openwrt拦截snmp报文

SNMP使用的协议为UDP，默认端口为161和162.

使用iptables

命令如下：

iptables -A INPUT -p udp -m udp --dport 161:162 -j DROP

使用mib browser采集设备上的节点，会超时（timeout）

在串口打开tcpdump打印消息如下：

root@hbg:/# iptables -A INPUT -p udp -m udp --dport 161:162 -j DROP
root@hbg:/#
root@hbg:/#
root@hbg:/# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
DROP       udp  --  anywhere             anywhere             udp dpts:snmp:snmp-trap

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination  

root@hbg:/# tcpdump
tcpdump: WARNING: eth0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:12:53.215582 3c:46:d8:89:70:52 (oui Unknown) > Broadcast, RRCP-0x23 query
12:12:53.449710 STP 802.1d, Config, Flags [none], bridge-id 7fff.00:11:22:33:44:56.8001, length 35
12:12:54.215559 3c:46:d8:89:70:52 (oui Unknown) > Broadcast, RRCP-0x23 query
12:12:55.215538 3c:46:d8:89:70:52 (oui Unknown) > Broadcast, RRCP-0x23 query
12:12:55.449715 STP 802.1d, Config, Flags [none], bridge-id 7fff.00:11:22:33:44:56.8001, length 35
12:12:55.509887 LLDP, length 138: TVWS
12:12:55.899593 ARP, Request who-has 192.168.2.125 tell 192.168.2.234, length 46
12:12:55.899857 ARP, Reply 192.168.2.125 is-at 00:11:22:33:44:56 (oui Unknown), length 28
12:12:55.900431 IP 192.168.2.234.64411 > 192.168.2.125.snmp:  C=world GetNextRequest(24)  system.sysUpTime 查询报文
12:12:56.215514 3c:46:d8:89:70:52 (oui Unknown) > Broadcast, RRCP-0x23 query
12:12:57.215491 3c:46:d8:89:70:52 (oui Unknown) > Broadcast, RRCP-0x23 query
12:12:57.449707 STP 802.1d, Config, Flags [none], bridge-id 7fff.00:11:22:33:44:56.8001, length 35
12:12:58.215468 3c:46:d8:89:70:52 (oui Unknown) > Broadcast, RRCP-0x23 query
12:12:59.215445 3c:46:d8:89:70:52 (oui Unknown) > Broadcast, RRCP-0x23 query
12:12:59.449706 STP 802.1d, Config, Flags [none], bridge-id 7fff.00:11:22:33:44:56.8001, length 35
12:13:00.215421 3c:46:d8:89:70:52 (oui Unknown) > Broadcast, RRCP-0x23 query
12:13:00.898934 IP 192.168.2.234.64411 > 192.168.2.125.snmp:  C=world GetNextRequest(24)  system.sysUpTime 查询报文
12:13:01.215396 3c:46:d8:89:70:52 (oui Unknown) > Broadcast, RRCP-0x23 query
12:13:01.449712 STP 802.1d, Config, Flags [none], bridge-id 7fff.00:11:22:33:44:56.8001, length 35
12:13:02.215372 3c:46:d8:89:70:52 (oui Unknown) > Broadcast, RRCP-0x23 query
12:13:02.339996 ARP, Request who-has 192.168.1.16 tell 192.168.1.234, length 46
12:13:03.215351 3c:46:d8:89:70:52 (oui Unknown) > Broadcast, RRCP-0x23 query
12:13:03.449710 STP 802.1d, Config, Flags [none], bridge-id 7fff.00:11:22:33:44:56.8001, length 35
12:13:04.215327 3c:46:d8:89:70:52 (oui Unknown) > Broadcast, RRCP-0x23 query
12:13:05.215304 3c:46:d8:89:70:52 (oui Unknown) > Broadcast, RRCP-0x23 query
12:13:05.449706 STP 802.1d, Config, Flags [none], bridge-id 7fff.00:11:22:33:44:56.8001, length 35
12:13:05.899351 IP 192.168.2.234.64411 > 192.168.2.125.snmp:  C=world GetNextRequest(24)  system.sysUpTime  查询报文
12:13:06.215279 3c:46:d8:89:70:52 (oui Unknown) > Broadcast, RRCP-0x23 query
12:13:07.215260 3c:46:d8:89:70:52 (oui Unknown) > Broadcast, RRCP-0x23 query
^C
29 packets captured
29 packets received by filter
0 packets dropped by kernel

查询报文的次数在于你配置mib browser中retransmits的次数

允许通过为:

iptables -A INPUT -p udp -m udp --dport 161:162 -j ACCEPT

root@hbg:/# iptables -D INPUT 1
root@hbg:/# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination        

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        
root@hbg:/#
root@hbg:/#
root@hbg:/# iptables -A INPUT -p udp -m udp --dport 161:162 -j ACCEPT
root@hbg:/# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
ACCEPT     udp  --  anywhere             anywhere             udp dpts:snmp:snmp-trap

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

root@hbg:/# tcpdump
tcpdump: WARNING: eth0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:15:55.211339 3c:46:d8:89:70:52 (oui Unknown) > Broadcast, RRCP-0x23 query
12:15:55.449706 STP 802.1d, Config, Flags [none], bridge-id 7fff.00:11:22:33:44:56.8001, length 35
12:15:55.629877 LLDP, length 138: TVWS
12:15:56.211318 3c:46:d8:89:70:52 (oui Unknown) > Broadcast, RRCP-0x23 query
12:15:57.211291 3c:46:d8:89:70:52 (oui Unknown) > Broadcast, RRCP-0x23 query
12:15:57.449708 STP 802.1d, Config, Flags [none], bridge-id 7fff.00:11:22:33:44:56.8001, length 35
12:15:58.211269 3c:46:d8:89:70:52 (oui Unknown) > Broadcast, RRCP-0x23 query
12:15:58.702348 ARP, Request who-has 192.168.2.125 tell 192.168.2.234, length 46
12:15:58.702588 ARP, Reply 192.168.2.125 is-at 00:11:22:33:44:56 (oui Unknown), length 28
12:15:58.703184 IP 192.168.2.234.58494 > 192.168.2.125.snmp:  C=world GetNextRequest(24)  system.sysUpTime   查询报文
12:15:58.704048 IP 192.168.2.125.snmp > 192.168.2.234.58494:  C=world GetResponse(28)  system.sysUpTime.0=304450  响应报文
12:15:59.211246 3c:46:d8:89:70:52 (oui Unknown) > Broadcast, RRCP-0x23 query
12:15:59.449711 STP 802.1d, Config, Flags [none], bridge-id 7fff.00:11:22:33:44:56.8001, length 35
12:16:00.211223 3c:46:d8:89:70:52 (oui Unknown) > Broadcast, RRCP-0x23 query
12:16:00.561467 IP 192.168.2.234.58496 > 192.168.2.125.snmp:  C=world GetRequest(31)  E:45138.3030.1.1.4.0    查询报文
12:16:00.598459 IP 192.168.2.125.snmp > 192.168.2.234.58496:  C=world GetResponse(35)  E:45138.3030.1.1.4.0=192.168.2.125  响应报文
12:16:01.211198 3c:46:d8:89:70:52 (oui Unknown) > Broadcast, RRCP-0x23 query
12:16:01.449707 STP 802.1d, Config, Flags [none], bridge-id 7fff.00:11:22:33:44:56.8001, length 35
12:16:02.211178 3c:46:d8:89:70:52 (oui Unknown) > Broadcast, RRCP-0x23 query
12:16:03.211152 3c:46:d8:89:70:52 (oui Unknown) > Broadcast, RRCP-0x23 query
12:16:03.449709 STP 802.1d, Config, Flags [none], bridge-id 7fff.00:11:22:33:44:56.8001, length 35
12:16:03.709734 ARP, Request who-has 192.168.2.234 tell 192.168.2.125, length 28
12:16:03.710467 ARP, Reply 192.168.2.234 is-at 54:ee:75:4a:37:b5 (oui Unknown), length 46
12:16:04.211128 3c:46:d8:89:70:52 (oui Unknown) > Broadcast, RRCP-0x23 query
12:16:05.211106 3c:46:d8:89:70:52 (oui Unknown) > Broadcast, RRCP-0x23 query
12:16:05.338555 ARP, Request who-has 192.168.1.16 tell 192.168.1.234, length 46
12:16:05.449709 STP 802.1d, Config, Flags [none], bridge-id 7fff.00:11:22:33:44:56.8001, length 35
12:16:06.211083 3c:46:d8:89:70:52 (oui Unknown) > Broadcast, RRCP-0x23 query
12:16:07.211060 3c:46:d8:89:70:52 (oui Unknown) > Broadcast, RRCP-0x23 query
12:16:07.449715 STP 802.1d, Config, Flags [none], bridge-id 7fff.00:11:22:33:44:56.8001, length 35
12:16:08.211035 3c:46:d8:89:70:52 (oui Unknown) > Broadcast, RRCP-0x23 query
12:16:09.211012 3c:46:d8:89:70:52 (oui Unknown) > Broadcast, RRCP-0x23 query
12:16:09.449709 STP 802.1d, Config, Flags [none], bridge-id 7fff.00:11:22:33:44:56.8001, length 35
^C
33 packets captured
34 packets received by filter
0 packets dropped by kernel