000039194 - How to create custom firewall rule to allow only NetWitness appliance IPs access to port TCP/15671

Document created by RSA Customer Support Employee on Aug 6, 2020

Article Content

Article Number: 000039194
Applies To: RSA Product Set: RSA NetWitness Logs & Network
RSA Product/Service Type: Core Appliance
RSA Version/Condition: 11.4.x
Platform: CentOS
O/S Version: 7
Issue: For extra security, we want to restrict certain TCP ports required by NetWitness so that they are reachable only from known NetWitness appliance IPs, for example the RabbitMQ management port TCP/15671.
  1. Configure NetWitness to allow custom firewall rules, so the following changes will not be reverted.
    Follow the steps in RSA KB# How to add custom firewall rules after nwsetup-tui has completed in RSA NetWitness Logs & Network 11.x.
  2. Make a backup copy of the current iptables configuration file.
        cp -p /etc/sysconfig/iptables /etc/sysconfig/iptables.orig
  3. Create a "nwhosts" ipset and add all the NetWitness appliance IPs.
        ipset -N nwhosts iphash        # Create a new set named "nwhosts" of type iphash
        ipset -A nwhosts    # Repeat adding each IP to the set "nwhosts"

    Replace with the IP address of a NetWitness appliance and repeat this command for all NetWitness appliances.

    To list the NetWitness appliances known to the NW Admin Server, run this command on the NW Admin Server,

        upgrade-cli-client --list |cut -d, -f2-3 |grep -v null
  4. Check all the added IPs exist in the "nwhosts" ipset.
        ipset list nwhosts

    See example output below,

    Name: nwhosts
    Type: hash:ip
    Revision: 1
    Header: family inet hashsize 1024 maxelem 65536
    Size in memory: 16544
    References: 0

  5. Change the iptables configuration file to use the newly created "nwhosts" ipset entries.
        cp -p /etc/sysconfig/iptables .

        vi ./iptables

    Change only the iptables line that refers to "--dports 15671" so that it reads like the line below,

    -A INPUT -p tcp -m tcp -m multiport --dports 15671 -m set --match-set nwhosts src -m comment --comment "rabbitmq-mgmt" -m conntrack --ctstate NEW -j ACCEPT

    Save the changes in the ./iptables file.
  6. Test the changes in the new ./iptables file.
        iptables-restore --test ./iptables

    If there is no output to this command, then there is no error in the file.
  7. Update the existing firewall rules with the new ./iptables rules.
        iptables-restore < ./iptables
  8. Confirm that the iptables service is now running with the new rule.
        iptables -L |grep 15671

    See example output below,

    ACCEPT     tcp  --  anywhere             anywhere             tcp multiport dports 15671 match-set nwhosts src /* rabbitmq-mgmt */ ctstate NEW
  9. Test that the connection to port TCP/15671 still works from another NW appliance: log in via ssh to another IP that was added to the "nwhosts" set and run,
        curl -v
    See example output of a successful connection below,

* About to connect() to port 15671 (#0)
*   Trying
* Connected to ( port 15671 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host:
> Accept: */*
* Empty reply from server
* Connection #0 to host left intact
curl: (52) Empty reply from server

An alternate command to test is,

    nc -nzv 15671

See example output of successful connection below,

Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Connected to
Ncat: 0 bytes sent, 0 bytes received in 0.01 seconds.

Where is the IP address of the NetWitness Server with the modified iptables rule.
Notes: If IPv6 is used, repeat the above commands using the equivalent ip6tables commands.
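The following helper functions are an added example and are not part of the RSA article or product; they automate the checks behind steps 3 to 8 (verifying the "nwhosts" members, rewriting the TCP/15671 rule in a copy of the iptables file, and confirming the loaded rule is restricted). The set name and rule text come from the article; the file names and the expected-IP list are assumptions.

```shell
#!/usr/bin/env bash
# Added helper functions (not from the RSA article) for the procedure above:
# check that the "nwhosts" ipset holds every expected appliance IP, rewrite
# the TCP/15671 rule in a copy of the iptables file to match only that set,
# and confirm the loaded rule is restricted. Set name and rule text are the
# article's; everything else is assumed. Note that iptables-restore refuses
# a file that references a set which does not yet exist in the kernel.
set -u

# Print expected IPs (stdin, one per line) that are absent from the Members
# section of `ipset list nwhosts` output passed as $1; returns 1 if any are.
missing_nwhosts() {
  local listing="$1" ip rc=0
  while read -r ip; do
    [ -z "$ip" ] && continue
    if ! printf '%s\n' "$listing" | awk '/^Members:/{m=1;next} m' | grep -qxF "$ip"; then
      printf '%s\n' "$ip"; rc=1
    fi
  done
  return $rc
}

# Copy iptables file $1 to $2, inserting "-m set --match-set nwhosts src"
# right after "--dports 15671" in any rule that lacks it (idempotent).
# Prints how many rules in $2 now carry the set match.
restrict_rabbitmq_rule() {
  awk '/--dports 15671/ && !/--match-set nwhosts/ {
         sub(/--dports 15671/, "--dports 15671 -m set --match-set nwhosts src") }
       { print }' "$1" > "$2" || return 1
  grep -c -- '--dports 15671 .*--match-set nwhosts src' "$2"
}

# Given `iptables -S INPUT` output as $1, succeed only if at least one ACCEPT
# rule for dport 15671 exists and every such rule is limited to nwhosts.
rule_is_restricted() {
  local rules
  rules=$(printf '%s\n' "$1" | grep -- '--dports 15671' | grep -- '-j ACCEPT') || true
  [ -n "$rules" ] || return 1
  ! printf '%s\n' "$rules" | grep -qv -- '--match-set nwhosts src'
}

# Live use on an appliance (paths as in the article), e.g.:
#   missing_nwhosts "$(ipset list nwhosts)" < expected_ips.txt
#   restrict_rabbitmq_rule /etc/sysconfig/iptables ./iptables \
#     && iptables-restore --test ./iptables
#   rule_is_restricted "$(iptables -S INPUT)" && echo "15671 restricted to nwhosts"
```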