IBM QRadar

  • 1.  iptables prerouting to redirect port

    Posted Thu March 19, 2020 02:47 PM
    Hi,
    I am trying to redirect traffic coming to port 514 to port 517, only for source 10.0.0.198.
    I am adding the following line to the file /opt/qradar/conf/iptables.pre

    -A PREROUTING -s 10.0.0.198/32 -p udp -m udp --dport 514 -j REDIRECT --to-ports 517
    I also tried adding the line as:
    -t nat -A PREROUTING -s 10.0.0.198/32 -p udp -m udp --dport 514 -j REDIRECT --to-ports 517  
    -A PREROUTING -t nat -s 10.0.0.198/32 -p udp -m udp --dport 514 -j REDIRECT --to-ports 517 
    -A PREROUTING -s 10.0.0.198/32 -d 0/0 -p udp -m udp --dport 514 -j REDIRECT --to-ports 517

    When I tried to run /opt/qradar/bin/iptables_update.pl for all alternatives, the iptables service failed to start with an error. When I remove the line from the iptables.pre file, the iptables service restarts as expected.

    QRadar: How to edit iptables rules in QRadar? 
    In this document, the "Another use of iptables in QRadar" section explains that we can redirect a port, but I could not make it work.

    Could you please help me to solve the issue?

    The qradar-iptables.log file shows these lines:
    ------------------------------------------------
    iptables: Applying firewall rules: iptables-restore v1.4.21: The -t option (seen in line 23) cannot be used in iptables-restore.
    iptables.init[11336]: Error occurred at line: 23
    Try `iptables-restore -h' or 'iptables-restore --help' for more information.
    iptables.init[11336]: [FAILED]
    iptables.service: main process exited, code=exited, status=1/FAILURE
    Failed to start IPv4 firewall with iptables.

    ------------------------------
    Hasan Erhan AYDINOĞLU
    ------------------------------
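
The log in post 1 shows iptables-restore rejecting the -t option inside a rules file; in that file format the table is selected by a `*nat` header line instead. The shell script below is an added example, not part of any post in this thread and not QRadar code: it checks a rule fragment for that problem and wraps it as a stand-alone nat-table ruleset. The function names are hypothetical, the sample fragments are constructed from the rules quoted in the post, and nothing is assumed about how iptables_update.pl assembles its files.

```shell
#!/bin/sh
# Added example (not QRadar code). iptables-restore input names the table on a
# "*nat" header line, so the rule lines themselves must not carry -t/--table.

# check_fragment FILE: report offending rule lines; non-zero exit if any.
check_fragment() {
    awk '
        /^[ \t]*(#|$)/ { next }                       # skip comments and blanks
        {
            reason = ""
            for (i = 1; i <= NF; i++)
                if ($i == "-t" || $i == "--table") reason = "table option"
            if (reason == "" && $1 != "-A" && $1 != "-I")
                reason = "rule must start with -A or -I"
            if (reason != "") { printf "line %d: %s: %s\n", NR, reason, $0; bad = 1 }
        }
        END { exit bad }
    ' "$1"
}

# wrap_nat FILE: print a complete nat-table ruleset, or fail if the check does.
wrap_nat() {
    check_fragment "$1" >&2 || return 1
    printf '*nat\n'
    grep -Ev '^[[:space:]]*(#|$)' "$1"
    printf 'COMMIT\n'
}

# Constructed sample fragments, using the rule forms quoted in the thread.
tmp=$(mktemp -d)
cat > "$tmp/good" <<'EOF'
-A PREROUTING -s 10.0.0.198/32 -p udp -m udp --dport 514 -j REDIRECT --to-ports 517
EOF
cat > "$tmp/bad" <<'EOF'
-t nat -A PREROUTING -s 10.0.0.198/32 -p udp -m udp --dport 514 -j REDIRECT --to-ports 517
-A PREROUTING -t nat -s 10.0.0.198/32 -p udp -m udp --dport 514 -j REDIRECT --to-ports 517
EOF

wrap_nat "$tmp/good"                     # prints *nat, the rule, COMMIT
wrap_nat "$tmp/bad" || echo "fragment rejected"
# As root, the accepted output can be parsed without being applied:
#   wrap_nat "$tmp/good" | iptables-restore --test
```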


  • 2.  RE: iptables prerouting to redirect port

    Posted Sun March 22, 2020 09:45 AM

    Create folder /opt/Qradar/conf/nat.pre

    Create file in the folder with your rules.

      -A PREROUTING -p tcp -s ip --dport …



    ------------------------------
    Qiao Xin
    ------------------------------



  • 3.  RE: iptables prerouting to redirect port

    Posted Mon March 23, 2020 02:12 AM
    Hi Qiao,
    Thanks for the comment.
    After I did what you suggested, the iptables rules don't show the prerouting rule that I inserted using the nat.pre file.

    [root@qradar conf]# cat /opt/qradar/conf/nat.pre
    -A PREROUTING -s 10.0.0.198/32 -p udp -m udp --dport 514 -j REDIRECT --to-ports 517

    [root@qradar conf]# iptables -L -n -t nat
    Chain PREROUTING (policy ACCEPT)
    target prot opt source destination
    DOCKER all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
    Chain INPUT (policy ACCEPT)
    .....
    ...

    Any idea?
    Thanks


    ------------------------------
    Hasan Erhan AYDINOĞLU
    ------------------------------



  • 4.  RE: iptables prerouting to redirect port

    Posted Mon March 23, 2020 04:22 PM
    Is there any idea about the issue?

    Thanks

    ------------------------------
    Hasan Erhan AYDINOĞLU
    ------------------------------



  • 5.  RE: iptables prerouting to redirect port

    Posted Tue March 24, 2020 09:44 PM
    Create a file under the folder instead. You created a file using the folder name.

    I think you need to restart iptables.

    ------------------------------
    qx
    ------------------------------



  • 6.  RE: iptables prerouting to redirect port

    Posted Wed March 25, 2020 09:27 AM
    Hi Qiao

    I did what you said.
    [root@qradar ~]# cat /opt/qradar/conf/nat.pre/iptables.pre
    -A PREROUTING -s 10.0.0.198/32 -p udp -m udp --dport 514 -j REDIRECT --to-ports 517
    [root@qradar ~]#

    And I restarted iptables using /opt/qradar/bin/iptables_update.pl.
    When I check the prerouting tables, I cannot see the rule that I added.

    [root@qradar ~]# iptables -L -n -t nat
    Chain PREROUTING (policy ACCEPT)
    target prot opt source destination
    DOCKER all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
    Chain INPUT (policy ACCEPT)

    Is there any idea about the issue?
    Thanks


    ------------------------------
    Hasan Erhan AYDINOĞLU
    ------------------------------



  • 7.  RE: iptables prerouting to redirect port

    Posted Wed March 25, 2020 10:49 AM
    Hello! I don't know radar and I don't know why I should create a folder! What's going on here?






  • 8.  RE: iptables prerouting to redirect port

    Posted Wed March 25, 2020 02:53 PM
    Hi Qiao,
    I think that even though it does not show in the iptables rules, it is redirecting traffic. I am now able to see some events coming to port 517. But it should also show up in the iptables -L -n -t nat command.
    Thanks

    ------------------------------
    Hasan Erhan AYDINOĞLU
    ------------------------------