Splunk vs iptables
-
So I'm a relative newbie with using iptables. I have used them for years, but usually with fail2ban, and the occasional adding of a specific rule to allow a specific connection [like to allow someone to SSH from a specific IP]. Lastly, I just set up Splunk for the first time on a Windows 2012r2 server that I just stood up.
Splunk seems pretty straightforward and it all installed on the server without any issues. I added a receive port (default 9997).
I installed the Splunk universal forwarder on my Debian 9.8 Linux box (using the official Splunk .deb download). Knowing that iptables is going to trip me up, I added some rules:
# iptables -A INPUT -i eth0 -p tcp --dport 9997 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -o eth0 -p tcp --sport 9997 -m state --state NEW,ESTABLISHED -j ACCEPT
I get to the point where I add the forward server. I use a command similar to:
./splunk add forward-server 192.168.0.15:9997 -auth admin:changeme
I get the error: Couldn't complete HTTP request: Connection timed out
Okay so I check the windows firewall. I create a rule to allow all traffic from the linux server to the splunk server. I try again. Same thing. /grump
Alright so then it must be iptables since it drops most things. I go back to the Linux server and issue these:
iptables --policy INPUT ACCEPT
iptables --policy OUTPUT ACCEPT
I run the command. Bingo.
Added forwarding to: 192.168.0.15:9997.
So now my question... now that it appears to be working I would add data to forward... but I don't want to leave iptables wide open. Anyone knowledgeable with Splunk and iptables who can help me close this back up?
I could do something like:
iptables -A INPUT -s 192.168.0.15 -j ACCEPT
iptables -A OUTPUT -s 192.168.0.15 -j ACCEPT
But I would really like to lock this down to just the ports that Splunk needs. I'm obviously missing something.
note: I've tried adding a few more ports (8089 and 8000) to be accepted on INPUT and OUTPUT. I've googled it about 30 different times and pored through Splunk's help docs and am stuck.
note2: ips changed to protect the innocent.
Thanks!
-
People seem to be happy with this guy's answer.
https://answers.splunk.com/answers/58888/what-are-the-ports-that-i-need-to-open.html
-
@IRJ Yeah I already read that and opened those three ports. Still doesn't work. /boggle.
I also tried
iptables -A INPUT -s 192.168.0.15 -j ACCEPT
and that doesn't work either. But if I change
iptables --policy INPUT ACCEPT
everything works as expected.
-
What about 514?
-
That is odd.... hmm
Do you have any way of monitoring flow?
-
Output should be -d for destination:
iptables -A OUTPUT -d 192.168.0.15 -j ACCEPT
-
@IRJ said in Splunk vs iptables:
iptables -A OUTPUT -o eth0 -p tcp --sport 9997 -m state --state NEW,ESTABLISHED -j ACCEPT
Looks like the solution was
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
Or at least that got it working.
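A locked-down ruleset that matches what the thread found, as an added example and not something anyone in the thread posted: the forwarder only ever opens an outbound connection to the indexer's receive port, the splunk CLI itself talks to the local splunkd REST API over loopback (which is why blocking lo broke `add forward-server`), and everything else stays at default DROP. The indexer address and port 9997 come from the thread; the eth0 interface and the DNS server 192.168.0.1 are assumptions.

```shell
# Added example (not from the thread): minimal iptables ruleset for a
# Splunk universal forwarder host with INPUT/OUTPUT default DROP.
# Assumptions: indexer 192.168.0.15:9997 (from the thread), outbound
# interface eth0 and DNS resolver 192.168.0.1 (constructed values).

INDEXER="${INDEXER:-192.168.0.15}"
RECV_PORT="${RECV_PORT:-9997}"
DNS="${DNS:-192.168.0.1}"
IFACE="${IFACE:-eth0}"

# Emit the ruleset in iptables-save format; apply with:
#   splunk_fwd_rules | iptables-restore
splunk_fwd_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback: the splunk CLI reaches local splunkd on https://127.0.0.1:8089,
# so with lo blocked 'splunk add forward-server' times out.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Replies to connections this host opened (forwarder -> indexer is outbound,
# so no INPUT rule for 9997 is needed on the forwarder at all).
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# The one new outbound connection the forwarder needs: the indexer receive port.
-A OUTPUT -o $IFACE -p tcp -d $INDEXER --dport $RECV_PORT -m conntrack --ctstate NEW -j ACCEPT
# DNS, so the indexer may be given by name (remove if you only use the IP).
-A OUTPUT -o $IFACE -p udp -d $DNS --dport 53 -j ACCEPT
# Keep any existing INPUT allow rules (e.g. SSH from the admin IP) here.
COMMIT
EOF
}

# Sanity check: no --sport 9997 OUTPUT rule (the original mistake), no INPUT
# rule for 9997, and the loopback accept must be present. Returns 0 when sane.
check_rules() {
  splunk_fwd_rules | grep -q -- "--sport $RECV_PORT" && return 1
  splunk_fwd_rules | grep -q -- "-A INPUT.*--dport $RECV_PORT" && return 1
  splunk_fwd_rules | grep -q -- "-A INPUT -i lo -j ACCEPT" || return 1
  return 0
}
```

With OUTPUT at default DROP, anything else the box needs outbound (apt, NTP) has to get its own rule, so review the list before piping it into iptables-restore.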