Worked Example Taken from an RSA Test environment.
Server                         | Real IP Address | Public (NAT) IP Address
SA Server (puppetmaster.local) | 192.168.123.3   | 172.16.0.3
Remote Log Collector (rvlc1)   | 172.18.0.105    | 172.16.0.15
Local Log Collector* (logdec1) | 192.168.123.4   | 172.16.0.4
* Note: "Local Log Collector" here means the Log Decoder appliance in the same subnet as the SA Server, which also runs a Log Collector service.
SA Server
In /etc/hosts, puppetmaster.local points to 127.0.0.1 (the IPv4 loopback address), and rvlc1 points to the Remote Log Collector's NAT address, 172.16.0.15.
# cat /etc/hosts
# Created by NetWitness Installer on Mon Dec 28 23:14:57 UTC 2015
127.0.0.1   SASERVER localhost localhost.localdomain localhost4 localhost4.localdomain4 puppetmaster.local
::1         SASERVER localhost localhost.localdomain localhost6 localhost6.localdomain6
172.16.0.15 rvlc1
You can view the NAT rules that were added to the SA Server's iptables for the Remote Log Collector either by listing the live nat table (Note: the Local Log Collector is in the same subnet as the SA Server, so no NAT rule is needed for it):
# iptables -L -nv -t nat
Or by examining the iptables configuration file directly (the example below shows the SA Server's saved rules):
# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Mon Feb 23 11:04:55 2015
*nat
:PREROUTING ACCEPT [8:480]
:POSTROUTING ACCEPT [38:2270]
:OUTPUT ACCEPT [38:2270]
-A OUTPUT -d 172.18.0.105/32 -p tcp -m tcp --dport 5671 -j DNAT --to-destination 172.16.0.15:5671
-A OUTPUT -d 172.18.0.105/32 -p tcp -m tcp --dport 56001 -j DNAT --to-destination 172.16.0.15:56001
-A OUTPUT -d 172.18.0.105/32 -p tcp -m tcp --dport 56006 -j DNAT --to-destination 172.16.0.15:56006
COMMIT
# Generated by iptables-save v1.4.7 on Fri Sep 12 16:38:25 2014
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m multiport --ports 5671 -m comment --comment "1 AMQPS" -j ACCEPT
-A INPUT -p tcp -m multiport --ports 50006 -m comment --comment "1 Appliance Port" -j ACCEPT
-A INPUT -p tcp -m multiport --ports 8140 -m comment --comment "1 Puppet Port" -j ACCEPT
-A INPUT -p tcp -m multiport --ports 443 -m comment --comment "1 SA Port" -j ACCEPT
-A INPUT -p tcp -m multiport --ports 50106 -m comment --comment "2 Appliance REST Port" -j ACCEPT
-A INPUT -p tcp -m multiport --ports 61614 -m comment --comment "2 STOMP Port" -j ACCEPT
-A INPUT -p tcp -m multiport --ports 80 -m comment --comment "2 Yum Port" -j ACCEPT
-A INPUT -p tcp -m multiport --ports 56006 -m comment --comment "3 Appliance Service Port" -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.123.27/32 -p udp -m udp --dport 161 -j ACCEPT
-A INPUT -s 192.168.123.27/32 -p tcp -m tcp --dport 161 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 50006 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 50106 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 60007 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 139 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 51024:51033 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 137 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 138 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 50010 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Fri Sep 12 16:38:25 2014
Iptables on Remote VLC behind NAT
In /etc/hosts, puppetmaster.local points to 172.16.0.3 (the SA Server's NAT address) and logdec1 points to 172.16.0.4 (the Local Log Collector's NAT address), because the Remote VLC can only reach those hosts through NAT.
# cat /etc/hosts
# Created by NetWitness Installer on Tue Dec 29 01:38:14 UTC 2015
127.0.0.1   REMOTEVLCNAT localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         REMOTEVLCNAT localhost localhost.localdomain localhost6 localhost6.localdomain6
172.16.0.3  puppetmaster.local
172.16.0.4  logdec1
Examining the iptables configuration file. The nat OUTPUT chain rewrites every connection the Remote VLC makes to the SA Server's real address (192.168.123.3) or the Local Log Collector's real address (192.168.123.4) so that it goes to the corresponding NAT address instead. Note that, as captured, the first rule for 192.168.123.4 matches --dport 56001 but rewrites it to port 5671; because DNAT is a terminating target, the second 56001 rule below it can never match. The intended rule is almost certainly --dport 5671 to 172.16.0.4:5671, so check for this when copying the rules.
# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Wed Feb 25 15:56:50 2015
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -d 192.168.123.3/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.16.0.3:80
-A OUTPUT -d 192.168.123.3/32 -p tcp -m tcp --dport 5671 -j DNAT --to-destination 172.16.0.3:5671
-A OUTPUT -d 192.168.123.3/32 -p tcp -m tcp --dport 8140 -j DNAT --to-destination 172.16.0.3:8140
-A OUTPUT -d 192.168.123.3/32 -p tcp -m tcp --dport 56001 -j DNAT --to-destination 172.16.0.3:56001
-A OUTPUT -d 192.168.123.3/32 -p tcp -m tcp --dport 61614 -j DNAT --to-destination 172.16.0.3:61614
-A OUTPUT -d 192.168.123.3/32 -p udp -m udp --dport 123 -j DNAT --to-destination 172.16.0.3:123
-A OUTPUT -d 192.168.123.4/32 -p tcp -m tcp --dport 56001 -j DNAT --to-destination 172.16.0.4:5671
-A OUTPUT -d 192.168.123.4/32 -p tcp -m tcp --dport 56001 -j DNAT --to-destination 172.16.0.4:56001
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [14:1624]
-A INPUT -p tcp -m multiport --ports 5671 -m comment --comment "1 AMQPS" -j ACCEPT
-A INPUT -p tcp -m multiport --ports 50006 -m comment --comment "1 Appliance Port" -j ACCEPT
-A INPUT -p tcp -m multiport --ports 50001 -m comment --comment "1 LogCollector Port" -j ACCEPT
-A INPUT -p tcp -m multiport --ports 50106 -m comment --comment "2 Appliance REST Port" -j ACCEPT
-A INPUT -p tcp -m multiport --ports 50101 -m comment --comment "2 LogCollector REST Port" -j ACCEPT
-A INPUT -p tcp -m multiport --ports 56006 -m comment --comment "3 Appliance Service Port" -j ACCEPT
-A INPUT -p tcp -m multiport --ports 56001 -m comment --comment "3 New LogCollector Port" -j ACCEPT
-A INPUT -p tcp -m multiport --ports 514 -m comment --comment "4 Syslog TCP Port" -j ACCEPT
-A INPUT -p udp -m multiport --ports 514 -m comment --comment "4 Syslog UDP Port" -j ACCEPT
-A INPUT -p udp -m multiport --ports 162 -m comment --comment "4 UDP 162 Port" -j ACCEPT
-A INPUT -p udp -m multiport --ports 2055 -m comment --comment "4 UDP 2055 Port" -j ACCEPT
-A INPUT -p udp -m multiport --ports 4739 -m comment --comment "4 UDP 4739 Port" -j ACCEPT
-A INPUT -p udp -m multiport --ports 6343 -m comment --comment "4 UDP 6343 Port" -j ACCEPT
-A INPUT -p udp -m multiport --ports 9995 -m comment --comment "4 UDP 9995 Port" -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8140 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 50006 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 50106 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 56006 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5671 -j ACCEPT
-A INPUT -p udp -m state --state INVALID -m udp --dport 514 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 56001 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 50001 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 50101 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 514 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 514 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 162 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 9995 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 6343 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 4739 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 2055 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Wed Sep 10 10:26:28 2014
Iptables on Local Log Collector
In /etc/hosts, puppetmaster.local points to 192.168.123.3, the SA Server's real IP address, because the Local Log Collector is in the same subnet as the SA Server; rvlc1 points to the Remote Log Collector's NAT address, 172.16.0.15.
# cat /etc/hosts
# Created by NetWitness Installer on Tue Dec 29 01:38:14 UTC 2015
127.0.0.1     LOGDECODER1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1           LOGDECODER1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.123.3 puppetmaster.local
172.16.0.15   rvlc1
Examining the iptables configuration file, which contains the nat rules that redirect the Remote VLC's real address (172.18.0.105) to its NAT address. Two things to verify when reproducing this on your own appliance: first, the capture below sends the DNAT'd traffic to 172.16.0.5, while the table and /etc/hosts give rvlc1's NAT address as 172.16.0.15, so make sure the --to-destination address is the one that actually reaches the Remote Log Collector; second, this host's filter table has an INPUT policy of ACCEPT and no closing REJECT rule, so the per-port ACCEPT rules are not actually restricting anything on it.
# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Mon Feb 23 11:04:55 2015
*nat
:PREROUTING ACCEPT [8:480]
:POSTROUTING ACCEPT [38:2270]
:OUTPUT ACCEPT [38:2270]
-A OUTPUT -d 172.18.0.105/32 -p tcp -m tcp --dport 5671 -j DNAT --to-destination 172.16.0.5:5671
-A OUTPUT -d 172.18.0.105/32 -p tcp -m tcp --dport 56001 -j DNAT --to-destination 172.16.0.5:56001
COMMIT
*filter
:INPUT ACCEPT [4:378]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2:242]
-A INPUT -p tcp -m multiport --ports 5671 -m comment --comment "1 AMQPS" -j ACCEPT
-A INPUT -p tcp -m multiport --ports 50006 -m comment --comment "1 Appliance Port" -j ACCEPT
-A INPUT -p tcp -m multiport --ports 50001 -m comment --comment "1 LogCollector Port" -j ACCEPT
-A INPUT -p tcp -m multiport --ports 50002 -m comment --comment "1 LogDecoder Port" -j ACCEPT
-A INPUT -p tcp -m multiport --ports 50020 -m comment --comment "1 WarehouseConnector Port" -j ACCEPT
-A INPUT -p tcp -m multiport --ports 50106 -m comment --comment "2 Appliance REST Port" -j ACCEPT
-A INPUT -p tcp -m multiport --ports 50101 -m comment --comment "2 LogCollector REST Port" -j ACCEPT
-A INPUT -p tcp -m multiport --ports 50102 -m comment --comment "2 LogDecoder REST Port" -j ACCEPT
-A INPUT -p tcp -m multiport --ports 50120 -m comment --comment "2 WarehouseConnector REST Port" -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 9995 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 6343 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 4739 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 2055 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 162 -j ACCEPT
-A INPUT -p udp -m state --state INVALID -m udp --dport 514 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 514 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 514 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5671 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 56001 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 50101 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 50001 -j ACCEPT
-A INPUT -p tcp -m multiport --ports 56006 -m comment --comment "3 Appliance Service Port" -j ACCEPT
-A INPUT -p tcp -m multiport --ports 56001 -m comment --comment "3 New LogCollector Port" -j ACCEPT
-A INPUT -p tcp -m multiport --ports 56002 -m comment --comment "3 New LogDecoder Port" -j ACCEPT
-A INPUT -p tcp -m multiport --ports 56020 -m comment --comment "3 New WarehouseConnector Port" -j ACCEPT
-A INPUT -p tcp -m multiport --ports 514 -m comment --comment "4 Syslog TCP Port" -j ACCEPT
-A INPUT -p udp -m multiport --ports 514 -m comment --comment "4 Syslog UDP Port" -j ACCEPT
-A INPUT -p udp -m multiport --ports 162 -m comment --comment "4 UDP 162 Port" -j ACCEPT
-A INPUT -p udp -m multiport --ports 2055 -m comment --comment "4 UDP 2055 Port" -j ACCEPT
-A INPUT -p udp -m multiport --ports 4739 -m comment --comment "4 UDP 4739 Port" -j ACCEPT
-A INPUT -p udp -m multiport --ports 6343 -m comment --comment "4 UDP 6343 Port" -j ACCEPT
-A INPUT -p udp -m multiport --ports 9995 -m comment --comment "4 UDP 9995 Port" -j ACCEPT
COMMIT
# Completed on Mon Feb 23 11:04:55 2015
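The OUTPUT-chain DNAT rules in the three captures above are easy to get subtly wrong: a --to-destination that is not the NAT address the table lists for that host, a rule that rewrites the port rather than just the address, or a second rule for the same destination and port that an earlier rule shadows. The following is an added example, not code from the RSA article or from the NetWitness product: a small Python audit that parses an iptables-save dump, picks out the nat table's OUTPUT DNAT rules and checks each one against a real-IP-to-NAT-IP map. The dump it runs on is a constructed sample modelled on the Remote VLC and Local Log Collector captures (including both anomalies noted above); NAT_MAP is taken from the table at the top of this example, and the names SAMPLE_RULES, parse_dnat_rules and audit are chosen here.

```python
"""Audit the OUTPUT-chain DNAT rules of an iptables-save dump against the
real IP -> NAT IP mapping a NetWitness host is supposed to use.

Added example; not part of the RSA article. SAMPLE_RULES is a constructed
dump modelled on the captures in the article, NAT_MAP is the article's table.
"""
import shlex

# Constructed sample: the Remote VLC's SA-facing rules plus the two anomalies
# visible in the captures (56001 rewritten to 5671 and then shadowed, and a
# DNAT target of 172.16.0.5 where the table gives 172.16.0.15 for rvlc1).
SAMPLE_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -d 192.168.123.3/32 -p tcp -m tcp --dport 5671 -j DNAT --to-destination 172.16.0.3:5671
-A OUTPUT -d 192.168.123.3/32 -p tcp -m tcp --dport 8140 -j DNAT --to-destination 172.16.0.3:8140
-A OUTPUT -d 192.168.123.3/32 -p udp -m udp --dport 123 -j DNAT --to-destination 172.16.0.3:123
-A OUTPUT -d 192.168.123.4/32 -p tcp -m tcp --dport 56001 -j DNAT --to-destination 172.16.0.4:5671
-A OUTPUT -d 192.168.123.4/32 -p tcp -m tcp --dport 56001 -j DNAT --to-destination 172.16.0.4:56001
-A OUTPUT -d 172.18.0.105/32 -p tcp -m tcp --dport 5671 -j DNAT --to-destination 172.16.0.5:5671
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m multiport --ports 5671 -m comment --comment "1 AMQPS" -j ACCEPT
COMMIT
"""

# Real IP -> NAT IP, as in the article's table.
NAT_MAP = {
    "192.168.123.3": "172.16.0.3",   # SA Server (puppetmaster.local)
    "192.168.123.4": "172.16.0.4",   # Local Log Collector (logdec1)
    "172.18.0.105": "172.16.0.15",   # Remote Log Collector (rvlc1)
}


def parse_dnat_rules(dump):
    """Return the DNAT rules of the nat table's OUTPUT chain as dicts."""
    rules, table = [], None
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):            # "*nat" / "*filter" table header
            table = line[1:]
            continue
        if table != "nat" or not line.startswith("-A OUTPUT"):
            continue
        args = shlex.split(line)
        rule = {"line": line, "to_port": None}
        for i, tok in enumerate(args[:-1]):
            val = args[i + 1]
            if tok == "-d":
                rule["dst"] = val.split("/")[0]   # drop the /32 mask
            elif tok == "-p":
                rule["proto"] = val
            elif tok == "--dport":
                rule["dport"] = int(val)
            elif tok == "-j":
                rule["target"] = val
            elif tok == "--to-destination":
                if ":" in val:                    # ip:port form
                    ip, _, port = val.rpartition(":")
                    rule["to_ip"], rule["to_port"] = ip, int(port)
                else:                             # bare ip: port unchanged
                    rule["to_ip"] = val
        if rule.get("target") == "DNAT":
            rules.append(rule)
    return rules


def audit(dump, nat_map):
    """Return (finding, rule_line) pairs for every DNAT rule that is wrong.

    wrong-nat-ip    : --to-destination is not the NAT address mapped to -d
    unknown-real-ip : -d is not a host in nat_map at all
    port-rewritten  : the destination port is changed, not just the address
    shadowed        : an earlier rule already matched the same -d/-p/--dport,
                      so this one can never fire (DNAT is a terminating target)
    """
    findings, seen = [], set()
    for r in parse_dnat_rules(dump):
        key = (r.get("dst"), r.get("proto"), r.get("dport"))
        if key in seen:
            findings.append(("shadowed", r["line"]))
        seen.add(key)
        expected = nat_map.get(r.get("dst"))
        if expected is None:
            findings.append(("unknown-real-ip", r["line"]))
        elif r.get("to_ip") != expected:
            findings.append(("wrong-nat-ip", r["line"]))
        if r["to_port"] is not None and r["to_port"] != r.get("dport"):
            findings.append(("port-rewritten", r["line"]))
    return findings


if __name__ == "__main__":
    for kind, line in audit(SAMPLE_RULES, NAT_MAP):
        print(f"{kind:16} {line}")
```

On the sample this reports the 56001-to-5671 rule as port-rewritten, the second 56001 rule as shadowed, and the 172.16.0.5 rule as wrong-nat-ip. To run it against a live appliance, pass the output of iptables-save (or the contents of /etc/sysconfig/iptables) to audit() together with the mapping from your own NAT table; a clean set of rules returns an empty list.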
If the host does not enable (that is, provisioning with the SA Server does not complete), confirm that the correct NAT'd IP address is configured in /etc/puppet/csr_attributes.yaml.
If the Concentrator does not establish a connection to the Decoder over the local IP for aggregation, add the Decoder's local IP via Explore. The local IP may not appear in the list of Decoders available for aggregation because the NAT'd IP was the address used to establish the connection with the SA Server.
Service > Concentrator > tool icon - View - Explore > Right click Concentrator > Properties > Select add in the dropdown list > In Parameters type:
device=<local-IP-of-the-decoder>:<port-of-decoder> username=<service-account-username> password=<service-account-password>
> click the Send button
e.g. device=192.168.0.1:50002 username=admin password=netwitness or, using the SSL service port, device=192.168.0.1:56002 username=admin password=netwitness ssl=true
The username and password shown are the test environment's placeholders; use the service account and password configured on the Decoder rather than the defaults, and prefer the 56002 form with ssl=true so that the aggregation connection, and the credentials sent over it, are encrypted.