Firewall with Beats


#1

Hello,

I just set up the ELK suite.
I installed Filebeat on a client machine, but this one has iptables rules.
I have been fighting with it; I cannot get Filebeat through.
If I disable iptables, Filebeat communicates perfectly.
Would someone have a clear idea of the rules to set up for Filebeat (specifying the IP of the ELK machine)?
Thank you for your help.


(Andrew Kroh) #2

We would need a bit more context about how your other rules are set up, but in general you'll need a rule to allow outgoing TCP traffic to the destination server. For example, this would be to Logstash at 192.0.2.0:5044.

iptables --append OUTPUT --match tcp --protocol tcp --dst 192.0.2.1 --dport 5044 --jump ACCEPT


#3

Thank you Andrew,

I tested this rule, but it still does not work.
Here is what I have in the logs (Filebeat):

ipclient (IP address of the client machine with Filebeat)
ipserverELK (IP address of the destination server with the ELK suite)

2017-09-29T10:59:27+02:00 ERR Failed to publish events caused by: read tcp ipclient:55596->ipserverELK:5044: i/o timeout
2017-09-29T10:59:27+02:00 INFO Error publishing events (retrying): read tcp ipclient:55596->ipserverELK:5044: i/o timeout
2017-09-29T10:59:41+02:00 INFO Non-zero metrics in the last 30s: libbeat.logstash.publish.read_errors=1 libbeat.logstash.published_but_not_acked_events=2037

In my iptables rules, I have emptied everything; I left only this:

iptables -t filter -F
iptables -t filter -X
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A OUTPUT -o lo -j ACCEPT

iptables -t filter -A INPUT -p icmp -j ACCEPT
iptables -t filter -A OUTPUT -p icmp -j ACCEPT

Thanks!


(Andrew Kroh) #4

It looks like you have your DROP rules before any of your other rules so all packets in/out/forwarded are going to be dropped. Showing the rules using sudo iptables -L -n will show their true order. Typically you want the DROP rules to be last.

iptables -F
iptables -X
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT   # replies to our own connections (e.g. Logstash's SYN/ACK) must be let back in
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -j DROP
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT
iptables -A OUTPUT -m tcp -p tcp --dst [logstash_IP] --dport 5044 -j ACCEPT
iptables -A OUTPUT -j DROP
iptables -A FORWARD -j DROP
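To make the ordering point from posts #2 and #4 concrete, here is an added example (not code from this thread, from Elastic, or from iptables itself): a small Python model of the filter table in which rules are tried in order, the first match decides, and the chain policy set with -P is the fallback used only when no rule matched. It pushes the three packets of a Filebeat to Logstash:5044 TCP handshake through two rule sets: the one from post #3, and post #4's ordering with the INPUT RELATED,ESTABLISHED accept from post #3 carried over so the reply from Logstash can come back in. The addresses (192.0.2.1 for Logstash, 198.51.100.10 for the client) and the reduction of conntrack to a per-packet state label are constructed assumptions for the model.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed teaching model of the netfilter "filter" table, not iptables
# or Filebeat code: rules in a chain are tried top to bottom, the first
# match decides, and the chain policy (-P) only applies when nothing matched.
# Conntrack is simplified to a state label carried on each packet.

@dataclass
class Packet:
    chain: str                            # "INPUT" or "OUTPUT"
    proto: str                            # "tcp" or "icmp"
    iface: str = "eth0"                   # "lo" for loopback traffic
    dst: str = ""                         # destination address
    dport: int = 0                        # destination port
    state: str = "NEW"                    # NEW / ESTABLISHED / RELATED
    flags: FrozenSet[str] = frozenset()   # TCP flags set on the packet

@dataclass
class Rule:
    target: str                                          # ACCEPT / DROP
    proto: Optional[str] = None                          # -p
    iface: Optional[str] = None                          # -i / -o
    dst: Optional[str] = None                            # --dst
    dport: Optional[int] = None                          # --dport
    states: Optional[FrozenSet[str]] = None              # -m state --state
    tcp_flags: Optional[Tuple[FrozenSet[str], FrozenSet[str]]] = None  # --tcp-flags MASK COMP

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.iface is not None and p.iface != self.iface:
            return False
        if self.dst is not None and p.dst != self.dst:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.states is not None and p.state not in self.states:
            return False
        if self.tcp_flags is not None:
            mask, comp = self.tcp_flags       # flags under MASK must equal COMP
            if p.proto != "tcp" or (p.flags & mask) != comp:
                return False
        return True

class Chain:
    def __init__(self, policy: str):
        self.policy = policy                  # iptables -P
        self.rules: List[Rule] = []

    def append(self, rule: Rule) -> "Chain":  # iptables -A
        self.rules.append(rule)
        return self

    def verdict(self, p: Packet) -> Tuple[str, Optional[int]]:
        """Return (target, rule number); rule number None means the policy decided."""
        for n, rule in enumerate(self.rules, 1):
            if rule.matches(p):
                return rule.target, n
        return self.policy, None

EST = frozenset({"RELATED", "ESTABLISHED"})
LOGSTASH_IP = "192.0.2.1"      # placeholder address from the thread's example
CLIENT_IP = "198.51.100.10"    # constructed address of the Filebeat host

def ruleset_post3() -> Dict[str, Chain]:
    """Post #3: policy DROP on both chains, then ESTABLISHED/RELATED, loopback and ICMP."""
    def build() -> Chain:
        return (Chain("DROP").append(Rule("ACCEPT", states=EST))
                .append(Rule("ACCEPT", iface="lo")).append(Rule("ACCEPT", proto="icmp")))
    return {"INPUT": build(), "OUTPUT": build()}

def ruleset_post4() -> Dict[str, Chain]:
    """Post #4's ordering with explicit DROP rules last; the INPUT
    RELATED,ESTABLISHED accept is carried over from post #3 (assumption)."""
    fin_syn = frozenset({"FIN", "SYN"})
    syn_rst = frozenset({"SYN", "RST"})
    inp = (Chain("ACCEPT").append(Rule("ACCEPT", iface="lo")).append(Rule("ACCEPT", states=EST))
           .append(Rule("DROP", proto="tcp", tcp_flags=(fin_syn, fin_syn)))
           .append(Rule("DROP", proto="tcp", tcp_flags=(syn_rst, syn_rst)))
           .append(Rule("ACCEPT", proto="icmp")).append(Rule("DROP")))
    out = (Chain("ACCEPT").append(Rule("ACCEPT", iface="lo")).append(Rule("ACCEPT", states=EST))
           .append(Rule("ACCEPT", proto="icmp"))
           .append(Rule("ACCEPT", proto="tcp", dst=LOGSTASH_IP, dport=5044)).append(Rule("DROP")))
    return {"INPUT": inp, "OUTPUT": out}

def trace_handshake(chains: Dict[str, Chain]) -> List[Tuple[str, str, Optional[int]]]:
    """Walk a Filebeat -> Logstash:5044 TCP handshake through the chains and
    record each verdict; stop at the first drop (the point where Filebeat times out)."""
    packets = [
        ("SYN out", Packet("OUTPUT", "tcp", dst=LOGSTASH_IP, dport=5044, state="NEW", flags=frozenset({"SYN"}))),
        ("SYN/ACK in", Packet("INPUT", "tcp", dst=CLIENT_IP, dport=55596, state="ESTABLISHED", flags=frozenset({"SYN", "ACK"}))),
        ("ACK out", Packet("OUTPUT", "tcp", dst=LOGSTASH_IP, dport=5044, state="ESTABLISHED", flags=frozenset({"ACK"}))),
    ]
    steps = []
    for label, pkt in packets:
        target, num = chains[pkt.chain].verdict(pkt)
        steps.append((label, target, num))
        if target != "ACCEPT":
            break
    return steps

if __name__ == "__main__":
    for name, chains in (("post #3", ruleset_post3()), ("post #4", ruleset_post4())):
        print(name, trace_handshake(chains))
```

Running it shows the difference: with the post #3 set the very first outbound SYN is a NEW flow that no rule matches, so the OUTPUT policy drops it and the handshake never starts; with the post #4 ordering the SYN is accepted by the explicit port 5044 rule, and the reply and final ACK pass on the RELATED,ESTABLISHED rules. The same first-match walk is what `iptables -L -n --line-numbers` lets you read off on a real host.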
