fixes #2

modules/qualifying/learning_centralized_system_monitoring.md

@@ -415,3 +415,25 @@ If all of this is working it's time to stop offering version 1 and version 2.
 This is again done on the **client** in the `/etc/snmp/snmpd.conf` file.
 Locate the line starting with `rocommunity` and comment them out.
 Restart the service and now you're only offering v3 connections!
+
+### Additional security with iptables
+
+We have not seen iptables yet, but it's the main program in Linux to control incoming and outgoing connections.
+Finally, we could ensure that no one except us can access SNMP form outside. The simplest way to achieve this is to add some firewall rules with iptables.
+To ensure the iptable configuration will be loaded automatically install the following package in addition:
+apt-get install iptables-persistent
+This ensures that the iptable rules are automatically loaded after a reboot of the system, the rules will be loaded from a persistent stored file. To trigger an update of the currently used iptables of the system run one of the following commands:
+
+```
+iptables-save > /etc/iptables/rules.v4
+ip6tables-save > /etc/iptables/rules.v6
+```
+
+Now we could add 4 new iptables entries to allow only access from our external system and block all other ones. Do not forget to replace 11.11.11.11 with your ip address or range.
+
+```
+iptables -A INPUT -s 11.11.11.11 -p udp -m udp --dport 161 -j ACCEPT
+iptables -A INPUT -s 11.11.11.11 -p udp -m udp --dport 162 -j ACCEPT
+iptables -A INPUT -p udp -m udp --dport 161 -j DROP
+iptables -A INPUT -p udp -m udp --dport 162 -j DROP
+```