Splunk vs iptables



  • So I'm a relative newbie with using iptables. I have used them for years, but usually with fail2ban and the occasional specific rule to allow a specific connection [like allowing someone to SSH from a specific IP]. Lastly, I just set up Splunk for the first time on a Windows 2012r2 server that I just stood up.

    Splunk seems pretty straightforward and it all installed on the server without any issues. I added a receive port (default 9997).

    I installed the Splunk universal forwarder on my Debian 9.8 Linux box (using the official Splunk .deb download). Knowing that iptables is going to trip me up, I add some rules.

    # iptables -A INPUT -i eth0 -p tcp --dport 9997 -m state --state NEW,ESTABLISHED -j ACCEPT
    # iptables -A OUTPUT -o eth0 -p tcp --sport 9997 -m state --state NEW,ESTABLISHED -j ACCEPT

    I get to the point where I add the forward server. I use a command similar to:
    ./splunk add forward-server 192.168.0.15:9997 -auth admin:changeme

    I get the error: Couldn't complete HTTP request: Connection timed out

    Okay so I check the windows firewall. I create a rule to allow all traffic from the linux server to the splunk server. I try again. Same thing. /grump

    Alright so then it must be iptables since it drops most things. I go back to the Linux server and issue these:
    iptables --policy INPUT ACCEPT
    iptables --policy OUTPUT ACCEPT

    I run the command. Bingo.
    Added forwarding to: 192.168.0.15:9997.

    So now my question... now that it appears to be working I would add data to forward... but I don't want to leave iptables wide open. Anyone knowledgeable with Splunk and iptables to help me close this back up?

    I could do something like:
    iptables -A INPUT -s 192.168.0.15 -j ACCEPT
    iptables -A OUTPUT -s 192.168.0.15 -j ACCEPT

    But I would really like to lock this down to just the ports that Splunk needs. I'm obviously missing something.

    note: I've tried adding a few more ports (8089 and 8000) to be accepted INPUT and OUTPUT. I've googled it about 30 different times and pored through Splunk's help docs and am stuck.

    note2: IPs changed to protect the innocent.

    Thanks!



  • @ntozier said in Splunk vs iptables:

    So I'm a relative newbie with using iptables. I have used them for years, but usually with fail2ban and the occasional specific rule to allow a specific connection [like allowing someone to SSH from a specific IP]. Lastly, I just set up Splunk for the first time on a Windows 2012r2 server that I just stood up.

    Splunk seems pretty straightforward and it all installed on the server without any issues. I added a receive port (default 9997).

    I installed the Splunk universal forwarder on my Debian 9.8 Linux box (using the official Splunk .deb download). Knowing that iptables is going to trip me up, I add some rules.

    # iptables -A INPUT -i eth0 -p tcp --dport 9997 -m state --state NEW,ESTABLISHED -j ACCEPT
    # iptables -A OUTPUT -o eth0 -p tcp --sport 9997 -m state --state NEW,ESTABLISHED -j ACCEPT

    I get to the point where I add the forward server. I use a command similar to:
    ./splunk add forward-server 192.168.0.15:9997 -auth admin:changeme

    I get the error: Couldn't complete HTTP request: Connection timed out

    Okay so I check the windows firewall. I create a rule to allow all traffic from the linux server to the splunk server. I try again. Same thing. /grump

    Alright so then it must be iptables since it drops most things. I go back to the Linux server and issue these:
    iptables --policy INPUT ACCEPT
    iptables --policy OUTPUT ACCEPT

    I run the command. Bingo.
    Added forwarding to: 192.168.0.15:9997.

    So now my question... now that it appears to be working I would add data to forward... but I don't want to leave iptables wide open. Anyone knowledgeable with Splunk and iptables to help me close this back up?

    I could do something like:
    iptables -A INPUT -s 192.168.0.15 -j ACCEPT
    iptables -A OUTPUT -s 192.168.0.15 -j ACCEPT

    But I would really like to lock this down to just the ports that Splunk needs. I'm obviously missing something.

    note: I've tried adding a few more ports (8089 and 8000) to be accepted INPUT and OUTPUT. I've googled it about 30 different times and pored through Splunk's help docs and am stuck.

    note2: IPs changed to protect the innocent.

    Thanks!

    People seem to be happy with this guy's answer.

    https://answers.splunk.com/answers/58888/what-are-the-ports-that-i-need-to-open.html



  • @IRJ Yeah I already read that and opened those three ports. Still doesn't work. /boggle.

    I also tried
    iptables -A INPUT -s 192.168.0.15 -j ACCEPT

    and that doesn't work either. But if I change
    iptables --policy INPUT ACCEPT
    everything works as expected.



  • @ntozier said in Splunk vs iptables:

    @IRJ Yeah I already read that and opened those three ports. Still doesn't work. /boggle.

    I also tried
    iptables -A INPUT -s 192.168.0.15 -j ACCEPT

    and that doesn't work either. But if I change
    iptables --policy INPUT ACCEPT
    everything works as expected.

    What about 514?



  • @ntozier said in Splunk vs iptables:

    @IRJ Yeah I already read that and opened those three ports. Still doesn't work. /boggle.

    I also tried
    iptables -A INPUT -s 192.168.0.15 -j ACCEPT

    and that doesn't work either. But if I change
    iptables --policy INPUT ACCEPT
    everything works as expected.

    That is odd....hmm

    Do you have any way of monitoring flow?



  • Output should be -d for destination

    iptables -A OUTPUT -d 192.168.0.15 -j ACCEPT


  • @IRJ said in Splunk vs iptables:

    iptables -A OUTPUT -o eth0 -p tcp --sport 9997 -m state --state NEW,ESTABLISHED -j ACCEPT

    Looks like the solution was
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT

    Or at least that got it working. 🙂