So I'm a relative newbie with using iptables. I have used them for years but usually with fail2ban, and the occasional adding of a specific rule to allow a specific connection [like to allow someone to SSH from a specific IP]. Lastly I just set up Splunk for the first time on a Windows 2012r2 server that I just stood up.
Splunk seems pretty straightforward and it all installed on the server without any issues. I added a receive port (default 9997).
I installed the Splunk universal forwarder on my Debian 9.8 Linux box (using the official Splunk .deb download). Knowing that iptables is going to trip me up, I add some rules:
# iptables -A INPUT -i eth0 -p tcp --dport 9997 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -o eth0 -p tcp --sport 9997 -m state --state NEW,ESTABLISHED -j ACCEPT
I get to the point where I add the forward server. I use a command similar to:
./splunk add forward-server 192.168.0.15:9997 -auth admin:changeme
I get the error: Couldn't complete HTTP request: Connection timed out
Okay so I check the windows firewall. I create a rule to allow all traffic from the linux server to the splunk server. I try again. Same thing. /grump
Alright so then it must be iptables since it drops most things. I go back to the Linux server and issue these:
iptables --policy INPUT ACCEPT
iptables --policy OUTPUT ACCEPT
I run the command. Bingo.
Added forwarding to: 192.168.0.15:9997.
So now my question... now that it appears to be working I would add data to forward... but I don't want to leave iptables wide open. Anyone knowledgeable with Splunk and iptables who can help me close this back up?
I could do something like:
iptables -A INPUT -s 192.168.0.15 -j ACCEPT
iptables -A OUTPUT -d 192.168.0.15 -j ACCEPT
But I would really like to lock this down to just the ports that Splunk needs. I'm obviously missing something.
note: I've tried adding a few more ports (8089 and 8000) to be accepted on INPUT and OUTPUT. I've googled it about 30 different times and pored through Splunk's help docs and am stuck.
note2: ips changed to protect the innocent.
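An added example (not part of the original post) of the minimal rule set for this setup. The universal forwarder is a TCP client: it opens the connection to the indexer's receiving port, so the NEW traffic to permit is outbound to 192.168.0.15:9997 and the only inbound traffic is the ESTABLISHED half of that connection; the rules in the question allow the opposite direction. The `splunk` CLI also talks to the local splunkd over loopback, so loopback must be allowed. Assumed: indexer 192.168.0.15 and port 9997 from the question, interface eth0; the script prints the rules unless `IPT=iptables` is set.

```shell
#!/bin/sh
# Added example: iptables rules for a Splunk Universal Forwarder host whose
# INPUT/OUTPUT policies stay DROP. Not Splunk's own code.
# IPT defaults to "echo" (dry run); run as root with IPT=iptables to apply.

splunk_forwarder_rules() {
    indexer="$1"; port="${2:-9997}"; iface="${3:-eth0}"
    ipt="${IPT:-echo}"

    # splunkd and the splunk CLI talk to each other on 127.0.0.1 (management
    # port 8089), so loopback must be open in both chains.
    "$ipt" -A INPUT  -i lo -j ACCEPT
    "$ipt" -A OUTPUT -o lo -j ACCEPT

    # Replies to connections this host opened. No NEW inbound connections are
    # accepted: the indexer never dials the forwarder, it only answers.
    # (-m state --state ESTABLISHED,RELATED is the older equivalent.)
    "$ipt" -A INPUT -i "$iface" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # The forwarder initiates the TCP session to <indexer>:<port>; restrict the
    # destination address so a wide-open OUTPUT chain is not needed.
    "$ipt" -A OUTPUT -o "$iface" -p tcp -d "$indexer" --dport "$port" \
        -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

    # Nothing else is required for forwarding. Port 8000 is Splunk Web on the
    # indexer, and 8089 is only needed outbound if this host is a deployment
    # client of a deployment server; add a rule like the one above for that.
}

# Dry-run with the addresses from the question.
splunk_forwarder_rules 192.168.0.15 9997 eth0
```

The default DROP policy plus these four rules replaces `iptables --policy INPUT ACCEPT` / `OUTPUT ACCEPT`; if a rule for the indexer's port alone is wanted on INPUT, it is `--sport 9997` with state ESTABLISHED, not `--dport 9997`.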