iptables -A OUTPUT -o eth0 -p tcp --sport 9997 -m state --state NEW,ESTABLISHED -j ACCEPT
Looks like the solution was
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
Or at least that got it working.
Forum Moderator for osTicket.com and Assistant Director of IT for a medium-sized 501(c)3 Non-Profit.
So I'm a relative newbie at using iptables. I have used them for years, but usually with fail2ban and the occasional specific rule to allow a specific connection [like allowing someone to SSH from a specific IP]. Lastly, I just set up Splunk for the first time on a Windows 2012r2 server that I just stood up.
Splunk seems pretty straightforward and it all installed on the server without any issues. I added a receive port (default 9997).
I installed the Splunk universal forwarder on my Debian 9.8 Linux box (using the official Splunk .deb download). Knowing that iptables is going to trip me up, I add some rules.
# iptables -A INPUT -i eth0 -p tcp --dport 9997 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -o eth0 -p tcp --sport 9997 -m state --state NEW,ESTABLISHED -j ACCEPT
I get to the point where I add the forward server. I use a command similar to:
./splunk add forward-server 192.168.0.15:9997 -auth admin:changeme
I get the error: Couldn't complete HTTP request: Connection timed out
Okay, so I check the Windows firewall. I create a rule to allow all traffic from the Linux server to the Splunk server. I try again. Same thing. /grump
Alright so then it must be iptables since it drops most things. I go back to the Linux server and issue these:
iptables --policy INPUT ACCEPT
iptables --policy OUTPUT ACCEPT
I run the command. Bingo.
Added forwarding to: 192.168.0.15:9997.
So now my question... now that it appears to be working I would add data to forward, but I don't want to leave iptables wide open. Anyone knowledgeable with Splunk and iptables to help me close this back up?
I could do something like:
iptables -A INPUT -s 192.168.0.15 -j ACCEPT
iptables -A OUTPUT -d 192.168.0.15 -j ACCEPT   # OUTPUT matches on destination; -s 192.168.0.15 would never match traffic leaving this box
But I would really like to lock this down to just the ports that Splunk needs. I'm obviously missing something.
note: I've tried adding a few more ports (8089 and 8000) to be accepted INPUT and OUTPUT. I've googled it about 30 different times and pored through Splunk's help docs and am stuck.
note2: ips changed to protect the innocent.
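Putting the question above together with the loopback rules in the reply further up the page: the `splunk` CLI talks to the local splunkd over HTTPS on 127.0.0.1:8089 (the management port), so with a DROP policy and no loopback rules the `add forward-server` request itself times out; and the forwarder initiates the connection to the indexer, so 9997 is the destination port on OUTPUT (the forwarder's own source port is ephemeral), which is why the original `--sport 9997` OUTPUT and `--dport 9997` INPUT rules never matched. The script below is an added example, not code from the posts or from Splunk. It uses the addresses from the post; the interface name eth0, the management host 192.168.0.20 and the SSH rule are assumptions. It prints the rules so they can be reviewed without root, and only applies them when run with `apply`.

```shell
#!/bin/sh
# Added example, not code from the original posts. Generates (and optionally
# applies) a minimal iptables ruleset for a Debian host that runs only the
# Splunk universal forwarder. Everything below that is not in the posts is an
# assumption: the interface name eth0, the indexer address 192.168.0.15:9997,
# and a single management host 192.168.0.20 that is allowed to SSH in.
set -eu

IFACE="${IFACE:-eth0}"
INDEXER="${INDEXER:-192.168.0.15}"
INDEXER_PORT="${INDEXER_PORT:-9997}"
MGMT_HOST="${MGMT_HOST:-192.168.0.20}"

# Print the rules instead of running them, so they can be reviewed (and tested)
# on a box where you are not root. Comments are kept so the output is readable.
splunk_fw_rules() {
    cat <<EOF
# start from a clean slate; policies are switched to DROP *last* so an SSH
# session used to apply this is never cut off half way through
iptables -F
# loopback first: the splunk CLI reaches the local splunkd on 127.0.0.1:8089
# (the management port), which is why "add forward-server" timed out without these
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# return traffic for anything already allowed, in both directions
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# the forwarder *initiates* the connection, so 9997 is the destination port on
# OUTPUT and our own source port is ephemeral; there is nothing to accept on
# INPUT beyond the ESTABLISHED rule above
iptables -A OUTPUT -o $IFACE -p tcp -d $INDEXER --dport $INDEXER_PORT -m conntrack --ctstate NEW -j ACCEPT
# inbound SSH, but only from the management host
iptables -A INPUT -i $IFACE -p tcp -s $MGMT_HOST --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# drop everything else (this host forwards nothing, so FORWARD is dropped too)
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
EOF
}

# Count the rules that would accept new connections *to* 9997 on INPUT. A
# forwarder-only host should have none; an indexer is the side that listens.
inbound_9997_rules() {
    splunk_fw_rules | grep -v '^#' | grep -c -- '-A INPUT .*--dport 9997' || true
}

# Apply for real (as root) with: sh splunk-fw.sh apply
# Persist on Debian afterwards with: iptables-save > /etc/iptables/rules.v4
if [ "${1:-}" = "apply" ]; then
    splunk_fw_rules | sh -e
fi
```

`-m conntrack --ctstate` is the current spelling of the `-m state --state` match used in the post; both work on Debian 9. Ports 8089 and 8000 from the question's note never need to be opened on eth0 for a forwarder: 8089 only has to be reachable over lo (covered by the loopback rules), and 8000 is the web UI, which the universal forwarder does not run.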
While you can run the version from GitHub, the devs have asked that you download it from osticket.com/download instead. There is some packaging they do that apparently isn't handled by GitHub (such as setting the version number).
I generally recommend that people upgrade to at least PHP 5.6. If you're a stickler for running a version of PHP that's still supported by php.net, then you will want to upgrade to something a lot newer, as 5.5, 5.6 and 7.0 are no longer under active support, and 7.0 will only receive security updates.
Does NIST Special Publication 800-53 r4 count as "outside of tech"?
If not then I did start re-reading Monstress Vol 3 by Marjorie Liu and Sana Takeda. (graphic novel), so I could move onto all the individual issues that came out after that which haven't been released in graphic novel format yet.
It's winter, so in the last month: finished Horizon Zero Dawn, Kingdom Hearts III, Shadow of the Colossus (HD remaster), and lastly just finished Final Fantasy X (HD remaster) last night.
This is outside my norm, but I discovered this song last weekend and added it to my work playlist. (Note: the beginning of the video isn't entirely work safe per se.)
I created a playlist after going to a concert and am listening to that.
Iron Maiden Book of Souls 2017 set list from Mansfield MA.
I'm a little late to this conversation...
If they are a non-profit (501c3), then they can go through TechSoup and get great pricing.
If they are a not-for-profit, I do not think that they qualify for TechSoup.
We use TechSoup for my primary job and have for many years.