TUT:source spoofing
From Net-SNMP Wiki
Revision as of 16:01, 21 March 2012 by Rstory
If you need to send traps with a source address other than one configured on one of your interfaces, you need a firewall rule to rewrite the address in the packet after it has been sent. On Linux, this can be done with iptables NAT rules.
A user has contributed the following script, which dynamically creates/removes iptables rules as needed.
$ snmptrap-from [Source address] [snmpTrapOID] and possible parameter(s)

where snmptrap-from is a script which:
- adds a POSTROUTING chain rule that sets the given source IP for a trap sent to a (hard-coded) destination
- calls snmptrap to send the trap
- removes the rule again once the trap has gone out
The script is:
#!/bin/bash
# ----------------------------------------------------------------------------------------
# This is a quick and dirty solution to allow sending snmp
# version 2 traps pretending that the trap comes from the equipment supposed
# to send it (The receiver MUST believe that it comes from the real equipment).
#
# The only solution that was proposed (and possible) was source IP spoofing.
# As suggested by other contributors, the solution would be in using iptables
# (Mangle tables were proposed but this would not work) on the linux box
# where we originate the trap.
#
# The solution was to write a little front-end script that would take the required snmptrap
# parameters (the default values needed by Zeljko being hard coded in the script) + the
# required source IP address for the trap (the IP address that we will do spoofing with).
#
# The script must be run by 'root' user because it must manipulate the iptables.
# The snmptrap command path must be in the calling user $PATH variable.
#
# The script is overly simple and is certainly lacking other 'features'. It should,
# however, give you the idea ...
#
# ----------------------------------------------------------------------------------------

TRAP_RECEIVER="10.140.20.69"
TRAP_FIXED_PARAMS="-v 2c -c public"

# For some coloured outputs ....
ESC=$(echo -e "\e")
red="${ESC}[31m"
green="${ESC}[32m"
norm="${ESC}[0m"

# Must be run as root because it must modify ip tables
if [ "$(whoami)" != "root" ]
then
  cat <<EOF
$red
Error: You must be root to use this command !
       Please execute 'sudo bash' first...
$norm
EOF
  exit 1
fi

if [ $# -lt 2 ]
then
  cat <<EOF
$red
Error: This command requires arguments !
       Arg 1:          should be the trap source address (equipment address)
       Arg 2 to Arg n: should be arguments valid for the 'snmptrap -v 2c' command
$norm
EOF
  exit 1
fi

# Simple, no checks on the parameter !
# If it is not a proper IP, the iptables command will choke
# and give an error description.
SRC=$1
shift    # get rid of the first parameter (Source IP)
         # and let snmptrap check the rest

# Note: the remaining arguments are passed on with "$@", so a quoted argument
# such as   s "This is a string"   reaches snmptrap as one argument.

# Rule insertion
iptables -t nat -A POSTROUTING -d "$TRAP_RECEIVER" -p udp --dport 162 -j SNAT --to "$SRC"
rc=$?
if [ $rc -ne 0 ]
then
  cat <<EOF
$red
Error: iptables rules installation failed.
       You probably did not supply a proper source IP address.
       Please refer to the error messages from the iptables command above ...
$norm
EOF
  # for extra safety: make sure no half-installed rule is left behind
  iptables -t nat -D POSTROUTING -d "$TRAP_RECEIVER" -p udp --dport 162 -j SNAT --to "$SRC" &>/dev/null
  exit 1
fi

snmptrap $TRAP_FIXED_PARAMS "$TRAP_RECEIVER" '' "$@"
rc=$?
if [ $rc -ne 0 ]
then
  cat <<EOF
$red
Error: snmptrap command failed !!! Trap was not sent.
       Please refer to the error messages from the snmptrap command above ...
$norm
EOF
else
  cat <<EOF
$green
Command OK. It was sent as:
snmptrap $TRAP_FIXED_PARAMS $TRAP_RECEIVER '' $*
$norm
EOF
fi

# Leave some time to be sure snmptrap went through the iptables filters
[ $rc -eq 0 ] && sleep 2

# Remove the current rule (also after a snmptrap failure, so no SNAT rule is left behind)
iptables -t nat -D POSTROUTING -d "${TRAP_RECEIVER}" -p udp --dport 162 -j SNAT --to "$SRC"

exit $rc
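The SNAT rule above is meant to exist only for the couple of seconds the trap is in flight. If the script is killed between inserting and deleting the rule, the rule stays in the nat table and every later trap to that receiver leaves the host with the rewritten source address. The following audit is an added example, not part of the wiki page or of Net-SNMP: it parses the `-A` lines of `iptables -t nat -S POSTROUTING` output, reports SNAT rules that rewrite UDP/162 traffic, and builds the matching `-D` command for each. The sample output, the function names and the 192.0.2.x addresses are constructed for the example; the receiver address is the one hard-coded in the script.

```python
"""Audit iptables NAT POSTROUTING rules for SNAT entries that rewrite the
source address of outgoing SNMP traps (UDP/162)."""
import shlex
import subprocess

# Constructed sample of `iptables -t nat -S POSTROUTING` output (not captured
# from a real host). The third line is the shape of rule the wiki script
# installs while a trap is being sent; iptables prints the script's `--to`
# shorthand as `--to-source`.
SAMPLE_RULES = """\
-P POSTROUTING ACCEPT
-A POSTROUTING -s 192.0.2.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -d 10.140.20.69/32 -p udp -m udp --dport 162 -j SNAT --to-source 192.0.2.50
-A POSTROUTING -d 10.140.20.69/32 -p udp -m udp --dport 161 -j SNAT --to-source 192.0.2.51
"""


def parse_rule(line):
    """Turn one `-A` line into a dict of option -> value.

    Options without a value map to True; a negated match (`! -d 1.2.3.4`)
    is stored under the key '!-d'. Policy lines (`-P`) yield None.
    """
    tokens = shlex.split(line)
    if len(tokens) < 2 or tokens[0] != "-A":
        return None
    rule = {"chain": tokens[1]}
    i = 2
    negate = False
    while i < len(tokens):
        tok = tokens[i]
        if tok == "!":
            negate = True
            i += 1
            continue
        if not tok.startswith("-"):
            i += 1  # stray positional token; ignore it
            continue
        key = ("!" if negate else "") + tok
        negate = False
        has_value = (i + 1 < len(tokens)
                     and tokens[i + 1] != "!"
                     and not tokens[i + 1].startswith("-"))
        if has_value:
            rule[key] = tokens[i + 1]
            i += 2
        else:
            rule[key] = True
            i += 1
    return rule


def find_trap_snat_rules(iptables_output, trap_port="162"):
    """Return the SNAT rules that rewrite the source of UDP traffic to trap_port."""
    hits = []
    for line in iptables_output.splitlines():
        rule = parse_rule(line)
        if rule is None:
            continue
        if (rule.get("-j") == "SNAT"
                and rule.get("-p") == "udp"
                and rule.get("--dport") == trap_port):
            hits.append({
                "receiver": rule.get("-d"),
                "spoofed_source": rule.get("--to-source"),
                "rule": line.strip(),
            })
    return hits


def delete_command(rule_line):
    """Build the iptables command that removes a rule printed by `-S`."""
    spec = rule_line.strip()
    if not spec.startswith("-A "):
        raise ValueError("expected an '-A' rule line")
    return "iptables -t nat -D " + spec[len("-A "):]


def current_rules():
    """Read the live POSTROUTING chain; fall back to the constructed sample
    when iptables is unavailable or the caller is not root."""
    try:
        return subprocess.run(
            ["iptables", "-t", "nat", "-S", "POSTROUTING"],
            capture_output=True, text=True, check=True,
        ).stdout
    except (FileNotFoundError, PermissionError, subprocess.CalledProcessError):
        return SAMPLE_RULES


if __name__ == "__main__":
    for hit in find_trap_snat_rules(current_rules()):
        print(f"trap SNAT rule: receiver {hit['receiver']} rewritten to "
              f"{hit['spoofed_source']}")
        print("  remove with:", delete_command(hit["rule"]))
```

Run as root on the trap-sending host it reads the live chain; anywhere else it falls back to the embedded sample, which contains exactly one UDP/162 SNAT rule (the 161 rule and the MASQUERADE rule are not reported). The reported `-D` command is the same rule specification the wiki script uses for cleanup, so it removes only that rule.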