TMG SNMP support

From TBwiki

Revision as of 12:09, 25 August 2010

This article explains how to configure iptables to seamlessly forward SNMP traffic from the TMG's management interface to the adapter and back. This allows external equipment to request SNMP information from the adapter by querying the IP address of the TMG's management interface.

To carry out most of the instructions in this article, you will need to log in as root on your TMG (or use an account with superuser privileges).

Collect information about your TMG

To set up iptables correctly, the following information is needed:

  1. The IP address of the TMG's management interface (can be obtained using ifconfig eth0). If you are using DHCP, it is not needed.
  2. The IP addresses of both the Linux host and the adapter on the internal interface:
    1. The host IP address can be obtained using ifconfig eth1.
    2. The adapter host IP address can be obtained by opening a shell to the adapter and using print_net.

A typical TMG setup will have the following configuration. This configuration will be used in the following instructions; replace the corresponding settings with your own.

  • Management interface IP: DHCP
  • Internal Linux IP: 172.31.1.2
  • Internal adapter IP: 172.31.1.1

Installing net-snmp-utils (optional)

To test whether SNMP is available, use the snmpget tool on the TMG to verify that the SNMP feature is available and working from the adapter.

  1. Install net-snmp-utils: yum install net-snmp-utils
  2. Test SNMP: snmpget -d -v 1 -c public 172.31.1.1 SNMPv2-MIB::sysUpTime.0

Enabling IP forwarding

To enable IP forwarding permanently on the TMG, edit the /etc/sysctl.conf file and set the net.ipv4.ip_forward element to 1. For example:

 # Controls IP packet forwarding
 net.ipv4.ip_forward = 1

NOTE: A reboot is required to activate this setting. It is possible to enable it immediately by setting the contents of /proc/sys/net/ipv4/ip_forward to 1. For example: echo 1 > /proc/sys/net/ipv4/ip_forward

Installing iptables

To check whether iptables is installed on your system, invoke it on the command line (type iptables). If it is not installed:

  • If the management interface has an Internet connection, use yum install iptables
  • If no Internet connection is available and TBLinux is used, the iptables-1.4.1.1-1.tb1.ppc.rpm package must be downloaded from the TBLinux distribution packages site, uploaded to the TMG and installed using yum localinstall iptables-1.4.1.1-1.tb1.ppc.rpm

After installing iptables, you can confirm that no rules are set yet by using iptables -v -L

Configuring iptables

Run the following lines as root:

 iptables -t nat -A PREROUTING -p udp -i eth0 --dport 161 -j DNAT --to-destination 172.31.1.1
 iptables -t nat -A POSTROUTING -p udp -o eth1 --dport 161 -j MASQUERADE

Or, if you are not using DHCP and want to use SNAT instead of MASQUERADE, run the following lines:

 iptables -t nat -A PREROUTING -p udp -i eth0 --dport 161 -j DNAT --to-destination 172.31.1.1
 iptables -t nat -A POSTROUTING -p udp -o eth1 --dport 161 -j SNAT --to-source 172.31.1.2

List the added rules by using iptables -t nat -n -L

Permanently save the rules by using service iptables save

If everything worked, SNMP requests should be answered from the TMG's management interface.
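
The rules above forward UDP port 161 from any sender that reaches eth0. The following added example (not part of the original article) prints the SNAT variant of the same rules, scoped to a single monitoring station with -s. The function names and the NMS_IP value are assumptions made for illustration; the interface names and internal addresses are the ones used on this page.

```shell
#!/bin/sh
# Added example, not from the original article. Prints NAT rules that forward
# SNMP to the adapter only for one monitoring station; nothing is applied.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1            # split on dots; safe, input holds only digits and dots
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# $1 = station allowed to query (assumption), $2 = adapter IP, $3 = internal Linux IP
snmp_forward_rules() {
    for addr in "$1" "$2" "$3"; do
        valid_ipv4 "$addr" || { echo "invalid IPv4 address: $addr" >&2; return 1; }
    done
    # -s restricts the DNAT to the station; other senders are not translated.
    echo "iptables -t nat -A PREROUTING -p udp -i eth0 -s $1 --dport 161 -j DNAT --to-destination $2"
    # -d keeps the source rewrite limited to traffic bound for the adapter.
    echo "iptables -t nat -A POSTROUTING -p udp -o eth1 -d $2 --dport 161 -j SNAT --to-source $3"
}

NMS_IP=192.0.2.10        # constructed sample address (documentation range)
snmp_forward_rules "$NMS_IP" 172.31.1.1 172.31.1.2
```

Review the two printed commands, then run them as root in place of the unscoped rules. Requests arriving on eth0 from any other source address are not translated and so are never forwarded to the adapter.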