Advanced iptables rules examples
You can configure your iptables rules to better control access to QRadar, restrict inbound data sources, and redirect traffic. The following examples can help you to gain better insight to your network, by manually adjusting your iptables.
Blocking access to SSH with iptables
Consoles and unmanaged hosts allow SSH from any inbound request. When a host is added to the deployment, the managed hosts allow SSH access from the QRadar Console, and the console keeps port 22 open for inbound connections. You can limit the inbound connections on port 22 by modifying a host's iptables rules.
You can block SSH access from other managed hosts on your console, which can break encrypted connections.
-A INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 22 -s 10.100.50.41 -j ACCEPT
-A INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 22 -s 10.100.50.59 -j ACCEPT
-A INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 22 -j DROP
Enabling ICMP to QRadar systems
You can enable ping responses from your QRadar system by adding the following rule to the /opt/qradar/conf/iptables.pre file.
-A INPUT -p icmp -j ACCEPT
Run the following script to create an entry in the /etc/sysconfig/iptables
file.
-s
source.ip.address field.Blocking unwanted data sources
You can block out a data source such as a log source or a netflow data source, for a short time, rather than disabling the original device. To block a particular host, you can add an entry similar to the following to /opt/qradar/conf/iptables.pre.
-A INPUT -p udp -s <IP Address> --dport 2055 -j REJECT
-A INPUT -p tcp -s <IP Address> --dport 514 -j REJECT
-A INPUT -p udp -s <IP Address> --dport 514 -j REJECT
-A INPUT -p tcp -s <IP Address> --dport 514 -j REJECT
-A INPUT -p udp -s <IP Address> --dport 514 -j REJECTRedirecting iptables to syslog ports
You can redirect syslog traffic on non-standard ports into port 514 on a QRadar Event Collector. You can use the following steps to enable an iptables rule to redirect the alternative port back into 514 on the Event Collector.
- Enable the NAT option in the Linux kernel by adding or updating the following line in the
/etc/sysctl.conf file.
net.ipv4.ip_forward = 1Note: For changes to take effect to the NAT rule, you might need to restart your service. - Enable ipforwarding in the current active
kernel.
echo 1 > /proc/sys/net/ipv4/ip_forward - Add the following lines to the /opt/qradar/conf/iptables-nat.post. Enter
the port number that you want to redirect as the
<portnumber>.
-A PREROUTING -p udp --dport <portnumber> -j REDIRECT --to-ports 514 -A PREROUTING -p tcp --dport <portnumber> -j REDIRECT --to-ports 514 - Enter the following command to rebuild your
iptables.
/opt/qradar/bin/iptables_update.pl - Verify the redirection by typing the following command.
iptables -nvL -t natThe following code is an example of what the output might look like.
Chain PREROUTING (policy ACCEPT 140 packets, 8794 bytes) pkts bytes target prot opt in out source destination 0 0 REDIRECT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:10529 redir ports 514 0 0 REDIRECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:10529 redir ports 514 Chain POSTROUTING (policy ACCEPT 207 packets, 25772 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 207 packets, 25772 bytes) pkts bytes target prot opt in out source destination
Redirecting inbound syslog traffic
You can use your QRadar Console as a syslog message gateway to redirect inbound events, by configuring rules in iptables.
- Enable the forwarding rule for a log source on your Event Collector.
- Set the forwarding destination for the TCP syslog to be the console IP address on port 7780.
- From the command line of the console, add the following iptables rule to redirect to another
host.
iptables -I OUTPUT --src 0/0 --dst 153.2.200.80 -p tcp --dport 7780 -j REDIRECT --to-ports 514