Advanced Iptables Rules Examples
You can configure your iptables rules to better control access to JSA, restrict inbound data sources, and redirect traffic. The following examples can help you gain better insight into your network by manually adjusting your iptables rules.
Blocking Access to SSH with Iptables
Consoles and unmanaged hosts allow SSH from any inbound request. When a host is added to the deployment, the managed hosts allow SSH access from the JSA console, and the console keeps port 22 open for inbound connections. You can limit the inbound connections on port 22 by modifying a host's iptables rules.
For example, the following rules accept new SSH connections to the console only from the managed hosts 10.100.50.41 and 10.100.50.59 and drop all other inbound SSH connections. Blocking SSH access from other managed hosts in this way can break encrypted connections, so the rules must allow every managed host that needs SSH access to the console.
-A INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 22 -s 10.100.50.41 -j ACCEPT
-A INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 22 -s 10.100.50.59 -j ACCEPT
-A INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 22 -j DROP
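Because iptables stops at the first matching rule, a catch-all DROP placed above the ACCEPT lines would lock the console out. The following added example (not part of the original page or the JSA product) audits the port-22 INPUT rules in an iptables.pre file and reports the accepted sources, whether the catch-all DROP is present, whether any ACCEPT is misordered after it, and whether a given console IP is still allowed; the file contents are a constructed sample.

```python
import shlex
from ipaddress import ip_address, ip_network

def parse_rule(line):
    """Split one iptables rule (iptables-restore syntax) into {option: value}.
    Options that take no value map to True."""
    toks, opts, i = shlex.split(line), {}, 0
    while i < len(toks):
        if i + 1 < len(toks) and not toks[i + 1].startswith("-"):
            opts[toks[i]] = toks[i + 1]
            i += 2
        else:
            opts[toks[i]] = True
            i += 1
    return opts

def audit_ssh_rules(pre_text, console_ip):
    """Audit the port-22 INPUT rules of an iptables.pre file.

    iptables matches the first rule that fits, so a catch-all DROP that
    appears before an ACCEPT silently blocks that source. Returns the
    accepted sources, whether a catch-all DROP is present, whether any
    ACCEPT is misordered after it, and whether console_ip is still allowed.
    """
    allowed, drop_seen, misordered = [], False, False
    for line in pre_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        r = parse_rule(line)
        if r.get("-A") != "INPUT" or r.get("--dport") != "22":
            continue
        if r.get("-j") == "ACCEPT" and "-s" in r:
            misordered = misordered or drop_seen
            allowed.append(ip_network(r["-s"], strict=False))
        elif r.get("-j") == "DROP" and "-s" not in r:
            drop_seen = True
    return {
        "allowed": [str(n) for n in allowed],
        "drop_present": drop_seen,
        "misordered": misordered,
        "console_reachable": any(ip_address(console_ip) in n for n in allowed),
    }

# Constructed sample: the three rules from the section above, one per line.
SAMPLE_PRE = """\
-A INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 22 -s 10.100.50.41 -j ACCEPT
-A INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 22 -s 10.100.50.59 -j ACCEPT
-A INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 22 -j DROP
"""
```

Run audit_ssh_rules(open("/opt/qradar/conf/iptables.pre").read(), "<console IP>") on a host to check the real file before running the update script.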
Enabling ICMP to JSA Systems
You can enable ping responses from your JSA system by adding the following rule to the /opt/qradar/conf/iptables.pre file.
-A INPUT -p icmp -j ACCEPT
Run the following script to create an entry in the /etc/sysconfig/iptables file.
You can limit this rule to a specific host by adding the -s <source IP address> option to it.
Blocking Unwanted Data Sources
You can temporarily block a data source, such as a log source or a NetFlow data source, rather than disabling the original device. To block a particular host, add an entry similar to the following to /opt/qradar/conf/iptables.pre.
Block NetFlow from a router:
-A INPUT -p udp -s <IP Address> --dport 2055 -j REJECT
Block syslog from another source:
-A INPUT -p tcp -s <IP Address> --dport 514 -j REJECT
-A INPUT -p udp -s <IP Address> --dport 514 -j REJECT
Block syslog from a specific subnet (the -s option accepts CIDR notation):
-A INPUT -p tcp -s <Subnet>/<Prefix length> --dport 514 -j REJECT
-A INPUT -p udp -s <Subnet>/<Prefix length> --dport 514 -j REJECT
Redirecting Iptables to Syslog Ports
You can redirect syslog traffic that arrives on non-standard ports to port 514 on a JSA Event Collector. Use the following steps to enable an iptables rule that redirects the alternative port back to port 514 on the Event Collector.
Enable the NAT option in the Linux kernel by adding or updating the following line in the /etc/sysctl.conf file.
net.ipv4.ip_forward = 1
Note: For the NAT rule changes to take effect, you might need to restart your service.
Enable IP forwarding in the currently running kernel.
echo 1 > /proc/sys/net/ipv4/ip_forward
Add the following lines to the /opt/qradar/conf/iptables-nat.post file, where <portnumber> is the port number that you want to redirect.
-A PREROUTING -p udp --dport <portnumber> -j REDIRECT --to-ports 514
-A PREROUTING -p tcp --dport <portnumber> -j REDIRECT --to-ports 514
Enter the following command to rebuild your iptables.
/opt/qradar/bin/iptables_update.pl
Verify the redirection by typing the following command.
iptables -nvL -t nat
The following code is an example of what the output might look like.
Chain PREROUTING (policy ACCEPT 140 packets, 8794 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REDIRECT   udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:10529 redir ports 514
    0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:10529 redir ports 514

Chain POSTROUTING (policy ACCEPT 207 packets, 25772 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 207 packets, 25772 bytes)
 pkts bytes target     prot opt in     out     source               destination
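Reading that output by eye is error-prone when several ports are redirected, so the following added example (not part of the original page or the JSA product) parses the output of iptables -nvL -t nat and reports which of tcp and udp still lack a PREROUTING REDIRECT from the alternative port to 514. The sample output is constructed to match the listing above.

```python
import re

# Constructed sample, laid out like the `iptables -nvL -t nat` output shown above.
SAMPLE_NAT = """\
Chain PREROUTING (policy ACCEPT 140 packets, 8794 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REDIRECT   udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:10529 redir ports 514
    0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:10529 redir ports 514

Chain POSTROUTING (policy ACCEPT 207 packets, 25772 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 207 packets, 25772 bytes)
 pkts bytes target     prot opt in     out     source               destination
"""

RULE_RE = re.compile(r"\b(tcp|udp) dpt:(\d+) redir ports (\d+)\b")

def parse_nat_redirects(text):
    """Return {chain: [(proto, dport, redir_port), ...]} for every REDIRECT rule.

    The protocol is read from the match text ("udp dpt:...") rather than the
    prot column, because some iptables builds print that column numerically
    under -n."""
    redirects, chain = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+)", line)
        if m:
            chain = m.group(1)
            redirects[chain] = []
            continue
        fields = line.split()
        if chain is None or len(fields) < 3 or fields[2] != "REDIRECT":
            continue
        r = RULE_RE.search(line)
        if r:
            redirects[chain].append((r.group(1), int(r.group(2)), int(r.group(3))))
    return redirects

def missing_syslog_redirects(text, port, to_port=514):
    """Protocols (of tcp and udp) with no PREROUTING REDIRECT from port to to_port."""
    rules = parse_nat_redirects(text).get("PREROUTING", [])
    present = {proto for proto, dport, redir in rules if dport == port and redir == to_port}
    return sorted({"tcp", "udp"} - present)
```

On a host, feed it the real output with missing_syslog_redirects(subprocess.check_output(["iptables", "-nvL", "-t", "nat"], text=True), <portnumber>); an empty list means both protocols are redirected.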
Redirecting Inbound Syslog Traffic
You can use your JSA console as a syslog message gateway to redirect inbound events, by configuring rules in iptables.
Enable the forwarding rule for a log source on your Event Collector.
Set the forwarding destination for the TCP syslog to be the console IP address on port 7780.
From the command line of the console, add the following iptables rule to redirect to another host.
iptables -t nat -I OUTPUT --src 0/0 --dst 153.2.200.80 -p tcp --dport 7780 -j REDIRECT --to-ports 514
Configuring Iptables Rules
Access to JSA network services is controlled first on each host by iptables. The iptables rules are adjusted and configured to the requirements of the deployment: ports for Ariel searching and streaming, and the use of encryption (tunneling) between hosts, can each update various iptables rules.
You can configure and check iptables rules for IPv4 and IPv6. The following procedure indicates how you can tune your iptables manually.
Log in to JSA as the root user by using SSH.
Login: <root>
Password: <password>
Type the following command to edit the pre rules iptables file:
IPv4:
vi /opt/qradar/conf/iptables.pre
IPv6:
vi /opt/qradar/conf/ip6tables.pre
The iptables.pre configuration file is displayed.
Type the following command to edit the post rules iptables file:
IPv4:
vi /opt/qradar/conf/iptables.post
IPv6:
vi /opt/qradar/conf/ip6tables.post
The iptables.post configuration file is displayed.
Add the following rule for JSA to access a specific port number, where portnumber is the port number:
To accept UDP traffic for a specific port input:
-A INPUT -m udp -p udp --dport <portnumber> -j ACCEPT
To accept TCP traffic for a specific port input:
-A INPUT -m state --state NEW -m tcp -p tcp --dport <portnumber> -j ACCEPT
Save your iptables configuration.
Run the following script to propagate the changes:
/opt/qradar/bin/iptables_update.pl
Type the following commands to check for existing iptables:
IPv4:
iptables -L -n -v
IPv6:
ip6tables -L -n -v