Snmpd Listen to Specific IP Address ( BIND To Selected Interfaces )

August 6, 2009 · 6 comments · Last updated August 6, 2009

How do I force SNMP (Simple Network Management Protocol) network management software to listen on public interfaces under RHEL / RedHat / Fedora / CentOS Linux server?

net-snmp ships with snmpd, an SNMP agent that binds to a port and awaits requests from SNMP management software. By default it binds to localhost (127.0.0.1) only.

snmpd can be configured to listen for incoming SNMP requests on UDP port 161 on all IPv4 interfaces or on selected interfaces using the -x option. A listening address takes the form:

 [<transport-specifier>:]<transport-address>

Few Examples

       127.0.0.1:161           listen on UDP port 161, but only on the loopback interface.
                               This prevents snmpd being queried remotely. The port
                               specification ":161" is not strictly necessary since that
                               is the default SNMP port.
       TCP:1161                listen on TCP port 1161 on all IPv4 interfaces.
       ipx:/40000              listen on IPX port 40000 on all IPX interfaces.
       unix:/tmp/local-agent   listen on the Unix domain socket /tmp/local-agent.
       /tmp/local-agent        is identical to the previous specification, since the Unix
                               domain is assumed if the first character of the
                               <transport-address> is '/'.
       PVC:161                 listen on the AAL5 permanent virtual circuit with VPI=0 and
                               VCI=161 (decimal) on the first ATM adapter in the machine.
       udp6:10161              listen on port 10161 on all IPv6 interfaces.

CentOS / RHEL / Fedora Linux Specific Configuration

Edit /etc/sysconfig/snmpd.options, enter:
# vi /etc/sysconfig/snmpd.options
Uncomment the OPTIONS line and add the -x option as follows to listen on the default port 161 on IP addresses 127.0.0.1 and 192.168.1.254:

OPTIONS="-Lsd -Lf /dev/null -p /var/run/snmpd.pid -a -x 127.0.0.1 192.168.1.254"

Save and close the file. Reload the changes:
# service snmpd reload
Update the /etc/sysconfig/iptables firewall configuration to allow traffic to UDP port 161:
# vi /etc/sysconfig/iptables
To accept connections only from 192.168.1.0/24 to UDP port 161, enter:

-A RH-Firewall-1-INPUT -p udp -s 192.168.1.0/24 -m udp --dport 161 -j ACCEPT

Finally, restart iptables service:
# service iptables restart
You may also need to update /etc/snmp/snmpd.conf to set up the correct public community and other ACL settings. Refer to the snmpd.conf man page for more details.
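
To confirm that the agent ended up bound only to the addresses you intended, the check below parses `netstat -lun` or `ss -lun` output and prints any local address on the SNMP port that is not on an allow-list. It is an added example, not part of the original article; the function name and the sample listings are constructed, and 127.0.0.1 and 192.168.1.254 are the addresses used above.

```shell
#!/bin/sh
# Added example: report SNMP listeners bound outside an allow-list.
# Live use: netstat -lun | unexpected_snmp_binds 161 127.0.0.1 192.168.1.254

# unexpected_snmp_binds PORT ALLOWED_ADDR...
# Reads `netstat -lun` / `ss -lun` lines on stdin; prints each local address
# listening on PORT that is not in the allow-list (one per line).
unexpected_snmp_binds() {
    snmp_port=$1
    shift
    awk -v port="$snmp_port" -v allowed="$*" '
        BEGIN {
            n = split(allowed, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        {
            # The local address is the first field ending in ":<digits>".
            # Headers and the peer column ("0.0.0.0:*") never match.
            for (i = 1; i <= NF; i++) {
                if ($i ~ /:[0-9]+$/) {
                    addr = $i; sub(/:[0-9]+$/, "", addr)
                    p = $i;    sub(/^.*:/, "", p)
                    if (p == port && !(addr in ok)) print addr
                    break
                }
            }
        }'
}

# Constructed sample: agent still on the wildcard address (e.g. old options
# still in effect), plus an unrelated DHCP client socket on port 68.
SAMPLE_STALE='Proto Recv-Q Send-Q Local Address      Foreign Address    State
udp        0      0 0.0.0.0:161        0.0.0.0:*
udp        0      0 0.0.0.0:68         0.0.0.0:*'

# Constructed sample: agent bound only to the two intended addresses.
SAMPLE_OK='udp        0      0 127.0.0.1:161      0.0.0.0:*
udp        0      0 192.168.1.254:161  0.0.0.0:*
udp        0      0 0.0.0.0:68         0.0.0.0:*'

for sample in "$SAMPLE_STALE" "$SAMPLE_OK"; do
    bad=$(printf '%s\n' "$sample" | unexpected_snmp_binds 161 127.0.0.1 192.168.1.254)
    if [ -n "$bad" ]; then echo "unexpected listener(s): $bad"; else echo "binds OK"; fi
done
```

Run it after restarting snmpd; any address it prints is reachable on UDP 161 beyond what the OPTIONS line and the firewall rule were meant to allow.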

{ 6 comments }

1 phignuton August 7, 2009 at 4:54 pm

This can also be done using the agentaddress directive in the snmpd.conf:


agentaddress 10.1.1.1

will bind the agent to the specified IP address.

2 Tim January 19, 2010 at 6:16 am

Thanks

3 Dave October 20, 2010 at 10:10 am

The CentOS specific instructions here aren’t quite correct. By default, snmpd listens on port 199 (and this service doesn’t seem to be what you would expect either). I have tested this on CentOS and RHEL 5.3.

When specifying -x and IP addresses, make sure you use 127.0.0.1:161 instead of just 127.0.0.1.

Also, the syntax given in the example of specifying two IP addresses does not work. Only the first one is chosen. If you specify -x twice with different IP addresses, only the second one is chosen. You can use 0.0.0.0:161 to listen on all network interfaces.

Lastly, the “reload” command does not cause the daemon to listen on a newly configured IP address or port. The “restart” command does.

4 Vimo December 17, 2010 at 12:25 pm

Dear Gentleman,

I have a RHEL5.5 server that has snmp installed (version is net-snmp-5.3.2.2-9.el5_5.1). This server has 5 n/w interfaces with different IPs. My problem is when I try snmpwalk on to the main interface, in my case “bond0” with the assigned IP address, there is no response.
eg: snmpwalk v2c -c nature 172.17.241.190
No Response from 172.17.241.190
But when i run the same query with “localhost” snmpd responds.
eg: snmpwalk v2c -c nature localhost

There is no n/w level restrictions on this server. My nic related info is as follows..

I tried the above-mentioned options by Vivek and Dave but no luck. Please advise, gentlemen.

5 Tim Boyer January 13, 2011 at 1:42 am

What’s /etc/snmp/snmpd.conf look like?

rocommunity testing 127.0.0.1

will allow from localhost, but not any other ip address.

And don’t forget to restart snmpd…

6 Mike January 4, 2012 at 6:19 pm

You’re missing the ‘-’ before the ‘s’ in your iptables line :D
