000037864 - How to write iptable rules in Netwitness Platform 11.X appliances

Document created by RSA Customer Support Employee on Sep 2, 2019

Article Content

Article Number: 000037864
Applies To: RSA Product Set: NetWitness Logs & Network
RSA Product/Service Type: Core Appliance
RSA Version/Condition: 11.X
Platform: CentOS
O/S Version: 7
 
Issue: On NetWitness 11.X appliances, changes made to the /etc/sysconfig/iptables file with the vi editor are not retained permanently, even after the Netwitness.json settings have been applied.
Tasks: Running the service iptables restart command discards the recent changes made to the iptables file.
Resolution: Use the steps below to add custom rules to iptables.
  1. Run the "iptables -L --line-numbers" command. This lists the current rules together with their rule numbers.

       Sample output:

       #iptables -L --line-numbers
        Chain INPUT (policy DROP)
        num  target     prot opt source               destination
        1    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
        2    ACCEPT     all  --  anywhere             anywhere
        3    DROP       all  --  anywhere             anywhere             ctstate INVALID
        4    ACCEPT     tcp  --  anywhere             anywhere             tcp multiport dports domain /* dnsmasq-tcp-port */ ctstate NEW
        5    ACCEPT     udp  --  anywhere             anywhere             udp multiport dports domain /* dnsmasq-udp-port */ ctstate NEW
        6    ACCEPT     tcp  --  anywhere             anywhere             tcp multiport dports ssh /* SSH */ ctstate NEW
        7    ACCEPT     udp  --  anywhere             anywhere             udp multiport dports ntp /* ntp */ ctstate NEW
        8    ACCEPT     tcp  --  anywhere             anywhere             tcp multiport dports 4505,4506 /* salt master ports */ ctstate NEW
        9    ACCEPT     tcp  --  anywhere             anywhere             tcp multiport dports amqps /* rabbitmq-amqp */ ctstate NEW
        10   ACCEPT     tcp  --  anywhere             anywhere             tcp multiport dports 15671 /* rabbitmq-mgmt */ ctstate NEW
        11   ACCEPT     udp  --  anywhere             anywhere             udp multiport dports 50514 /* rsaAuditPorts */ ctstate NEW
        12   ACCEPT     tcp  --  anywhere             anywhere             tcp multiport dports 27017 /* mongo-listen-port */ ctstate NEW
        13   ACCEPT     tcp  --  anywhere             anywhere             tcp multiport dports http,https /* nginxPort */ ctstate NEW
        14   ACCEPT     tcp  --  anywhere             anywhere             tcp multiport dports 51114 /* rsasoc_re */ ctstate NEW
        15   ACCEPT     tcp  --  anywhere             anywhere             tcp multiport dports 50006,50106,56006 /* nwappliancePorts */ ctstate NEW
        16   ACCEPT     tcp  --  anywhere             anywhere             tcp multiport dports afs3-rmtsys /* LaunchPort */ ctstate NEW
        17   ACCEPT     tcp  --  anywhere             anywhere             tcp multiport dports afs3-errors /* LaunchPort */ ctstate NEW
        18   ACCEPT     tcp  --  anywhere             anywhere             tcp multiport dports talon-webserver /* LaunchPort */ ctstate NEW
        19   ACCEPT     tcp  --  anywhere             anywhere             tcp multiport dports talon-engine /* LaunchPort */ ctstate NEW
        20   ACCEPT     tcp  --  anywhere             anywhere             tcp multiport dports afs3-kaserver /* LaunchPort */ ctstate NEW
        21   ACCEPT     tcp  --  anywhere             anywhere             tcp multiport dports ups-onlinet /* LaunchPort */ ctstate NEW
        22   ACCEPT     tcp  --  anywhere             anywhere             tcp multiport dports afs3-vlserver /* LaunchPort */ ctstate NEW
        23   ACCEPT     tcp  --  anywhere             anywhere             tcp multiport dports afs3-prserver /* LaunchPort */ ctstate NEW
        24   ACCEPT     tcp  --  anywhere             anywhere             tcp multiport dports 50003,50103,56003 /* nwbrokerPorts */ ctstate NEW
        25   DROP       all  --  anywhere             anywhere

  2. Run the "iptables -I INPUT 25 -p udp -m udp --dport 161 -j ACCEPT" command to insert the new rule at position 25, directly above the final DROP rule (the existing DROP rule moves down to position 26). If the last DROP rule in your own listing has a different number, use that number instead, so the new rule is never placed below the DROP.
  3. Run the "service iptables save" command to persist the running rules to /etc/sysconfig/iptables.
  4. Verify the change using the command below. The new rule is listed as rule 25 (udp dpt:snmp) and the final DROP rule is now rule 26:

       # iptables -L --line-numbers
       Chain INPUT (policy DROP)
       num  target     prot opt source               destination
       1    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
       2    ACCEPT     all  --  anywhere             anywhere
       3    DROP       all  --  anywhere             anywhere             ctstate INVALID
       4    ACCEPT     tcp  --  anywhere             anywhere             tcp multiport dports domain /* dnsmasq-tcp-port */ ctstate NEW
       5    ACCEPT     udp  --  anywhere             anywhere             udp multiport dports domain /* dnsmasq-udp-port */ ctstate NEW
       6    ACCEPT     tcp  --  anywhere             anywhere             tcp multiport dports ssh /* SSH */ ctstate NEW
       7    ACCEPT     udp  --  anywhere             anywhere             udp multiport dports ntp /* ntp */ ctstate NEW
       8    ACCEPT     tcp  --  anywhere             anywhere             tcp multiport dports 4505,4506 /* salt master ports */ ctstate NEW
       9    ACCEPT     tcp  --  anywhere             anywhere             tcp multiport dports amqps /* rabbitmq-amqp */ ctstate NEW
       10   ACCEPT     tcp  --  anywhere             anywhere             tcp multiport dports 15671 /* rabbitmq-mgmt */ ctstate NEW
       11   ACCEPT     udp  --  anywhere             anywhere             udp multiport dports 50514 /* rsaAuditPorts */ ctstate NEW
       12   ACCEPT     tcp  --  anywhere             anywhere             tcp multiport dports 27017 /* mongo-listen-port */ ctstate NEW
       13   ACCEPT     tcp  --  anywhere             anywhere             tcp multiport dports http,https /* nginxPort */ ctstate NEW
       14   ACCEPT     tcp  --  anywhere             anywhere             tcp multiport dports 51114 /* rsasoc_re */ ctstate NEW
       15   ACCEPT     tcp  --  anywhere             anywhere             tcp multiport dports 50006,50106,56006 /* nwappliancePorts */ ctstate NEW
       16   ACCEPT     tcp  --  anywhere             anywhere             tcp multiport dports afs3-rmtsys /* LaunchPort */ ctstate NEW
       17   ACCEPT     tcp  --  anywhere             anywhere             tcp multiport dports afs3-errors /* LaunchPort */ ctstate NEW
       18   ACCEPT     tcp  --  anywhere             anywhere             tcp multiport dports talon-webserver /* LaunchPort */ ctstate NEW
       19   ACCEPT     tcp  --  anywhere             anywhere             tcp multiport dports talon-engine /* LaunchPort */ ctstate NEW
       20   ACCEPT     tcp  --  anywhere             anywhere             tcp multiport dports afs3-kaserver /* LaunchPort */ ctstate NEW
       21   ACCEPT     tcp  --  anywhere             anywhere             tcp multiport dports ups-onlinet /* LaunchPort */ ctstate NEW
       22   ACCEPT     tcp  --  anywhere             anywhere             tcp multiport dports afs3-vlserver /* LaunchPort */ ctstate NEW
       23   ACCEPT     tcp  --  anywhere             anywhere             tcp multiport dports afs3-prserver /* LaunchPort */ ctstate NEW
       24   ACCEPT     tcp  --  anywhere             anywhere             tcp multiport dports 50003,50103,56003 /* nwbrokerPorts */ ctstate NEW
       25   ACCEPT     udp  --  anywhere             anywhere             udp dpt:snmp
       26   DROP       all  --  anywhere             anywhere
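
As an added example that is not part of the RSA article, the script below automates steps 2 to 4 for any appliance role: it parses the step 1 listing to find the final catch-all DROP rule in INPUT, inserts the new rule directly above it, saves, and then checks that the rule really sits above the DROP. It assumes the INPUT chain ends with an unconditional "DROP all -- anywhere anywhere" rule, as in the listing above; the listing embedded in the script is constructed for offline checks.

```shell
# Added example, not from the RSA article: derive the insert position from the
# live "iptables -L --line-numbers" listing instead of hard-coding 25, so the rule
# still lands above the final catch-all DROP when the chain length differs.
# Assumption: INPUT ends with an unconditional "DROP all -- anywhere anywhere".
# Listing on stdin; print the rule number of the last catch-all DROP in INPUT
# (a DROP line with no extra match text, i.e. exactly six fields), or 0.
find_catchall_drop() {
    awk '/^Chain / { chain = $2; next }
         chain == "INPUT" && $2 == "DROP" && $3 == "all" && NF == 6 { pos = $1 }
         END { print (pos == "" ? 0 : pos) }'
}

# Listing on stdin; succeed only if an ACCEPT rule containing $1 (e.g. "dpt:snmp")
# sits above the catch-all DROP. This is the article's step 4 made mechanical.
rule_above_drop() {
    awk -v pat="$1" '/^Chain / { chain = $2; next }
         chain == "INPUT" && $2 == "ACCEPT" && index($0, pat) { hit = $1 }
         chain == "INPUT" && $2 == "DROP" && $3 == "all" && NF == 6 { drop = $1 }
         END { exit !(hit != "" && hit + 0 < drop + 0) }'
}

# Steps 2-4: insert the rule args above the catch-all DROP, persist, verify.
# Usage: add_input_rule <text-to-verify> <iptables rule args...>
add_input_rule() {
    pat=$1; shift
    pos=$(iptables -L --line-numbers | find_catchall_drop)
    [ "$pos" -gt 0 ] || { echo "no catch-all DROP in INPUT" >&2; return 1; }
    iptables -I INPUT "$pos" "$@" || return 1
    service iptables save || return 1
    iptables -L --line-numbers | rule_above_drop "$pat"
}

# Constructed, shortened listing in the article's format as it looks after the
# insert, so the helpers can be exercised offline without iptables.
sample_listing() {
    cat <<'EOF'
Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
2    DROP       all  --  anywhere             anywhere             ctstate INVALID
3    ACCEPT     tcp  --  anywhere             anywhere             tcp multiport dports ssh /* SSH */ ctstate NEW
4    ACCEPT     udp  --  anywhere             anywhere             udp dpt:snmp
5    DROP       all  --  anywhere             anywhere
Chain FORWARD (policy DROP)
1    DROP       all  --  anywhere             anywhere
EOF
}

# Only touch the firewall when asked explicitly (as root on the appliance): NW_APPLY=1 sh add_rule.sh
if [ "${NW_APPLY:-0}" = "1" ]; then add_input_rule "dpt:snmp" -p udp -m udp --dport 161 -j ACCEPT; fi
```

Note that the "DROP ... ctstate INVALID" rule near the top of the chain has extra match text and is deliberately not counted as the catch-all, so the new rule is inserted above the final DROP only.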
