SNMP agent
An integrated SNMP agent is available to monitor the gateway on the network.
This SNMP agent service is provided by the Net-SNMP suite.
The SNMP agent service is only supported through CLI at the moment.
Basic installation
Configure the firewall
Since the agent is reached from the outside (it acts as a server), the first step is to open the right port for inbound connections. By default the SNMP agent accepts UDP connections on port 161.
If you have disabled the firewall service, you don't need to configure anything. You can move to the next section.
The following procedure applies to IPv4. If you use IPv6, you need to adapt the command. More information about the firewall is available on the dedicated page.
A firewall mistake can make the system unreachable. Modify the firewall remotely only if you are sure of what you are doing.
Insert a new rule in the firewall
The LORIX OS firewall has a default ACCEPT policy for inbound connections, with the last rule set to DROP. The resulting behavior is "deny by default", which is the most secure behavior.
The same could be achieved with a DROP policy, but that is more difficult to maintain.
For this reason, we need to INSERT the new rule before the last DROP rule.
We need to know the index at which to insert the new rule; to find it, display all the rules with their line numbers:
sudo iptables -L -n --line-numbers
By default, the system will return the following result or similar:
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
2 DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
3 ACCEPT all -- 127.0.0.1 127.0.0.1
4 DROP all -- 127.0.0.0/8 0.0.0.0/0
5 PINGPROTECT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8 /* Must stay before ACCEPT for ESTABLISHED */
6 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
7 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 3
8 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 11
9 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 12
10 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:5353
11 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 flags:0x17/0x02 state NEW
12 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 flags:0x17/0x02 state NEW
13 SSHPROTECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW
14 DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
[..]
We want to insert the new rule before the "DROP all" one (the last line), so we insert it at index 14.
Be aware that this index may have a different value on your system; check the result carefully.
Based on the previous result, we can insert the new rule:
sudo iptables -I INPUT 14 -p udp -m udp --dport 161 -j ACCEPT
The final result is now:
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
2 DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
3 ACCEPT all -- 127.0.0.1 127.0.0.1
4 DROP all -- 127.0.0.0/8 0.0.0.0/0
5 PINGPROTECT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8 /* Must stay before ACCEPT for ESTABLISHED */
6 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
7 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 3
8 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 11
9 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 12
10 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:5353
11 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 flags:0x17/0x02 state NEW
12 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 flags:0x17/0x02 state NEW
13 SSHPROTECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW
14 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:161
15 DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
[..]
The new rule could be inserted elsewhere in the chain, but a good general strategy is to place generic rules first, followed by more specific ones, so that fewer rules are evaluated for any given packet.
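Because the index of the final "DROP all" rule differs from system to system, the following added example (not part of the LORIX OS documentation) computes it from the iptables listing instead of hard-coding 14, and builds the insert command with the source restricted to an assumed management network (192.0.2.0/24, a placeholder) rather than accepting SNMP from anywhere. The sample chain is a constructed copy of the default listing shown above.

```shell
#!/bin/sh
# Added example: locate the catch-all DROP at the end of the INPUT chain and
# build the SNMP ACCEPT rule to insert right before it.

# Constructed sample of `iptables -L INPUT -n --line-numbers` output
# (the default LORIX OS chain); in practice pipe the real command in.
SAMPLE_INPUT_CHAIN='Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
2 DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
3 ACCEPT all -- 127.0.0.1 127.0.0.1
4 DROP all -- 127.0.0.0/8 0.0.0.0/0
5 PINGPROTECT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8 /* Must stay before ACCEPT for ESTABLISHED */
6 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
7 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 3
8 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 11
9 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 12
10 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:5353
11 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 flags:0x17/0x02 state NEW
12 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 flags:0x17/0x02 state NEW
13 SSHPROTECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW
14 DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT)'

# Print the index of the last INPUT rule only if it is an unconditional
# "DROP all" from anywhere to anywhere (IPv4 or IPv6); otherwise fail.
catchall_drop_index() {
    awk '
        /^Chain INPUT/ { in_input = 1; next }
        /^Chain /      { in_input = 0 }
        in_input && $1 ~ /^[0-9]+$/ { last = $0 }
        END {
            n = split(last, f, /[ \t]+/)
            if (n == 6 && f[2] == "DROP" && f[3] == "all" && f[5] == f[6] &&
                (f[5] == "0.0.0.0/0" || f[5] == "::/0")) { print f[1]; exit 0 }
            exit 1
        }'
}

# $1: chain listing, $2: management network allowed to query the agent.
# Prints the insert command; fails if no catch-all DROP was found.
snmp_accept_rule() {
    idx=$(printf '%s\n' "$1" | catchall_drop_index) || return 1
    printf 'sudo iptables -I INPUT %s -s %s -p udp -m udp --dport 161 -j ACCEPT\n' "$idx" "$2"
}
```

Run `snmp_accept_rule "$(sudo iptables -L INPUT -n --line-numbers)" 192.0.2.0/24` on the gateway to get the command for the real chain; it refuses to guess when the last rule is not the catch-all DROP.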
Save the rules to make them persistent
The rule you have just added is only present in volatile memory and will be lost on restart. To make it persistent across reboots, save the current rules to non-volatile memory.
Save the rules
sudo rc-service iptables save
Result
lorix-one-aabbcc:~$ sudo rc-service iptables save
iptables | * Saving iptables state ...
Configure Net-SNMP agent
The Net-SNMP agent configuration file is /etc/snmp/snmpd.conf.
You can edit it with your favorite text editor using sudo:
sudo nano /etc/snmp/snmpd.conf
The many configuration options are described in the official Net-SNMP documentation and in numerous tutorials on the internet.
If the service is already running, you need to reload the configuration after editing for your changes to take effect.
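Since the firewall rule above exposes the agent to the network, the configuration decides who can read what. The following added example (not part of the LORIX OS documentation or the Net-SNMP project) shows a hardened snmpd.conf using only standard Net-SNMP directives, next to the weak SNMPv1/v2c style many tutorials show, and a small lint that flags cleartext community strings, write access and listening on all interfaces. The address, user name and passphrases are assumed placeholders.

```shell
#!/bin/sh
# Added example: hardened snmpd.conf versus a weak one, and a lint for snmpd.conf.

# Constructed hardened configuration: SNMPv3 only, authenticated and encrypted,
# read-only, limited to the system subtree, bound to one interface (assumed address).
HARDENED_SNMPD_CONF='
# Listen only on the management interface, not on every address of the gateway
agentAddress udp:192.0.2.10:161
# SNMPv3 user; on first start snmpd converts this line into a hashed usmUser
# entry in its persistent store, so the passphrases do not remain here in clear
createUser monitor SHA "assumed-auth-passphrase" AES "assumed-priv-passphrase"
# Read-only, authentication and encryption required, limited to the view below
rouser monitor priv -V systemonly
view systemonly included .1.3.6.1.2.1.1
view systemonly included .1.3.6.1.2.1.25.1
sysLocation Gateway rack (assumed)
sysContact noc@example.com'

# Constructed weak configuration of the kind often copied from tutorials
WEAK_SNMPD_CONF='
rocommunity public
rwcommunity private 192.0.2.0/24'

# Read snmpd.conf on stdin, print one line per finding, exit 1 if there is any.
snmpd_conf_findings() {
    awk '
        { sub(/#.*/, "") }                  # drop comments
        NF == 0 { next }                    # and blank lines
        { d = tolower($1) }                 # directives are case-insensitive
        d ~ /^(ro|rw)community6?$/ || d == "com2sec" {
            print "cleartext SNMPv1/v2c community string: " $0; n++ }
        d == "rwuser" || d ~ /^rwcommunity6?$/ {
            print "write access granted: " $0; n++ }
        d == "agentaddress" { addr = 1
            if ($2 ~ /^(udp6?:)?(0\.0\.0\.0:)?161$/ || $2 ~ /^udp6?:\[::\]:161$/) {
                print "agent listens on all interfaces: " $0; n++ } }
        END {
            if (!addr) { print "no agentAddress: default is to listen on all interfaces"; n++ }
            exit (n > 0)
        }'
}
```

Run `snmpd_conf_findings < /etc/snmp/snmpd.conf` on the gateway before starting the service; a clean exit status means none of the flagged settings are present.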
Start the service
The service can be started easily thanks to the OpenRC service manager:
sudo rc-service snmpd start
Make it persistent over a reboot
The previous command only starts the service for the current session; it will not be started at system boot. To make it persistent, use the following command:
sudo rc-update add snmpd default
Additional setup
Stop the service
The service can be stopped easily thanks to the OpenRC service manager:
sudo rc-service snmpd stop
Make it persistent over a reboot
The previous command only stops the service for the current session; it will start again at the next reboot if you made it persistent. To disable the automatic start at boot, use the following command:
sudo rc-update del snmpd default
Reload the configuration
When you have modified the SNMP configuration file while the service is running, you can reload the new configuration without restarting the service, as follows:
sudo rc-service snmpd reload
Restart the service
If needed, you can restart the service as follows:
sudo rc-service snmpd restart