Resolution

- Configure NetWitness to allow custom firewall rules so that the following changes are not reverted. Follow the steps in the RSA KB article "How to add custom firewall rules after nwsetup-tui has completed in RSA NetWitness Logs & Network 11.x".

- Make a backup copy of the current iptables configuration file.

    cp -p /etc/sysconfig/iptables /etc/sysconfig/iptables.orig

- Create a "nwhosts" ipset and add the IP address of every NetWitness appliance.

    ipset -N nwhosts iphash     # create a new set named "nwhosts" of type iphash (the legacy name of hash:ip)
    ipset -A nwhosts 1.2.3.4    # add one appliance IP to the set "nwhosts"

  Replace 1.2.3.4 with the IP address of a NetWitness appliance and repeat the ipset -A command for every NetWitness appliance. To list the NetWitness appliances known to the NW Admin Server, run this command on the NW Admin Server:

    upgrade-cli-client --list | cut -d, -f2-3 | grep -v null

- Check that all the added IPs exist in the "nwhosts" ipset.

    ipset list nwhosts

  Example output:

    Name: nwhosts
    Type: hash:ip
    Revision: 1
    Header: family inet hashsize 1024 maxelem 65536
    Size in memory: 16544
    References: 0
    Members:
    1.2.3.4

  Note that an ipset lives only in kernel memory and is not preserved across a reboot. A rule that uses "--match-set nwhosts" is rejected when the set does not exist, which makes the whole rule load fail. Save the set (ipset save > /etc/sysconfig/ipset) and enable the ipset service so the set is recreated before the iptables service loads the rules at boot.

- Change the iptables configuration file to use the newly created "nwhosts" ipset.

    cp -p /etc/sysconfig/iptables .
    vi ./iptables

  Change only the iptables line that refers to "--dports 15671" so that it reads as follows (one line):

    -A INPUT -p tcp -m tcp -m multiport --dports 15671 -m set --match-set nwhosts src -m comment --comment "rabbitmq-mgmt" -m conntrack --ctstate NEW -j ACCEPT

  Save the changes to the ./iptables file.

- Test the changes in the new ./iptables file.

    iptables-restore --test ./iptables

  If the command produces no output, the file contains no errors. The test requires the "nwhosts" set to exist, because the set match is resolved while the file is parsed.

- Replace the running firewall rules with the rules in the new ./iptables file.

    iptables-restore < ./iptables

  To keep the change across restarts of the iptables service, also copy the tested ./iptables back to /etc/sysconfig/iptables; the backup taken above preserves the original.

- Confirm that iptables is now running with the new rule.

    iptables -L | grep 15671

  Example output (one line):

    ACCEPT tcp -- anywhere anywhere tcp multiport dports 15671 match-set nwhosts src /* rabbitmq-mgmt */ ctstate NEW

- Test that the connection to port TCP/15671 still works from another NW appliance: log in by ssh to another IP that was added to the "nwhosts" set and run

    curl -v 1.1.1.1:15671

  Example output of a successful connection:

    * About to connect() to 1.1.1.1 port 15671 (#0)
    *   Trying 1.1.1.1...
    * Connected to 1.1.1.1 (1.1.1.1) port 15671 (#0)
    > GET / HTTP/1.1
    > User-Agent: curl/7.29.0
    > Host: 1.1.1.1:15671
    > Accept: */*
    >
    * Empty reply from server
    * Connection #0 to host 1.1.1.1 left intact
    curl: (52) Empty reply from server

  The "Connected to" line is what shows the firewall rule allows the connection; the empty reply is expected because curl is sending plain HTTP to the TLS-enabled management port.

  An alternate command to test with is

    nc -nzv 1.1.1.1 15671

  Example output of a successful connection:

    Ncat: Version 7.50 ( https://nmap.org/ncat )
    Ncat: Connected to 1.1.1.1:15671.
    Ncat: 0 bytes sent, 0 bytes received in 0.01 seconds.

  Where 1.1.1.1 is the IP address of the NetWitness Server with the modified iptables rule. Repeat the same test from a host that is not in the "nwhosts" set: it should now fail to connect, which confirms the port is restricted to NetWitness appliances only.
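The steps above are manual and the vi edit is the part most likely to go wrong when the change has to be repeated on several appliances. The script below is an added example, not part of the RSA KB article: it prints the ipset commands for a list of appliance IPs, rewrites the "--dports 15671" rule in a copy of the iptables file exactly as the procedure describes, checks the result, and only runs iptables-restore --test when it is root and the "nwhosts" set already exists. The set name "nwhosts", the two appliance IPs in NW_HOSTS and the sample iptables file are constructed for illustration; nothing here touches the live firewall.

```shell
#!/bin/bash
# Added example (not from the RSA KB): scripts the ipset + iptables edit from
# the Resolution so it can be applied identically on every appliance.
# Constructed for illustration: the set name "nwhosts", the IPs in NW_HOSTS and
# the sample iptables file written by make_sample_iptables.
set -eu

NW_HOSTS="1.2.3.4 1.2.3.5"   # constructed; take the real list from upgrade-cli-client --list

# Print the ipset commands that build the set. "-exist" makes re-runs
# idempotent. Printed rather than executed so the script can be reviewed
# without root.
ipset_commands() {
  echo "ipset -exist create nwhosts hash:ip"
  for ip in $NW_HOSTS; do
    echo "ipset -exist add nwhosts $ip"
  done
}

# Write a constructed iptables file holding the unrestricted 15671 rule as it
# looks before the change; the other lines show that they survive untouched.
make_sample_iptables() {   # $1 = path to write
  cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -p tcp -m tcp -m multiport --dports 22 -m comment --comment "ssh" -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -m tcp -m multiport --dports 15671 -m comment --comment "rabbitmq-mgmt" -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Insert "-m set --match-set nwhosts src" right after "--dports 15671" on the
# rabbitmq-mgmt rule, skipping lines that already carry it (idempotent).
# Every other line is copied unchanged.
restrict_mgmt_rule() {   # $1 = input iptables file, $2 = output file
  sed -E '/--dports 15671/{/--match-set nwhosts src/!s/(--dports 15671)/\1 -m set --match-set nwhosts src/;}' \
    "$1" > "$2"
}

# Return 0 when exactly one 15671 rule exists and it matches the set, which is
# what "iptables -L | grep 15671" should show after iptables-restore.
check_rewrite() {   # $1 = rewritten file
  [ "$(grep -c -e '--dports 15671' "$1")" -eq 1 ] &&
  grep -q -e '--dports 15671 -m set --match-set nwhosts src' "$1"
}

# Use the real parser (iptables-restore --test) only when it can succeed: it
# needs root and resolves the set while parsing, so the set must exist.
# Otherwise fall back to the text check.
test_rules() {   # $1 = rewritten file
  if [ "$(id -u)" -eq 0 ] && command -v iptables-restore >/dev/null 2>&1 &&
     ipset list nwhosts >/dev/null 2>&1; then
    iptables-restore --test "$1"
  else
    check_rewrite "$1"
  fi
}

# Demo on a temporary copy, mirroring the KB's backup / edit / test sequence.
work=$(mktemp -d)
make_sample_iptables "$work/iptables"
cp -p "$work/iptables" "$work/iptables.orig"
restrict_mgmt_rule "$work/iptables.orig" "$work/iptables.new"
test_rules "$work/iptables.new"
ipset_commands
grep -e 15671 "$work/iptables.new"
rm -rf "$work"
```

On an appliance, run the printed ipset commands first, then rewrite a copy of /etc/sysconfig/iptables with restrict_mgmt_rule, run test_rules as root, and only then feed the file to iptables-restore as in the procedure.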