TUT:source spoofing
From Net-SNMP Wiki
If you need to send traps with a source address other than one configured on one of your interfaces, you need to use a firewall to rewrite the source address in the packet after it has left the sending socket. On Linux, this can be done with iptables NAT rules (SNAT in the POSTROUTING chain of the nat table).
A user has contributed the following script, which dynamically creates and removes the iptables rule as needed.
$ snmptrap-from [Source address] [snmpTrapOID] and possible parameter(s)
where snmptrap-from is a script which:
- adds a POSTROUTING SNAT rule that rewrites the source address of UDP/162 packets sent to a (hard-coded) destination to the given source IP (while installed, the rule matches every trap sent to that receiver, not only this one)
- calls snmptrap to send the trap
The script is:
#!/bin/bash
# ----------------------------------------------------------------------------------------
# This is a quick and dirty solution to allow sending snmp
# version 2 traps pretending that the trap comes from the equipment supposed
# to send it (The receiver MUST believe that it comes from the real equipment).
#
# The only solution that was proposed (and possible) was source IP spoofing.
# As suggested by other contributors, the solution would be in using iptables
# (Mangle tables were proposed but this would not work) on the linux box
# where we originate the trap.
#
# The solution was to write a little front-end script that would take the required snmptrap
# parameters (the default values needed by Zeljko being hard coded in the script) + the
# required source IP address for the trap (the IP address that we will do spoofing with).
#
# The script must be run by 'root' user because it must manipulate the iptables.
# The snmptrap command path must be in the calling user $PATH variable.
#
# The script is overly simple and is certainly lacking other 'features'. It should, however,
# give you the idea ...
# ----------------------------------------------------------------------------------------

TRAP_RECEIVER="10.140.20.69"
TRAP_FIXED_PARAMS="-v 2c -c public"

# For some coloured outputs ....
ESC=$(echo -e "\e")
red="${ESC}[31m"
green="${ESC}[32m"
norm="${ESC}[0m"

# Must be run as root because it must modify ip tables
if [ "$(whoami)" != "root" ]
then
    cat <<EOF
$red
Error: You must be root to use this command !
Please execute 'sudo bash' first...
$norm
EOF
    exit 1
fi

if [ $# -lt 2 ]
then
    cat <<EOF
$red
Error: This command requires arguments !
Arg 1: should be the trap source address (equipment address)
Arg 2 to Arg n: should be arguments valid for the 'snmptrap -v 2c' command
$norm
EOF
    exit 1
fi

# Simple, no checks on the parameter ! If it is not a proper IP, the iptables command will choke
# and give an error description.
SRC=$1
shift   # get rid of the first parameter (Source IP)
        # and let snmptrap check the rest

# Rule insertion: rewrite the source of UDP/162 packets to the receiver
iptables -t nat -A POSTROUTING -d $TRAP_RECEIVER -p udp --dport 162 -j SNAT --to $SRC
rc=$?
if [ $rc -ne 0 ]
then
    cat <<EOF
$red
Error: iptables rules installation failed.
You probably did not supply a proper source IP address.
Please refer to the error messages from the iptables command above ...
$norm
EOF
    # for extra safety: make sure no partially installed rule is left behind
    iptables -t nat -D POSTROUTING -d $TRAP_RECEIVER -p udp --dport 162 -j SNAT --to $SRC &>/dev/null
    exit 1
fi

snmptrap $TRAP_FIXED_PARAMS $TRAP_RECEIVER '' "$@"
rc=$?
if [ $rc -ne 0 ]
then
    cat <<EOF
$red
Error: snmptrap command failed !!! Trap was not sent.
Please refer to the error messages from the snmptrap command above ...
$norm
EOF
else
    cat <<EOF
$green
Command OK. It was sent as:
snmptrap $TRAP_FIXED_PARAMS $TRAP_RECEIVER '' "$@"
$norm
EOF
fi

# Leave some time to be sure snmptrap went through iptables filters
[ $rc -eq 0 ] && sleep 2

# Remove the current rule
iptables -t nat -D POSTROUTING -d ${TRAP_RECEIVER} -p udp --dport 162 -j SNAT --to $SRC

exit $rc
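The contributed script passes the source address to iptables unchecked and only removes the SNAT rule on its normal exit path. The following is an added example (not the wiki's or the contributor's code) of the same POSTROUTING SNAT approach with the address validated first and the rule removed by an EXIT trap whatever happens; the receiver address is a constructed value and the function names are mine.

```shell
#!/bin/bash
# Added example, not the wiki's own script: the same POSTROUTING SNAT approach,
# but the source address is validated before it reaches iptables and the rule is
# removed by an EXIT trap on every exit path. TRAP_RECEIVER is a constructed value.

TRAP_RECEIVER="10.140.20.69"
TRAP_FIXED_PARAMS="-v 2c -c public"
RULE=""   # iptables match/target arguments, set by send_spoofed_trap for cleanup

# Succeed only for a dotted quad whose four octets are all in 0..255; the wiki
# script hands this argument to iptables unchecked.
valid_ipv4() {
    local ip=$1 octet
    case $ip in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    local IFS=.
    set -- $ip
    [ $# -eq 4 ] || return 1
    for octet; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Delete the SNAT rule; runs on any exit, so a failed snmptrap or a Ctrl-C
# cannot leave the rule behind.
cleanup() {
    [ -n "$RULE" ] && iptables -t nat -D POSTROUTING $RULE
}

send_spoofed_trap() {
    local src=$1 rc
    shift
    valid_ipv4 "$src" || { echo "Error: '$src' is not an IPv4 address" >&2; return 2; }
    [ "$(id -u)" -eq 0 ] || { echo "Error: must run as root to change iptables" >&2; return 1; }
    # One string feeds both -A and -D, so insertion and deletion cannot drift apart.
    RULE="-d $TRAP_RECEIVER -p udp --dport 162 -j SNAT --to $src"
    trap cleanup EXIT
    iptables -t nat -A POSTROUTING $RULE || { RULE=""; return 1; }
    snmptrap $TRAP_FIXED_PARAMS "$TRAP_RECEIVER" '' "$@"
    rc=$?
    [ $rc -eq 0 ] && sleep 2   # let the datagram pass the NAT rule before it is removed
    return $rc
}

if [ $# -ge 2 ]; then
    send_spoofed_trap "$@"
fi
```

Invoked the same way as snmptrap-from above (source address first, then the snmptrap arguments), it refuses anything that is not a plain dotted-quad address before touching iptables.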