Advanced iptables rules examples

You can configure your iptables rules to better control access to QRadar®, restrict inbound data sources, and redirect traffic. The following examples can help you gain better insight into your network by manually adjusting your iptables rules.

Blocking access to SSH with iptables

Consoles and unmanaged hosts allow SSH from any inbound request. When a host is added to the deployment, the managed hosts allow SSH access from the QRadar Console, and the console keeps port 22 open for inbound connections. You can limit the inbound connections on port 22 by modifying a host's iptables rules.

On your Console, you can block SSH access from other managed hosts; note that this can break encrypted connections. In the following example, only the hosts 10.100.50.41 and 10.100.50.59 are allowed to open new SSH connections on eth0, and every other new connection to port 22 is dropped. Because iptables uses the first matching rule, the ACCEPT rules must come before the DROP rule.

-A INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 22 -s 10.100.50.41 -j ACCEPT
-A INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 22 -s 10.100.50.59 -j ACCEPT
-A INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 22 -j DROP
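The following shell script is an added example, not part of the QRadar documentation or product. It generates the port-22 allowlist shown above from a list of managed-host addresses, validates each address before emitting a rule, and checks the resulting rule order so that no ACCEPT for port 22 is shadowed by an earlier DROP. The function names, the example interface name eth0 and the addresses are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not QRadar code): build and sanity-check the SSH allowlist
# that goes into iptables.pre. iptables evaluates rules in order and stops at
# the first match, so every ACCEPT must precede the final DROP.

# valid_source ADDR : succeed if ADDR is a dotted-quad IPv4 address with an
# optional /prefix length (e.g. 10.100.50.41 or 10.100.50.0/24).
valid_source() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# ssh_allowlist_rules IFACE HOST... : print one ACCEPT rule per host for new
# connections to port 22 on IFACE, followed by a DROP for everything else.
# Fails without printing the DROP if any host address is malformed.
ssh_allowlist_rules() {
    iface=$1; shift
    for src in "$@"; do
        valid_source "$src" || { echo "invalid source address: $src" >&2; return 1; }
        printf -- '-A INPUT -i %s -m state --state NEW -m tcp -p tcp --dport 22 -s %s -j ACCEPT\n' "$iface" "$src"
    done
    printf -- '-A INPUT -i %s -m state --state NEW -m tcp -p tcp --dport 22 -j DROP\n' "$iface"
}

# check_ssh_order : read rules from stdin and fail if an ACCEPT for port 22
# appears after a DROP for port 22 (the ACCEPT would never be reached).
check_ssh_order() {
    seen_drop=0
    while IFS= read -r line; do
        case $line in
            *"--dport 22 "*"-j DROP"*) seen_drop=1 ;;
            *"--dport 22 "*"-j ACCEPT"*)
                [ "$seen_drop" -eq 0 ] || { echo "shadowed rule: $line" >&2; return 1; } ;;
        esac
    done
    return 0
}

# Stand-alone usage: print the rules for two managed hosts and verify the order.
ssh_allowlist_rules eth0 10.100.50.41 10.100.50.59 | check_ssh_order && echo "rule order OK"
```

Pipe the generated lines into the host's iptables.pre only after `check_ssh_order` succeeds; a shadowed ACCEPT is the typical mistake that locks the Console out of a managed host.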

Enabling ICMP to QRadar systems

You can enable ping responses from your QRadar system by adding the following rule to the /opt/qradar/conf/iptables.pre file.

-A INPUT -p icmp -j ACCEPT

Run the following script to create an entry in the /etc/sysconfig/iptables file.

Important: You can limit this rule to a specific host by adding the -s <source IP address> option.

Blocking unwanted data sources

You can block a data source such as a log source or a NetFlow data source for a short time, rather than disabling the original device. To block a particular host, add an entry similar to the following to /opt/qradar/conf/iptables.pre.

Block NetFlow from the router:

-A INPUT -p udp -s <IP Address> --dport 2055 -j REJECT

Block syslog from another source:

-A INPUT -p tcp -s <IP Address> --dport 514 -j REJECT
-A INPUT -p udp -s <IP Address> --dport 514 -j REJECT

Block syslog from a specific subnet (the -s value must be a network in CIDR notation):

-A INPUT -p tcp -s <Network>/<Prefix length> --dport 514 -j REJECT
-A INPUT -p udp -s <Network>/<Prefix length> --dport 514 -j REJECT
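Temporary REJECT entries like these are easy to forget, and a syslog block that covers only one of TCP or UDP lets the other half of the traffic through. The following shell script is an added example, not QRadar code: it reads iptables.pre-style lines, lists every INPUT REJECT rule as protocol, source and port, and reports sources that are rejected on port 514 for only one of the two protocols. The function names and the sample rules (which use documentation addresses from 192.0.2.0/24) are constructed for the example.

```shell
#!/bin/sh
# Added example (not QRadar code): inventory the temporary REJECT rules in an
# iptables.pre file and flag incomplete syslog blocks.

# sample_rules : constructed iptables.pre content used for the stand-alone run.
# 192.0.2.30 is only blocked on TCP 514, so UDP syslog from it still arrives.
sample_rules() {
    cat <<'EOF'
-A INPUT -p udp -s 192.0.2.10 --dport 2055 -j REJECT
-A INPUT -p tcp -s 192.0.2.20 --dport 514 -j REJECT
-A INPUT -p udp -s 192.0.2.20 --dport 514 -j REJECT
-A INPUT -p tcp -s 192.0.2.30 --dport 514 -j REJECT
-A INPUT -p icmp -j ACCEPT
EOF
}

# list_blocks : read rules from stdin; for each "-A INPUT ... -j REJECT" rule
# print "proto source dport" (empty fields if the rule does not set them).
list_blocks() {
    while IFS= read -r line; do
        case $line in
            "-A INPUT"*"-j REJECT"*) ;;
            *) continue ;;
        esac
        proto=""; src=""; port=""
        # Split the rule into words and walk the option/value pairs.
        set -- $line
        while [ $# -gt 0 ]; do
            case $1 in
                -p) proto=$2; shift ;;
                -s) src=$2; shift ;;
                --dport) port=$2; shift ;;
            esac
            shift
        done
        printf '%s %s %s\n' "$proto" "$src" "$port"
    done
}

# syslog_gaps : read rules from stdin; print each source that is rejected on
# port 514 for only one of tcp/udp.
syslog_gaps() {
    list_blocks | awk '
        $3 == 514 { seen[$2] = seen[$2] " " $1 }
        END { for (s in seen) if (seen[s] !~ /tcp/ || seen[s] !~ /udp/) print s }'
}

# Stand-alone usage on the constructed sample.
echo "blocked senders:"; sample_rules | list_blocks
echo "syslog blocks missing tcp or udp:"; sample_rules | syslog_gaps
```

Run it against the real file with `list_blocks < /opt/qradar/conf/iptables.pre` (and the same for `syslog_gaps`) when reviewing which senders are still blocked before a maintenance window ends.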