
How to write iptables rules in NetWitness Platform 11.X appliances

Issue

On NetWitness 11.X appliances, changes made directly to the /etc/sysconfig/iptables file with the vi editor do not persist, even after the Netwitness.json settings have been applied.

Tasks

Running the "service iptables restart" command discards recent changes made to the iptables file.

Resolution

Use the steps below to add custom rules to iptables.
  1. Run the "iptables -L --line-numbers" command. This lists the current rules together with their rule numbers.

         Sample output:
    #iptables -L --line-numbers
    Chain INPUT (policy DROP)
    num target prot opt source destination
    1 ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
    2 ACCEPT all -- anywhere anywhere
    3 DROP all -- anywhere anywhere ctstate INVALID
    4 ACCEPT tcp -- anywhere anywhere tcp multiport dports domain /* dnsmasq-tcp-port */ ctstate NEW
    5 ACCEPT udp -- anywhere anywhere udp multiport dports domain /* dnsmasq-udp-port */ ctstate NEW
    6 ACCEPT tcp -- anywhere anywhere tcp multiport dports ssh /* SSH */ ctstate NEW
    7 ACCEPT udp -- anywhere anywhere udp multiport dports ntp /* ntp */ ctstate NEW
    8 ACCEPT tcp -- anywhere anywhere tcp multiport dports 4505,4506 /* salt master ports */ ctstate NEW
    9 ACCEPT tcp -- anywhere anywhere tcp multiport dports amqps /* rabbitmq-amqp */ ctstate NEW
    10 ACCEPT tcp -- anywhere anywhere tcp multiport dports 15671 /* rabbitmq-mgmt */ ctstate NEW
    11 ACCEPT udp -- anywhere anywhere udp multiport dports 50514 /* rsaAuditPorts */ ctstate NEW
    12 ACCEPT tcp -- anywhere anywhere tcp multiport dports 27017 /* mongo-listen-port */ ctstate NEW
    13 ACCEPT tcp -- anywhere anywhere tcp multiport dports http,https /* nginxPort */ ctstate NEW
    14 ACCEPT tcp -- anywhere anywhere tcp multiport dports 51114 /* rsasoc_re */ ctstate NEW
    15 ACCEPT tcp -- anywhere anywhere tcp multiport dports 50006,50106,56006 /* nwappliancePorts */ ctstate NEW
    16 ACCEPT tcp -- anywhere anywhere tcp multiport dports afs3-rmtsys /* LaunchPort */ ctstate NEW
    17 ACCEPT tcp -- anywhere anywhere tcp multiport dports afs3-errors /* LaunchPort */ ctstate NEW
    18 ACCEPT tcp -- anywhere anywhere tcp multiport dports talon-webserver /* LaunchPort */ ctstate NEW
    19 ACCEPT tcp -- anywhere anywhere tcp multiport dports talon-engine /* LaunchPort */ ctstate NEW
    20 ACCEPT tcp -- anywhere anywhere tcp multiport dports afs3-kaserver /* LaunchPort */ ctstate NEW
    21 ACCEPT tcp -- anywhere anywhere tcp multiport dports ups-onlinet /* LaunchPort */ ctstate NEW
    22 ACCEPT tcp -- anywhere anywhere tcp multiport dports afs3-vlserver /* LaunchPort */ ctstate NEW
    23 ACCEPT tcp -- anywhere anywhere tcp multiport dports afs3-prserver /* LaunchPort */ ctstate NEW
    24 ACCEPT tcp -- anywhere anywhere tcp multiport dports 50003,50103,56003 /* nwbrokerPorts */ ctstate NEW
    25 DROP all -- anywhere anywhere
  2. Run the "iptables -I INPUT 25 -p udp -m udp --dport 161 -j ACCEPT" command to insert the new rule at position 25, directly above the final DROP rule. The position comes from the listing in step 1: use the number of the final DROP rule as shown on your appliance.
  3. Run the "service iptables save" command so the change survives a restart.
  4. Verify the changes with the command below.
    # iptables -L --line-numbers
    Chain INPUT (policy DROP)
    num target prot opt source destination
    1 ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
    2 ACCEPT all -- anywhere anywhere
    3 DROP all -- anywhere anywhere ctstate INVALID
    4 ACCEPT tcp -- anywhere anywhere tcp multiport dports domain /* dnsmasq-tcp-port */ ctstate NEW
    5 ACCEPT udp -- anywhere anywhere udp multiport dports domain /* dnsmasq-udp-port */ ctstate NEW
    6 ACCEPT tcp -- anywhere anywhere tcp multiport dports ssh /* SSH */ ctstate NEW
    7 ACCEPT udp -- anywhere anywhere udp multiport dports ntp /* ntp */ ctstate NEW
    8 ACCEPT tcp -- anywhere anywhere tcp multiport dports 4505,4506 /* salt master ports */ ctstate NEW
    9 ACCEPT tcp -- anywhere anywhere tcp multiport dports amqps /* rabbitmq-amqp */ ctstate NEW
    10 ACCEPT tcp -- anywhere anywhere tcp multiport dports 15671 /* rabbitmq-mgmt */ ctstate NEW
    11 ACCEPT udp -- anywhere anywhere udp multiport dports 50514 /* rsaAuditPorts */ ctstate NEW
    12 ACCEPT tcp -- anywhere anywhere tcp multiport dports 27017 /* mongo-listen-port */ ctstate NEW
    13 ACCEPT tcp -- anywhere anywhere tcp multiport dports http,https /* nginxPort */ ctstate NEW
    14 ACCEPT tcp -- anywhere anywhere tcp multiport dports 51114 /* rsasoc_re */ ctstate NEW
    15 ACCEPT tcp -- anywhere anywhere tcp multiport dports 50006,50106,56006 /* nwappliancePorts */ ctstate NEW
    16 ACCEPT tcp -- anywhere anywhere tcp multiport dports afs3-rmtsys /* LaunchPort */ ctstate NEW
    17 ACCEPT tcp -- anywhere anywhere tcp multiport dports afs3-errors /* LaunchPort */ ctstate NEW
    18 ACCEPT tcp -- anywhere anywhere tcp multiport dports talon-webserver /* LaunchPort */ ctstate NEW
    19 ACCEPT tcp -- anywhere anywhere tcp multiport dports talon-engine /* LaunchPort */ ctstate NEW
    20 ACCEPT tcp -- anywhere anywhere tcp multiport dports afs3-kaserver /* LaunchPort */ ctstate NEW
    21 ACCEPT tcp -- anywhere anywhere tcp multiport dports ups-onlinet /* LaunchPort */ ctstate NEW
    22 ACCEPT tcp -- anywhere anywhere tcp multiport dports afs3-vlserver /* LaunchPort */ ctstate NEW
    23 ACCEPT tcp -- anywhere anywhere tcp multiport dports afs3-prserver /* LaunchPort */ ctstate NEW
    24 ACCEPT tcp -- anywhere anywhere tcp multiport dports 50003,50103,56003 /* nwbrokerPorts */ ctstate NEW
    25 ACCEPT udp -- anywhere anywhere udp dpt:snmp
    26 DROP all -- anywhere anywhere
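The four steps above are a single procedure: read the listing, find the final DROP rule's number, insert directly above it, save. The script below is an added example, not part of the article or of the NetWitness product, that automates those steps so the insert position is computed from the live listing instead of being hard-coded to 25, which would break as soon as the appliance adds or removes a rule. The function names, the DRY_RUN variable and the abridged sample listing are all constructed for this example.

```sh
#!/bin/sh
# Added example (not from the NetWitness article): insert a custom INPUT rule
# directly above the chain's final catch-all DROP, then persist it.

# Constructed, abridged sample of `iptables -L INPUT --line-numbers` output.
# Used instead of the live listing when DRY_RUN=1, so the script can be tried
# on a workstation without iptables or root.
SAMPLE_LISTING='Chain INPUT (policy DROP)
num target prot opt source destination
1 ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
2 ACCEPT all -- anywhere anywhere
3 DROP all -- anywhere anywhere ctstate INVALID
4 ACCEPT tcp -- anywhere anywhere tcp multiport dports ssh /* SSH */ ctstate NEW
5 DROP all -- anywhere anywhere'

# Echo a command under DRY_RUN=1, otherwise execute it.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "+ $*"; else "$@"; fi
}

# Read a rule listing on stdin and print the number of the catch-all DROP:
# target DROP, protocol all, and nothing after the destination column
# (exactly six fields), which distinguishes it from "DROP ... ctstate INVALID".
# Prints nothing and exits 1 when the chain has no such rule.
catch_all_drop_num() {
    awk '
        $1 ~ /^[0-9]+$/ && $2 == "DROP" && $3 == "all" && NF == 6 { n = $1 }
        END { if (n == "") exit 1; print n }
    '
}

# Insert RULE_SPEC (iptables match and target arguments, e.g.
# "-p udp -m udp --dport 161 -j ACCEPT") just above the catch-all DROP of
# the INPUT chain and save the ruleset. Refuses to act if no catch-all DROP
# exists, rather than guessing a position.
insert_before_drop() {
    rule_spec="$1"
    if [ "${DRY_RUN:-0}" = "1" ]; then
        listing="$SAMPLE_LISTING"
    else
        listing=$(iptables -L INPUT --line-numbers) || return 1
    fi
    pos=$(printf '%s\n' "$listing" | catch_all_drop_num) || {
        echo "no catch-all DROP rule found in INPUT; not inserting" >&2
        return 1
    }
    # shellcheck disable=SC2086  # word splitting of $rule_spec is intended
    run iptables -I INPUT "$pos" $rule_spec
    run service iptables save
}

# Usage on the appliance (as root):   ./add_rule.sh "-p udp -m udp --dport 161 -j ACCEPT"
# Dry run against the sample listing: DRY_RUN=1 ./add_rule.sh "-p udp -m udp --dport 161 -j ACCEPT"
if [ $# -gt 0 ]; then
    insert_before_drop "$1"
fi
```

Matching on "exactly six fields" is what keeps the script from picking rule 3 (the "ctstate INVALID" DROP) by mistake; if your chain ends with a DROP that carries a comment or other match, loosen that test deliberately rather than removing it.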

Product Details

RSA Product Set: NetWitness Logs & Network
RSA Product/Service Type: Core Appliance
RSA Version/Condition: 11.X
Platform: CentOS
O/S Version: 7

Summary

This document outlines the procedure for writing custom iptables rules on NetWitness Platform appliances.
