration

When you have modified the SNMP configuration file with the service running, you can reload the new config without restarting the service. This can be done as follow:

sudo rc-service snmpd reload
CODE

Restart the service

If needed, you can restart the service as follow:

sudo rc-service snmpd restart
CODE