Firewall with Beats

Threepwood · September 28, 2017, 2:41pm

Hello,

I just set up the elk suite
I installed filebeat on a client machine, but this one to iptables rules.
I have to fight with, I can not let pass filebeat.
if I disable the iptables, filebeat communicates perfectly.
someone would have a clear idea of the rules to set up for filebeat (specifying the ip of the machine elk) ?
Thank you for your help.

andrewkroh · September 28, 2017, 2:53pm

We would need a bit more context about how your other rules are setup, but in general you'll need a rule to allow outgoing TCP traffic to the destination server. For example, this would be to Logstash at 192.0.2.0:5044.

iptables --append OUTPUT --match tcp --protocol tcp --dst 192.0.2.1 --dport 5044 --jump ACCEPT

Threepwood · September 29, 2017, 9:07am

thank Andew,

I tested this rule, but it still does not work.
here is what I have in the logs (filebeat):

ipclient (IP address of the client machine with Filebeat)
ipserverELK (IP address of the destination server with the ELK suite)

2017-09-29T10:59:27+02:00 ERR Failed to publish events caused by: read tcp ipclient:55596->ipserverELK:5044: i/o timeout
2017-09-29T10:59:27+02:00 INFO Error publishing events (retrying): read tcp ipclient:55596->ipserverELK:5044: i/o timeout
2017-09-29T10:59:41+02:00 INFO Non-zero metrics in the last 30s: libbeat.logstash.publish.read_errors=1 libbeat.logstash.published_but_not_acked_events=2037

in my iptables rules, I have emptied everything, I left only that:

iptables -t filter -F
iptables -t filter -X
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A OUTPUT -o lo -j ACCEPT

iptables -t filter -A INPUT -p icmp -j ACCEPT
iptables -t filter -A OUTPUT -p icmp -j ACCEPT

thanks !

andrewkroh · September 29, 2017, 4:38pm

It looks like you have your DROP rules before any of your other rules so all packets in/out/forwarded are going to be dropped. Showing the rules using sudo iptables -L -n will show their true order. Typically you want the DROP rules to be last.

iptables -F
iptables -X
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -j DROP
iptables -A OUTPUT -o lo -j ACCEPT 
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT
iptables -A OUTPUT -m tcp -p tcp --dst [logstash_IP] --dport 5044 -j ACCEPT
iptables -A OUTPUT -j DROP
iptables -A FORWARD -j DROP

system · October 19, 2017, 2:42pm

This topic was automatically closed after 21 days. New replies are no longer allowed.