Advanced iptables rules examples
You can configure your iptables rules to better control access to QRadar®, restrict inbound data sources, and redirect traffic. The following examples can help you to gain better insight to your network, by manually adjusting your iptables.
Blocking access to SSH with iptables
Consoles and unmanaged hosts allow SSH from any inbound request. When a host is added to the deployment, the managed hosts allow SSH access from the QRadar Console, and the console keeps port 22 open for inbound connections. You can limit the inbound connections on port 22 by modifying a host's iptables rules.
You can block SSH access from other managed hosts on your console, which can break encrypted connections.
-A INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 22 -s 10.100.50.41 -j ACCEPT
-A INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 22 -s 10.100.50.59 -j ACCEPT
-A INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 22 -j DROP
Enabling ICMP to QRadar systems
You can enable ping responses from your QRadar system by adding the following rule to the /opt/qradar/conf/iptables.pre file.
-A INPUT -p icmp -j ACCEPT
Run the following script to create an entry in the /etc/sysconfig/iptables
file.
-s
source.ip.address
field.Blocking unwanted data sources
You can block out a data source such as a log source or a netflow data source, for a short time, rather than disabling the original device. To block a particular host, you can add an entry similar to the following to /opt/qradar/conf/iptables.pre.
-A INPUT -p udp -s <IP Address> --dport 2055 -j REJECT
-A INPUT -p tcp -s <IP Address> --dport 514 -j REJECT
-A INPUT -p udp -s <IP Address> --dport 514 -j REJECT
-A INPUT -p tcp -s <IP Address> --dport 514 -j REJECT
-A INPUT -p udp -s <IP Address> --dport 514 -j REJECT