
How to enable iptables rules for VSFTPD file reader collection in NetWitness

Issue

Specific iptables rules must be added in order to allow files to be collected via VSFTPD.


Resolution

Perform the steps below to enable the proper iptables rules for VSFTPD file reader collection.
  1. Connect to either the VLC or Log Decoder (depending on where the logs are sent) via SSH as the root user.
  2. Stop the iptables service.
    [root@NW12-LOG-HYBRID ~]# systemctl stop iptables
  3. Using the vi editor, add the VSFTP lines shown below (the rules whose comments mention VSFTP and the two "--sport 1024:65535" rules that follow them) to the /etc/sysconfig/iptables file, anywhere after the ":OUTPUT ACCEPT [nn:nn]" line and before the "COMMIT" line. The other rules shown are existing entries and appear only for context. Note that the two "--sport 1024:65535 --dport 20:65535 ... --ctstate NEW,ESTABLISHED" rules accept new TCP connections on every port from 20 upward, so they are far broader than the port 20 and 21 rules; review whether that breadth is acceptable for the host before applying them.
    :OUTPUT ACCEPT [0:0]
    -A INPUT -m comment --comment "000 INPUT allow related and established" -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p icmp -m comment --comment "001 accept all icmp requests" -j ACCEPT
    -A INPUT -i lo -p tcp -m comment --comment "002 INPUT allow loopback" -j ACCEPT
    -A INPUT -p tcp -m multiport --ports 5671 -m comment --comment "1 AMQPS" -j ACCEPT
    -A INPUT -p tcp -m multiport --ports 50006 -m comment --comment "1 Appliance Port" -j ACCEPT
    -A INPUT -p tcp -m multiport --ports 50001 -m comment --comment "1 LogCollector Port" -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 21 -m comment --comment "VSFTP connection" -m state --state NEW -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 20 -m comment --comment "VSFTP File Transfer" -m state --state NEW -j ACCEPT
    -A INPUT -p tcp -m tcp --sport 1024:65535 --dport 20:65535 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    -A OUTPUT -p tcp -m multiport --dports 21 -m comment --comment "VSFTP Connect 2" -m state --state NEW -j ACCEPT
    -A OUTPUT -p tcp -m multiport --dports 20 -m comment --comment "VSFTP Transfer 2" -m state --state NEW -j ACCEPT
    -A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 20:65535 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

    -A INPUT -j DROP
    -A FORWARD -j DROP
    -A OUTPUT -j ACCEPT
    COMMIT
  4. Save the /etc/sysconfig/iptables file by typing :wq! in the vi editor.
  5. Start the iptables service again.
    [root@NW12-LOG-HYBRID ~]# systemctl start iptables 
  6. Confirm the rules are now loaded:
    [root@NW12-LOG-HYBRID ~]# iptables -L
    Chain INPUT (policy DROP)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
    ACCEPT all -- anywhere anywhere
    DROP all -- anywhere anywhere ctstate INVALID
    ACCEPT tcp -- anywhere anywhere tcp multiport dports ssh /* SSH */ ctstate NEW
    ACCEPT udp -- anywhere anywhere udp multiport dports ntp /* ntp */ ctstate NEW
    ACCEPT tcp -- anywhere anywhere tcp multiport dports amqps /* rabbitmq-amqp */ ctstate NEW
    ACCEPT tcp -- anywhere anywhere tcp multiport dports 15671 /* rabbitmq-mgmt */ ctstate NEW
    ACCEPT tcp -- anywhere anywhere tcp multiport dports 50006,50106,56006 /* nwappliancePorts */ ctstate NEW
    ACCEPT tcp -- anywhere anywhere tcp multiport dports dpserve /* NodeInfraServerPort */ ctstate NEW
    ACCEPT tcp -- anywhere anywhere tcp multiport dports 50005,50105,56005 /* nwconcentratorPorts */ ctstate NEW
    ACCEPT tcp -- anywhere anywhere tcp multiport dports syslog-tls,50002,50102,50202,56002,56202 /* nwlogdecoderPorts */ ctstate NEW
    ACCEPT tcp -- anywhere anywhere tcp multiport dports shell,amqps,syslog-tls,50001,50101,56001 /* nwlogcollectorTcpPorts */ ctstate NEW
    ACCEPT udp -- anywhere anywhere udp multiport dports snmptrap,syslog,iop,ipfix,sflow,palace-4 /* nwlogcollectorUdpPorts */ ctstate NEW
    ACCEPT tcp -- anywhere anywhere tcp multiport dports ftp,64000,64001,64002,64003,64004,64005,64006,64007,64008,64009 /* nwlogcollectorFTPSPorts */ ctstate NEW
    ACCEPT tcp -- anywhere anywhere multiport dports ftp /* VSFTP connection */ state NEW
    ACCEPT tcp -- anywhere anywhere multiport dports ftp-data /* VSFTP File Transfer */ state NEW
    ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpts:ftp-data:65535 ctstate NEW,ESTABLISHED
    DROP all -- anywhere anywhere

    Chain FORWARD (policy DROP)
    target prot opt source destination
    DROP all -- anywhere anywhere

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination
    ACCEPT tcp -- anywhere anywhere multiport dports ftp /* VSFTP Connect 2 */ state NEW
    ACCEPT tcp -- anywhere anywhere multiport dports ftp-data /* VSFTP Transfer 2 */ state NEW
    ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpts:ftp-data:65535 ctstate NEW,ESTABLISHED
    ACCEPT all -- anywhere anywhere
  7. Using an FTP client such as FileZilla, connect to the appliance and transfer a dummy file; the transfer should succeed.
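Before step 5, it is worth checking the edited file offline, because a malformed line makes iptables-restore reject the whole file and the service then starts with no rules loaded. The script below is an added example, not NetWitness tooling: it assumes the file layout shown in step 3 and constructs its own sample files, flagging both a missing leading dash and a VSFTP rule pasted after the terminal INPUT DROP.

```shell
#!/bin/sh
# Added example, not NetWitness tooling: sanity-check /etc/sysconfig/iptables
# before "systemctl start iptables". A typo such as "A INPUT -j DROP" makes
# iptables-restore reject the whole file, and the host comes up unfiltered.

# lint_rules FILE: every non-blank, non-comment line must be a table (*filter),
# a chain policy (:CHAIN POLICY [n:n]), a rule (-A/-I/-D ...) or COMMIT.
lint_rules() {
  bad=$(grep -v -E '^[[:space:]]*(#|$)' "$1" \
        | grep -v -E '^(\*[a-z]+|:[A-Z]+ [A-Z]+ \[[0-9]+:[0-9]+\]|-[AID] .*|COMMIT)$') || true
  [ -z "$bad" ]
}

# vsftp_rules_placed FILE: the INPUT ACCEPT rules for ports 21 and 20 must sit
# after ":OUTPUT ACCEPT" and before "-A INPUT -j DROP" and COMMIT; a rule
# appended after the terminal DROP is never reached.
vsftp_rules_placed() {
  awk '
    /^:OUTPUT ACCEPT/                            { seen_output = 1 }
    /^-A INPUT -j DROP/ || /^COMMIT/             { closed = 1 }
    /^-A INPUT -p tcp -m multiport --dports 21 / { if (seen_output && !closed) p21 = 1 }
    /^-A INPUT -p tcp -m multiport --dports 20 / { if (seen_output && !closed) p20 = 1 }
    END { if (p21 && p20) exit 0; exit 1 }
  ' "$1"
}

# Constructed sample files (not copied from a real host).
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/good" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 21 -m comment --comment "VSFTP connection" -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m multiport --dports 20 -m comment --comment "VSFTP File Transfer" -m state --state NEW -j ACCEPT
-A INPUT -j DROP
-A FORWARD -j DROP
-A OUTPUT -j ACCEPT
COMMIT
EOF
# Variant 1: dash missing from the DROP rule (the typo lint_rules catches).
sed 's/^-A INPUT -j DROP/A INPUT -j DROP/' "$tmp/good" > "$tmp/typo"
# Variant 2: the port-20 rule pasted after the terminal DROP (shadowed).
{ grep -v -- '--dports 20 ' "$tmp/good" | sed '/^COMMIT$/d'
  grep -- '--dports 20 ' "$tmp/good"; echo COMMIT; } > "$tmp/shadowed"
for f in good typo shadowed; do
  if lint_rules "$tmp/$f" && vsftp_rules_placed "$tmp/$f"; then echo "$f: OK"; else echo "$f: NOT OK"; fi
done
```

Run it against the real file with lint_rules /etc/sysconfig/iptables && vsftp_rules_placed /etc/sysconfig/iptables before restarting the service.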


If you are unsure of any of the steps above or experience any issues, contact NetWitness Support and quote this article number for further assistance.


Notes

To ensure the firewall rules are not overwritten during upgrades or by nw-manage commands, do the following:

Add a customer-firewall line to the /etc/netwitness/config-management/environments/netwitness.json file (which holds persistent data about the environment) by performing the steps below. This must be done on every host where custom firewall rules are configured; otherwise the rules will not persist.

  1. Connect to the host via SSH.
  2. Update the netwitness.json file, adding the customer-firewall line from the example below:

    The line needs to go between the "global" header and the "mongo" sub-header (be sure to add a comma at the end of the line).

    # vi /etc/netwitness/config-management/environments/netwitness.json
    "global" : {
          "customer-firewall" : true,
          "mongo" : {

Product Details

NetWitness Product Set: NetWitness Logs & Network 
NetWitness Product/Service Type: Log Collector, Log Decoder
NetWitness Version/Condition: 11.x , 12.x
Platform: CentOS , AlmaLinux


Summary

Specific iptables rules must be added in order to allow files to be collected via VSFTPD.

