Article Number
000001041
Applies To
RSA Product Set: NetWitness Logs & Network
RSA Product/Service Type: Core Appliance
RSA Version/Condition: 11.X
Platform: CentOS
O/S Version: 7
Issue
On NetWitness 11.x appliances, rules added by editing /etc/sysconfig/iptables directly with the vi editor are not retained permanently, even after the Netwitness.json settings have been applied.
Resolution
Use the following steps to add custom rules to iptables.
- Run "iptables -L --line-numbers". This lists the current rules with their line numbers; note the number of the final DROP rule in the INPUT chain (25 in the sample below), since the custom rule must be inserted above it.
Sample output:
# iptables -L --line-numbers
Chain INPUT (policy DROP)
num target prot opt source destination
1 ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
2 ACCEPT all -- anywhere anywhere
3 DROP all -- anywhere anywhere ctstate INVALID
4 ACCEPT tcp -- anywhere anywhere tcp multiport dports domain /* dnsmasq-tcp-port */ ctstate NEW
5 ACCEPT udp -- anywhere anywhere udp multiport dports domain /* dnsmasq-udp-port */ ctstate NEW
6 ACCEPT tcp -- anywhere anywhere tcp multiport dports ssh /* SSH */ ctstate NEW
7 ACCEPT udp -- anywhere anywhere udp multiport dports ntp /* ntp */ ctstate NEW
8 ACCEPT tcp -- anywhere anywhere tcp multiport dports 4505,4506 /* salt master ports */ ctstate NEW
9 ACCEPT tcp -- anywhere anywhere tcp multiport dports amqps /* rabbitmq-amqp */ ctstate NEW
10 ACCEPT tcp -- anywhere anywhere tcp multiport dports 15671 /* rabbitmq-mgmt */ ctstate NEW
11 ACCEPT udp -- anywhere anywhere udp multiport dports 50514 /* rsaAuditPorts */ ctstate NEW
12 ACCEPT tcp -- anywhere anywhere tcp multiport dports 27017 /* mongo-listen-port */ ctstate NEW
13 ACCEPT tcp -- anywhere anywhere tcp multiport dports http,https /* nginxPort */ ctstate NEW
14 ACCEPT tcp -- anywhere anywhere tcp multiport dports 51114 /* rsasoc_re */ ctstate NEW
15 ACCEPT tcp -- anywhere anywhere tcp multiport dports 50006,50106,56006 /* nwappliancePorts */ ctstate NEW
16 ACCEPT tcp -- anywhere anywhere tcp multiport dports afs3-rmtsys /* LaunchPort */ ctstate NEW
17 ACCEPT tcp -- anywhere anywhere tcp multiport dports afs3-errors /* LaunchPort */ ctstate NEW
18 ACCEPT tcp -- anywhere anywhere tcp multiport dports talon-webserver /* LaunchPort */ ctstate NEW
19 ACCEPT tcp -- anywhere anywhere tcp multiport dports talon-engine /* LaunchPort */ ctstate NEW
20 ACCEPT tcp -- anywhere anywhere tcp multiport dports afs3-kaserver /* LaunchPort */ ctstate NEW
21 ACCEPT tcp -- anywhere anywhere tcp multiport dports ups-onlinet /* LaunchPort */ ctstate NEW
22 ACCEPT tcp -- anywhere anywhere tcp multiport dports afs3-vlserver /* LaunchPort */ ctstate NEW
23 ACCEPT tcp -- anywhere anywhere tcp multiport dports afs3-prserver /* LaunchPort */ ctstate NEW
24 ACCEPT tcp -- anywhere anywhere tcp multiport dports 50003,50103,56003 /* nwbrokerPorts */ ctstate NEW
25 DROP all -- anywhere anywhere
- Run "iptables -I INPUT 25 -p udp -m udp --dport 161 -j ACCEPT" to insert the new rule at position 25, directly above the final DROP rule (the DROP rule moves down to 26). This example allows SNMP on UDP port 161.
- Run "service iptables save". This writes the running ruleset to /etc/sysconfig/iptables so the rule survives a restart.
- Verify the change with the command below; the new rule should appear at line 25 with the DROP rule now at line 26.
# iptables -L --line-numbers
Chain INPUT (policy DROP)
num target prot opt source destination
1 ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
2 ACCEPT all -- anywhere anywhere
3 DROP all -- anywhere anywhere ctstate INVALID
4 ACCEPT tcp -- anywhere anywhere tcp multiport dports domain /* dnsmasq-tcp-port */ ctstate NEW
5 ACCEPT udp -- anywhere anywhere udp multiport dports domain /* dnsmasq-udp-port */ ctstate NEW
6 ACCEPT tcp -- anywhere anywhere tcp multiport dports ssh /* SSH */ ctstate NEW
7 ACCEPT udp -- anywhere anywhere udp multiport dports ntp /* ntp */ ctstate NEW
8 ACCEPT tcp -- anywhere anywhere tcp multiport dports 4505,4506 /* salt master ports */ ctstate NEW
9 ACCEPT tcp -- anywhere anywhere tcp multiport dports amqps /* rabbitmq-amqp */ ctstate NEW
10 ACCEPT tcp -- anywhere anywhere tcp multiport dports 15671 /* rabbitmq-mgmt */ ctstate NEW
11 ACCEPT udp -- anywhere anywhere udp multiport dports 50514 /* rsaAuditPorts */ ctstate NEW
12 ACCEPT tcp -- anywhere anywhere tcp multiport dports 27017 /* mongo-listen-port */ ctstate NEW
13 ACCEPT tcp -- anywhere anywhere tcp multiport dports http,https /* nginxPort */ ctstate NEW
14 ACCEPT tcp -- anywhere anywhere tcp multiport dports 51114 /* rsasoc_re */ ctstate NEW
15 ACCEPT tcp -- anywhere anywhere tcp multiport dports 50006,50106,56006 /* nwappliancePorts */ ctstate NEW
16 ACCEPT tcp -- anywhere anywhere tcp multiport dports afs3-rmtsys /* LaunchPort */ ctstate NEW
17 ACCEPT tcp -- anywhere anywhere tcp multiport dports afs3-errors /* LaunchPort */ ctstate NEW
18 ACCEPT tcp -- anywhere anywhere tcp multiport dports talon-webserver /* LaunchPort */ ctstate NEW
19 ACCEPT tcp -- anywhere anywhere tcp multiport dports talon-engine /* LaunchPort */ ctstate NEW
20 ACCEPT tcp -- anywhere anywhere tcp multiport dports afs3-kaserver /* LaunchPort */ ctstate NEW
21 ACCEPT tcp -- anywhere anywhere tcp multiport dports ups-onlinet /* LaunchPort */ ctstate NEW
22 ACCEPT tcp -- anywhere anywhere tcp multiport dports afs3-vlserver /* LaunchPort */ ctstate NEW
23 ACCEPT tcp -- anywhere anywhere tcp multiport dports afs3-prserver /* LaunchPort */ ctstate NEW
24 ACCEPT tcp -- anywhere anywhere tcp multiport dports 50003,50103,56003 /* nwbrokerPorts */ ctstate NEW
25 ACCEPT udp -- anywhere anywhere udp dpt:snmp
26 DROP all -- anywhere anywhere
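A scripted form of the three steps above, added here as an example (it is not from the RSA article): it derives the insert position from the listing instead of hard-coding 25, saves, and verifies using numeric port output. The sample listings are constructed and abridged.

```shell
#!/bin/sh
# Added example, not from the RSA article: find the trailing catch-all DROP in the
# INPUT chain, insert a custom ACCEPT above it, save, and verify. It assumes the
# plain "iptables -L --line-numbers" layout shown in the article.

# Constructed, abridged "before" listing in the article's format.
SAMPLE_BEFORE='Chain INPUT (policy DROP)
num target prot opt source destination
1 ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
3 DROP all -- anywhere anywhere ctstate INVALID
24 ACCEPT tcp -- anywhere anywhere tcp multiport dports 50003,50103,56003 /* nwbrokerPorts */ ctstate NEW
25 DROP all -- anywhere anywhere'

# Constructed "after" listing as printed with -n (numeric ports): without -n,
# iptables resolves 161 to the service name, which is why the article shows dpt:snmp.
SAMPLE_AFTER='Chain INPUT (policy DROP)
num target prot opt source destination
25 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:161
26 DROP all -- 0.0.0.0/0 0.0.0.0/0'

# Rule number of the final catch-all DROP: a DROP line with no extra match
# fields (6 fields), which excludes "DROP ... ctstate INVALID".
catch_all_drop_index() {
    printf '%s\n' "$1" | awk '$2 == "DROP" && NF == 6 { idx = $1 } END { print idx }'
}

# Succeed only if rule $2 is ACCEPT for protocol $3 / port $4 and the catch-all
# DROP now sits immediately below it (listing $1 must come from iptables -n).
verify_rule() {
    listing=$1; idx=$2; proto=$3; port=$4
    printf '%s\n' "$listing" | awk -v n="$idx" -v p="$proto" -v d="dpt:$port" \
        '$1 == n && $2 == "ACCEPT" && $3 == p && $NF == d { ok = 1 } END { exit ok ? 0 : 1 }' || return 1
    [ "$(catch_all_drop_index "$listing")" -eq $((idx + 1)) ]
}

# Live procedure for a NetWitness host; runs only where iptables is present.
add_custom_rule() {
    proto=$1; port=$2
    command -v iptables >/dev/null 2>&1 || { echo "iptables not found" >&2; return 2; }
    idx=$(catch_all_drop_index "$(iptables -n -L INPUT --line-numbers)")
    [ -n "$idx" ] || { echo "no catch-all DROP found in INPUT" >&2; return 1; }
    iptables -I INPUT "$idx" -p "$proto" -m "$proto" --dport "$port" -j ACCEPT || return 1
    service iptables save || return 1   # writes the live ruleset to /etc/sysconfig/iptables
    verify_rule "$(iptables -n -L INPUT --line-numbers)" "$idx" "$proto" "$port"
}
```

On an appliance, `add_custom_rule udp 161` reproduces the article's steps; the parsing helpers can be exercised anywhere against the constructed listings.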