How to create a custom firewall rule to allow only NetWitness appliance IPs access to port TCP/15671
Issue
For extra security, you may want to restrict certain TCP ports that NetWitness requires so that they are reachable only from known NetWitness appliance IPs, for example the RabbitMQ management port TCP/15671.
Resolution
- Configure NetWitness to allow custom firewall rules, so that the following changes are not reverted.
Follow the steps in RSA KB# How to add custom firewall rules after nwsetup-tui has completed in RSA NetWitness Logs & Network 11.x.
- Make a backup copy of the current iptables configuration file.
cp -p /etc/sysconfig/iptables /etc/sysconfig/iptables.orig
- Create a "nwhosts" ipset and add all the NetWitness appliance IPs.
ipset -N nwhosts iphash   # Create a new set named "nwhosts" of type iphash (equivalent to "ipset create nwhosts hash:ip")
ipset -A nwhosts 1.2.3.4  # Add one IP to the set "nwhosts" (equivalent to "ipset add nwhosts 1.2.3.4")
Replace 1.2.3.4 with the IP address of a NetWitness appliance and repeat the ipset -A command for every NetWitness appliance in the deployment. Any appliance left out of the set loses access to TCP/15671 on the host where the rule is applied.
To list the NetWitness appliances known to the NW Admin Server, run this command on the NW Admin Server,
upgrade-cli-client --list | cut -d, -f2-3 | grep -v null
- Check that all the added IPs exist in the "nwhosts" ipset.
ipset list nwhosts
See example output below,
Name: nwhosts
Type: hash:ip
Revision: 1
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 16544
References: 0
Members:
1.2.3.4
- Change the iptables configuration file to use the newly created "nwhosts" ipset entries.
cp -p /etc/sysconfig/iptables .
vi ./iptables
Change only the iptables line that refers to "--dports 15671" so that it appears like the line below. The only addition is the "-m set --match-set nwhosts src" match, which limits the ACCEPT rule to packets whose source IP is a member of the "nwhosts" set; leave every other rule in the file as it is.
-A INPUT -p tcp -m tcp -m multiport --dports 15671 -m set --match-set nwhosts src -m comment --comment "rabbitmq-mgmt" -m conntrack --ctstate NEW -j ACCEPT
Save the changes in the ./iptables file.
- Test the changes in the new ./iptables file.
iptables-restore --test ./iptables
If the command produces no output, the file contains no errors. Any parse error is reported with its line number, and nothing is applied to the running firewall by this test.
- Update the running firewall rules with the new ./iptables rules. Then copy ./iptables back over /etc/sysconfig/iptables (the reverse of the cp in the earlier step) so that the change also survives a restart of the iptables service; iptables-restore alone changes only the running rules.
iptables-restore < ./iptables
- Confirm that the running iptables rules now include the modified rule.
iptables -L |grep 15671
See example output below,
ACCEPT tcp -- anywhere anywhere tcp multiport dports 15671 match-set nwhosts src /* rabbitmq-mgmt */ ctstate NEW
- Test that the connection to port TCP/15671 still works from another NetWitness appliance: log in with ssh to another appliance whose IP was added to the "nwhosts" set and run,
curl -v 1.1.1.1:15671
See example output of successful connection below,
* About to connect() to 1.1.1.1 port 15671 (#0)
* Trying 1.1.1.1...
* Connected to 1.1.1.1 (1.1.1.1) port 15671 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: 1.1.1.1:15671
> Accept: */*
>
* Empty reply from server
* Connection #0 to host 1.1.1.1 left intact
curl: (52) Empty reply from server
The "(52) Empty reply from server" result is expected here: the firewall accepted the TCP connection (see "Connected to" above), and the service listening on TCP/15671, which expects TLS, closed the connection when it received plain HTTP. A connection that is refused or times out would instead indicate that the host is being blocked.
An alternate command to test is,
nc -nzv 1.1.1.1 15671
See example output of successful connection below,
Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Connected to 1.1.1.1:15671.
Ncat: 0 bytes sent, 0 bytes received in 0.01 seconds.
Where 1.1.1.1 is the IP address of the NetWitness Server with the modified iptables rule.
Also repeat the test from a host whose IP is not in the "nwhosts" set and confirm that the connection now fails (it times out or is refused, depending on the default policy of the INPUT chain).
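The whole procedure above as one script, added here for illustration (it is not NetWitness-supplied code): it builds the ipset from a list of appliance IPs, inserts the --match-set clause into only the TCP/15671 rule of an iptables-save style file, validates the result with iptables-restore --test, loads it, writes it back to /etc/sysconfig/iptables, and saves the set so it is recreated at boot. The appliance IPs, the ./iptables.new working file, the script name restrict-15671.sh and the use of /etc/sysconfig/ipset with the ipset-service package are assumptions; the text-processing functions run anywhere, while apply needs root on the NetWitness host.

```shell
#!/bin/sh
# Added example (not NetWitness-supplied code): the KB steps as one script.
# Assumptions: the rules file is /etc/sysconfig/iptables, the ipset-service
# package is installed so /etc/sysconfig/ipset is reloaded at boot before
# iptables, and NW_HOSTS below is a constructed placeholder for the real IPs.
set -eu

SET_NAME="nwhosts"
PORT="15671"
RULES_FILE="/etc/sysconfig/iptables"

# Constructed sample appliance IPs; replace with the output of
# "upgrade-cli-client --list" on the NW Admin Server.
NW_HOSTS="10.0.0.10
10.0.0.11
10.0.0.12"

# Emit an "ipset restore" script: one create line, then one add line per
# IP read from stdin (blank lines are skipped).
gen_ipset_restore() {
    setname="$1"
    echo "create ${setname} hash:ip family inet"
    while IFS= read -r ip; do
        if [ -n "$ip" ]; then
            echo "add ${setname} ${ip}"
        fi
    done
}

# Read an iptables-save style file on stdin and write it to stdout with
# "-m set --match-set <set> src" inserted after "--dports <port>". Only rules
# for that exact port are touched, and rules that already carry a
# --match-set are left alone, so running it twice changes nothing.
patch_rule() {
    setname="$1" port="$2"
    awk -v setname="$setname" -v port="$port" '
        $0 ~ ("--dports " port "([^0-9]|$)") && $0 !~ /--match-set/ {
            sub("--dports " port, "--dports " port " -m set --match-set " setname " src")
        }
        { print }
    '
}

# Return 0 only if every rule for the port in the file on stdin carries the
# ipset match; used as a guard before anything is loaded into the kernel.
check_patched() {
    setname="$1" port="$2"
    missing=$(grep -E -- "--dports ${port}([^0-9]|$)" | grep -Fvc -- "--match-set ${setname} src" || true)
    [ "${missing:-0}" -eq 0 ]
}

# Apply on a NetWitness host: build the set, patch, test, load, persist, verify.
apply() {
    [ "$(id -u)" -eq 0 ] || { echo "apply must run as root" >&2; return 1; }
    cp -p "$RULES_FILE" "${RULES_FILE}.orig"
    printf '%s\n' "$NW_HOSTS" | gen_ipset_restore "$SET_NAME" | ipset -exist restore
    patch_rule "$SET_NAME" "$PORT" < "$RULES_FILE" > ./iptables.new
    check_patched "$SET_NAME" "$PORT" < ./iptables.new
    iptables-restore --test ./iptables.new     # no output means the file parses cleanly
    iptables-restore < ./iptables.new          # load into the running firewall
    cp -p ./iptables.new "$RULES_FILE"         # survive an iptables service restart
    ipset save > /etc/sysconfig/ipset          # assumed: ipset-service restores this at boot
    iptables -n -L INPUT | grep -- "$PORT"     # show the rule now in force
}

# Only touch the system when explicitly asked: "sh restrict-15671.sh apply".
if [ "${1:-}" = "apply" ]; then
    apply
fi
```

Without the apply argument the script only defines its functions, so it can be sourced first and patch_rule run against a copy of /etc/sysconfig/iptables to review the rewritten rule before anything is loaded; apply does the root-only steps in the same order as the KB, with check_patched and iptables-restore --test as gates before the running rules are replaced.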
Notes
If IPv6 is used, repeat the above commands with the equivalent ip6tables commands and a second ipset created with the "family inet6" option, because a hash:ip set holds addresses of one address family only.
The ipset lives only in kernel memory and is not saved together with the iptables rules. If the "nwhosts" set does not exist when the iptables service loads /etc/sysconfig/iptables at boot, the restore fails on the --match-set line and the rules are not loaded. On CentOS 7 the ipset-service package provides an ipset service that restores /etc/sysconfig/ipset before iptables starts; save the set to that file with "ipset save" and enable the service so the set is recreated on every boot.
Product Details
RSA Product Set: RSA NetWitness Logs & Network
RSA Product/Service Type: Core Appliance
RSA Version/Condition: 11.4.x
Platform: CentOS
O/S Version: 7
Summary
How to restrict TCP port access on NetWitness appliances to only NetWitness appliance IPs?