IBM Support

QRadar: Troubleshooting IPtables and applications (ERROR: iptables --wait -t nat -C DOCKER)

Troubleshooting


Problem

The application is installed and is displayed on the QRadar® dashboard, but the application does not appear to be working.

Symptom

  • 404 page not found error is displayed
  • Tables in application fail to load
  • Application might not display data

Diagnosing The Problem

Look for messages in /var/log/qradar-iptables.log on the appliance where applications are set to run similar to:
[docker_si] ERROR: iptables --wait -t nat -C DOCKER -p tcp -d 0/0 --dport 32769 -j DNAT --to-destination 169.254.3.3:5000 ! -i dockerApps. RC=1
[docker_si] ERROR: iptables --wait -t filter -C DOCKER ! -i dockerApps -o dockerApps -p tcp -d 169.254.3.3 --dport 5000 -j ACCEPT. RC=1
[docker_si] ERROR: iptables --wait -t nat -C POSTROUTING -p tcp -s 169.254.3.3 -d 169.254.3.3 --dport 5000 -j MASQUERADE. RC=1
[docker_si] ERROR: iptables --wait -t nat -C OUTPUT -d 127.0.0.11 -j DOCKER_OUTPUT. RC=2
Note: Applications can run on either the Console or App Host.

Resolving The Problem

Applications depend on the iptables rules loading correctly. If the rules are not loaded, communication with the application might be affected. To verify that the iptables rules are loaded correctly:
  1. Use SSH to log in to the Console.
  2. If the applications are running on an App Host, SSH from the Console to the App Host.
  3. Type the command:
    iptables --list
  4. If iptables is loaded into the kernel, look for a Chain DOCKER section with entries similar to:
    Chain DOCKER (2 references)
    target     prot opt source               destination
    ACCEPT     tcp  --  anywhere             169.254.3.2          tcp dpt:commplex-main
    ACCEPT     tcp  --  anywhere             169.254.3.8          tcp dpt:commplex-main
    ACCEPT     tcp  --  anywhere             169.254.3.5          tcp dpt:commplex-main
    ACCEPT     tcp  --  anywhere             169.254.3.6          tcp dpt:commplex-main
    ACCEPT     tcp  --  anywhere             169.254.3.7          tcp dpt:commplex-main
    ACCEPT     tcp  --  anywhere             169.254.3.3          tcp dpt:commplex-main
    ACCEPT     tcp  --  anywhere             169.254.3.10         tcp dpt:commplex-main
    
  5. If there are no destination IP addresses listed from step #4 on the appliance where applications are set to run, type the commands:
    systemctl restart iptables
    systemctl restart ip6tables
  6. Repeat steps #3 and #4.
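The check in steps 3 to 5 can be scripted so that an App Host health check reports the same condition the article asks you to look for by eye. The script below is an added example and is not part of the IBM article; it takes the log format and the `Chain DOCKER` layout from the article, and the sample `iptables --list` output and log lines it writes are constructed for offline testing.

```shell
#!/bin/sh
# Added example, not from the IBM article: scripts the check from the
# "Resolving The Problem" steps. Log format and chain layout come from the
# article; the sample files written below are constructed for offline testing.

# Count ACCEPT rules with an IPv4 destination inside the "Chain DOCKER" section
# of `iptables --list` output read on stdin. Other chains (e.g. DOCKER-USER)
# are skipped because the article only asks about Chain DOCKER.
docker_chain_destinations() {
    awk '/^Chain DOCKER / { in_docker = 1; next }
         /^Chain /        { in_docker = 0 }
         in_docker && $1 == "ACCEPT" && $5 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { n++ }
         END { print n + 0 }'
}

# Count "[docker_si] ERROR: iptables ..." lines in a qradar-iptables.log file ($1).
docker_si_errors() {
    grep -c '^\[docker_si\] ERROR: iptables ' "$1" || true   # grep exits 1 when the count is 0
}

# $1: file holding `iptables --list` output; $2: path of qradar-iptables.log.
# Returns 0 when the DOCKER chain has destinations and the log is clean,
# 1 when step 5 (restart iptables and ip6tables, then re-check) applies.
iptables_rules_loaded() {
    dests=$(docker_chain_destinations < "$1")
    errs=$(docker_si_errors "$2")
    echo "DOCKER destinations=$dests docker_si_errors=$errs"
    if [ "$dests" -gt 0 ] && [ "$errs" -eq 0 ]; then return 0; fi
    return 1
}

# Constructed samples: a populated DOCKER chain, an empty one, a clean log, a failing log.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/ok.txt" <<'EOF'
Chain DOCKER (2 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             169.254.3.2          tcp dpt:commplex-main
ACCEPT     tcp  --  anywhere             169.254.3.3          tcp dpt:commplex-main
Chain DOCKER-USER (1 references)
target     prot opt source               destination
EOF
printf 'Chain DOCKER (2 references)\ntarget     prot opt source               destination\n' > "$SAMPLE_DIR/empty.txt"
: > "$SAMPLE_DIR/clean.log"
echo '[docker_si] ERROR: iptables --wait -t nat -C OUTPUT -d 127.0.0.11 -j DOCKER_OUTPUT. RC=2' > "$SAMPLE_DIR/errors.log"

iptables_rules_loaded "$SAMPLE_DIR/ok.txt" "$SAMPLE_DIR/clean.log"
iptables_rules_loaded "$SAMPLE_DIR/empty.txt" "$SAMPLE_DIR/errors.log" || echo "restart iptables and ip6tables, then re-check"
```

On a live appliance, feed the real output instead of the sample files: `iptables --list | docker_chain_destinations` and `docker_si_errors /var/log/qradar-iptables.log`.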
     
Results

If the commands do not result in destination IP addresses in the output, or the table rules display an error in /var/log/qradar-iptables.log, your iptables might have an issue. Open a case with IBM QRadar Support to investigate the issue.

Document Location

Worldwide


Document Information

Modified date:
28 May 2020

UID

ibm16212210