Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

Advanced Iptables Rules Examples

 

You can configure your iptables rules to better control access to JSA, restrict inbound data sources, and redirect traffic. The following examples can help you to gain better insight to your network, by manually adjusting your iptables.

Blocking Iptables Access to SSH

Consoles and unmanaged hosts allow SSH from any inbound request. When a host is added to the deployment, the consoles allow SSH access from the JSA console, and the console keeps port 22 open for inbound connections. You can limit the inbound connections on port 22 by modifying a host's iptables rules.

You can block SSH access from other managed hosts on your console, which can break encrypted connections.

Enabling ICMP to JSA Systems

You can enable ping responses from your JSA system by adding the following rule to the /opt/qradar/conf/iptables.pre file.

Run the following script to create an entry in the /etc/sysconfig/iptables file.

Note

You can limit this rule to a specific host by adding the -s source.ip.address field.

Blocking Unwanted Data Sources

You can block out a data source such as a log source or a netflow data source, for a short time, rather than disabling the original device. To block a particular host, you can add an entry similar to the following to /opt/qradar/conf/iptables.pre.

Block a netflow from the router:

-A INPUT -p udp -s <IP Address> --dport 2055 -j REJECT

Block a syslog from another source:

-A INPUT -p tcp -s <IP Address> --dport 514 -j REJECT -A INPUT -p udp -s <IP Address> --dport 514 -j REJECT

Block a syslog from a specific subnet:

-A INPUT -p tcp -s <IP Address> --dport 514 -j REJECT -A INPUT -p udp -s <IP Address> --dport 514 -j REJECT

Redirecting Iptables to Syslog Ports

You can redirect syslog traffic on non-standard ports into port 514 on a JSA Event Collector.You can use the following steps to enable an iptables rule to redirect the alternative port back into 514 on the Event Collector.

  1. Enable the NAT option in the Linux kernel by adding or updating the following line in the /etc/sysctl.conf file.

    Note

    For changes to take effect to the NAT rule, you might need to restart your service.

  2. Enable ipforwarding in the current active kernel.

  3. Add the following lines to the /opt/qradar/conf/iptables-nat.post. Enter the port number that you want to redirect as the <portnumber>.

    -A PREROUTING -p udp --dport <portnumber> -j REDIRECT --to-ports 514

    -A PREROUTING -p tcp --dport <portnumber> -j REDIRECT --to-ports 514

  4. Enter the following command to rebuild your iptables.

    /opt/qradar/bin/iptables_update.pl

  5. Verify the redirection by typing the following command.

    iptables -nvL -t nat

    The following code is an example of what the output might look like.

    Chain PREROUTING (policy ACCEPT 140 packets, 8794 bytes) pkts bytes target prot opt in out source destination 0 0 REDIRECT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:10529 redir ports 514 0 0 REDIRECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:10529 redir ports 514 Chain POSTROUTING (policy ACCEPT 207 packets, 25772 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 207 packets, 25772 bytes) pkts bytes target prot opt in out source destination

Redirecting Inbound Syslog Traffic

You can use your JSA console as a syslog message gateway to redirect inbound events, by configuring rules in iptables.

  1. Enable the forwarding rule for a log source on your Event Collector.

  2. Set the forwarding destination for the TCP syslog to be the console IP address on port 7780.

  3. From the command line of the console, add the following iptables rule to redirect to another host.

    iptables -I OUTPUT --src 0/0 --dst 153.2.200.80 -p

    tcp --dport 7780 -j REDIRECT --to-ports 514

Configuring Iptables Rules

Access to the JSA network services is controlled first on hosts with iptables. The iptables rules are adjusted and configured based on the requirements of the deployment. Ports for Ariel searching, streaming, and times when you are using encryption (tunneling) can update various iptables rules.

You can configure and check iptables rules for IPv4 and IPv6. The following procedure indicates how you can tune your iptables manually.

  1. Log in to JSA as the root user by using SSH.

    Login: <root>

    Password: <password>

  2. Type the following command to edit the pre rules iptables file:

    IPv4:

    vi /opt/qradar/conf/iptables.pre

    IPv6:

    vi /opt/qradar/conf/ip6tables.pre

    The iptables.pre configuration file is displayed.

  3. Type the following command to edit the post rules iptables file:

    IPv4:

    vi /opt/qradar/conf/iptables.post

    IPv6:

    vi /opt/qradar/conf/ip6tables.post

    The iptables.post configuration file is displayed.

  4. Add the following rule for JSA to access a specific port number, where portnumber is the port number:

    To accept UDP traffic for a specific port input:

    -A INPUT -m udp -p udp --dport <portnumber> -j ACCEPT

    To accept TCP traffic for a specific port input:

    -A INPUT -m state --state NEW -m tcp -p tcp --dport <portnumber> -j ACCEPT

  5. Save your iptables configuration.
  6. Run the following script to propagate the changes:

    /opt/qradar/bin/iptables_update.pl

  7. Type the following commands to check for existing iptables:

    IPv4:

    iptables -L -n -v

    IPv6:

    ip6tables -L -n -v