Iptables rules for graylog


1. Describe your incident:

I have opened port 9000 in iptables, but I am still not able to access the GUI.
If I turn off iptables, then I can access the GUI.

Below are the rules I have set up in iptables.

-A RH-Firewall-1-INPUT -i eth0 -p tcp -m multiport --dports 9000,12201 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

-A RH-Firewall-1-OUTPUT -o eth0 -p tcp -m multiport --sports 9000,12201 -m conntrack --ctstate ESTABLISHED -j ACCEPT

The system doesn't have SELinux.

2. Describe your environment:

  • OS Information:
    Centos 8.4
  • Package Version:
    4.2
  • Service logs, configurations, and environment variables:

3. What steps have you already taken to try and solve the problem?

I stopped iptables and it worked.

4. How can the community help?
Please help with the iptables rules that need to be put in place.
I think I am putting in the right rules, but it's not working.


Hello,

If this is a cluster, I think you are missing a couple of ports, as shown here. This would depend on how the firewall is configured.

I assume you created a new chain called RH-Firewall-1-INPUT? Or did you rename the INPUT chain?

As for iptables commands, perhaps try one of these.

iptables -A INPUT -i eth0 -p tcp -m tcp --dport 9000 -m state --state NEW,ESTABLISHED -j ACCEPT
Or
iptables -A INPUT -p tcp -m tcp --dport 9000 -j ACCEPT

Have you checked the logs?

The iptables log file is found at either /var/log/syslog (Ubuntu and similar OSs) or /var/log/messages (CentOS and similar OSs).

Is it possible to show all the iptables configuration?

On another note, if iptables is configured like this: Chain INPUT (policy DROP)

Make sure you have DNS, NTP, etc… ports opened also.

I'm assuming the connection between Graylog and Elasticsearch is the default (i.e. localhost)?

EDIT: I forgot to ask: after executing your iptables command, I assume you saved it and restarted the iptables service?

This is not a cluster. It's a standalone Graylog setup.

Yes, I created a new chain.

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-OUTPUT  all  --  anywhere             anywhere

I added the rule below, but I am still getting the same issue.

-A INPUT -i eth0 -p tcp -m tcp --dport 9000 -m state --state NEW,ESTABLISHED -j ACCEPT

I don't see any log specific to an iptables issue in /var/log/messages.
Below is the complete iptables ruleset:

[root@j3chyvmsysl01 ~]# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N RH-Firewall-1-INPUT
-N RH-Firewall-1-OUTPUT
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A OUTPUT -j RH-Firewall-1-OUTPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 514 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 514 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --sport 123 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 161 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 8000 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 8089 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --sport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --sport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -p tcp -m tcp --sport 389 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -p udp -m udp --sport 389 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -p udp -m udp --sport 88 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -p udp -m udp --dport 88 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -p tcp -m tcp --sport 88 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -p tcp -m tcp --dport 88 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -p tcp -m tcp --sport 445 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -p tcp -m tcp --dport 445 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -p tcp -m tcp --sport 3268 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -p tcp -m tcp --dport 3268 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m state --state NEW,RELATED,ESTABLISHED -m udp --sport 635 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --sport 635 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -i eth0 -p tcp -m multiport --dports 9000,12201 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -p tcp -m tcp --dport 9000 -m state --state NEW,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-OUTPUT -p udp -m udp --sport 123 -j ACCEPT
-A RH-Firewall-1-OUTPUT -p udp -m udp --sport 161 -j ACCEPT
-A RH-Firewall-1-OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A RH-Firewall-1-OUTPUT -p tcp -m tcp --dport 8099 -j ACCEPT
-A RH-Firewall-1-OUTPUT -o eth0 -p udp -m udp --dport 389 -j ACCEPT
-A RH-Firewall-1-OUTPUT -o eth0 -p tcp -m tcp --dport 389 -j ACCEPT
-A RH-Firewall-1-OUTPUT -o eth0 -p udp -m udp --dport 88 -j ACCEPT
-A RH-Firewall-1-OUTPUT -o eth0 -p tcp -m tcp --dport 88 -j ACCEPT
-A RH-Firewall-1-OUTPUT -o eth0 -p tcp -m tcp --sport 88 -j ACCEPT
-A RH-Firewall-1-OUTPUT -o eth0 -p udp -m udp --sport 88 -j ACCEPT
-A RH-Firewall-1-OUTPUT -o eth0 -p tcp -m tcp --dport 445 -j ACCEPT
-A RH-Firewall-1-OUTPUT -o eth0 -p tcp -m tcp --sport 445 -j ACCEPT
-A RH-Firewall-1-OUTPUT -o eth0 -p tcp -m tcp --dport 3268 -j ACCEPT
-A RH-Firewall-1-OUTPUT -o eth0 -p tcp -m tcp --dport 3268 -j ACCEPT
-A RH-Firewall-1-OUTPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 635 -j ACCEPT
-A RH-Firewall-1-OUTPUT -p udp -m state --state NEW,RELATED,ESTABLISHED -m udp --dport 635 -j ACCEPT
-A RH-Firewall-1-OUTPUT -o eth0 -p tcp -m tcp --dport 464 -j ACCEPT
-A RH-Firewall-1-OUTPUT -o eth0 -p udp -m udp --dport 464 -j ACCEPT
-A RH-Firewall-1-OUTPUT -o eth0 -p tcp -m multiport --sports 9000,12201 -m conntrack --ctstate ESTABLISHED -j ACCEPT

Yes, after adding the iptables rules I saved them and restarted the iptables service.
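The ruleset posted above already shows why the rule order matters: iptables stops at the first terminating match, and in RH-Firewall-1-INPUT the catch-all `-j REJECT --reject-with icmp-host-prohibited` sits before the two ACCEPT rules for 9000 that were appended with `-A`, so a new connection to 9000 is rejected before those rules are ever consulted. The following is an added example, not code from the thread or from the Graylog project: a small first-match walker over `iptables -S` output that reproduces that behaviour on an abridged copy of the posted rules, then shows the effect of inserting the rule in front of the REJECT with `-I <chain> <n>` instead of appending it with `-A`. It only models the matches the posted rules use (-i, -p, --dport/--dports, --state/--ctstate, -j, user-chain jumps and chain policies); the test traffic and the abridged ruleset are constructed here.

```python
# Added example for this thread, not Graylog's or the posters' code: a first-match walk
# over `iptables -S` output. It models only what the posted rules use (-i, -p,
# --dport/--dports, --state/--ctstate, -j, user-chain jumps, chain policy); -s, -o,
# --sport, icmp types, -m recent and the like are ignored, so keep it to rulesets like POSTED.
import shlex
from collections import namedtuple
from dataclasses import dataclass, field

TERMINAL = {"ACCEPT", "DROP", "REJECT"}
Packet = namedtuple("Packet", "iface proto dport state")  # state: NEW/ESTABLISHED/RELATED

@dataclass
class Rule:
    chain: str
    text: str
    target: str = None
    iface: str = None
    proto: str = None
    dports: set = field(default_factory=set)
    states: set = field(default_factory=set)

def parse_dump(text):
    """Return ({chain: policy}, [Rule, ...]) in dump order; user chains get policy RETURN."""
    policies, rules = {}, []
    for line in text.strip().splitlines():
        tok = shlex.split(line)
        if tok[0] in ("-P", "-N"):
            policies[tok[1]] = tok[2] if tok[0] == "-P" else "RETURN"
            continue
        r = Rule(chain=tok[1], text=line)
        for flag, val in zip(tok, tok[1:]):  # every option we care about takes one value
            if flag == "-i":
                r.iface = val
            elif flag == "-p":
                r.proto = val
            elif flag in ("--dport", "--dports"):
                r.dports = {int(p) for p in val.split(",")}
            elif flag in ("--state", "--ctstate"):
                r.states = set(val.split(","))
            elif flag == "-j":
                r.target = val
        rules.append(r)
    return policies, rules

def matches(r, pkt):
    return ((r.iface is None or r.iface == pkt.iface)
            and (r.proto is None or r.proto == pkt.proto)
            and (not r.dports or pkt.dport in r.dports)
            and (not r.states or pkt.state in r.states))

def walk(policies, rules, pkt, chain="INPUT"):
    """First terminating match wins; a user chain RETURNs when exhausted; built-ins fall back to policy."""
    for r in rules:
        if r.chain != chain or not matches(r, pkt):
            continue
        if r.target in TERMINAL:
            return r.target, r.text
        if r.target in policies:  # jump into a user-defined chain
            verdict, text = walk(policies, rules, pkt, r.target)
            if verdict != "RETURN":
                return verdict, text
        # LOG and other non-terminating targets: keep walking
    return policies[chain], None

def insert_before_reject(dump, chain, spec):
    """Model `iptables -I <chain> <n> <spec>`, n being the REJECT's `iptables -L --line-numbers` slot."""
    lines, n = dump.strip().splitlines(), 0
    for idx, line in enumerate(lines):
        if line.startswith(f"-A {chain} "):
            n += 1
            if "-j REJECT" in line:
                lines.insert(idx, f"-A {chain} {spec}")
                return n, "\n".join(lines)
    raise ValueError(f"no REJECT rule in {chain}")

# Abridged from the `iptables -S` output posted in the thread (INPUT side only).
POSTED = """\
-P INPUT ACCEPT
-N RH-Firewall-1-INPUT
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -i eth0 -p tcp -m multiport --dports 9000,12201 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -p tcp -m tcp --dport 9000 -m state --state NEW,ESTABLISHED -j ACCEPT
"""
WEB_SYN = Packet("eth0", "tcp", 9000, "NEW")  # constructed: browser's first SYN to the web UI
GRAYLOG_WEB = "-i eth0 -p tcp -m tcp --dport 9000 -m conntrack --ctstate NEW -j ACCEPT"

if __name__ == "__main__":
    print("as posted:", walk(*parse_dump(POSTED), WEB_SYN))
    n, fixed = insert_before_reject(POSTED, "RH-Firewall-1-INPUT", GRAYLOG_WEB)
    print(f"after -I RH-Firewall-1-INPUT {n} ...:", walk(*parse_dump(fixed), WEB_SYN))
```

Run as posted, the NEW packet to 9000 ends at the REJECT rule; the ESTABLISHED packets of an already open connection are accepted by the RELATED,ESTABLISHED rule, which is why only the first SYN of the browser session is blocked and nothing shows up as an error on the Graylog side. On a live host the same fix is: read the REJECT's number from `iptables -L RH-Firewall-1-INPUT --line-numbers`, insert the 9000 rule at that number with `iptables -I RH-Firewall-1-INPUT <n> ...`, then save the ruleset as before; a rule appended after the REJECT with `-A` stays dead no matter how correct its match is.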

Hello,

Have you looked in other log files in this directory?

/var/log

Not sure if this would make a difference, but have you tried removing this old iptables config and only using one of those I showed above?

Get the line number:

sudo iptables -L --line-numbers

Then delete that line:

sudo iptables -D INPUT some_number

Not sure if this would help, but here is mine (INPUT). I do have a lot going on, though. I also configured logging for dropped packets.

-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N LOGINPUT
-N LOGOUTPUT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 9912 -m state --state NEW -m recent --set --name SSH --mask 255.255.255.255 --rsource
-A INPUT -i eth0 -p tcp -m tcp --dport 9912 -m state --state NEW -m recent --update --seconds 300 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 9912 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --sport 123 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 80 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 443 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 10050 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 10051 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 51430 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 51412 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 51420 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 51466 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 51440 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 51411 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 27017 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 27018 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -j LOGINPUT
-A INPUT -i eth0 -p tcp -m tcp --dport 9000 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 51430 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 10.10.10.10/32 -p tcp -m tcp --dport 9300:9400 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 389 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 389 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -s 10.10.11.11/32 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 50440 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 50440 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --sport 2055 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 2055 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 5987 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 2055 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --sport 51415 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --sport 5044 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 5044 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --sport 51420 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --sport 4739 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 5044 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 5044 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --sport 51415 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --sport 5044 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --sport 51420 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 5044 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --sport 4739 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 3000 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 9091 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 9833 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 3306 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -s 10.10.10.10/32 -p tcp -m tcp --dport 9300:9400 -j ACCEPT
-A INPUT -s 10.10.10.10/32 -p tcp -m tcp --dport 9200 -j ACCEPT
## Dropped Packets
-A LOGINPUT -m limit --limit 4/min -j LOG --log-prefix "DROP INPUT: "
-A LOGOUTPUT -m limit --limit 4/min -j LOG --log-prefix "DROP OUTPUT: "

I removed the older iptables rules and just kept the rule you suggested.
But still no difference.
Not sure what's wrong here.

I have to implement port forwarding from 514 to 1514, so I can't just stop iptables.

In the Graylog logs, I don't see any error. Obviously, as it's iptables blocking and Graylog is functioning normally.

Hello,

Sometimes you may get an info, warning or error on an issue that may lead to why this connection is failing. Like permissions, etc.

What I showed above works in my environment; not sure why you don't get a connection. If you're using Chrome, check the front end with Developer Tools. Maybe you can find a clue on what's going on.

When iptables is enabled, what do you see after executing this?

lsof -Pni :9000
