iptables weird behavior after reboot #9047
-
Hello everybody!!! After a few days of hard work I have managed to deploy an SO (2.3.140 - on-premise - iso version) that is ingesting events sent by various servers through syslog. I have allowed the servers' source IPs with so-allow/so-firewall, customized the pipelines, dashboards and everything was working fine, until a reboot was done: only the logs of some servers are being ingested (same pipeline, same index...). After some testing it seems that the traffic from some servers matches the iptables INPUT rule (and the traffic is dropped) and others the FORWARD rule (and the events are routed to the elastic docker and ingested): same syslog format, same protocol (UDP), same port, etc... (verified with custom LOG rules, tcpdump and logs in messages). This is the first time I see this weird behavior. The IPs of all the servers are in the chain DOCKER-USER with the same config, and as can be seen, some rules match traffic and others don't, even though the traffic is arriving (verified with tcpdump):
2252K 440M ACCEPT udp -- * * 10.1.100.35 0.0.0.0/0 udp dpt:514
Any idea what is happening? Thank you all in advance and thanks for this great platform. [After the reboot and after seeing this behavior, I have tried restarting services (so-elastic-restart, so-elasticsearch-restart), removing and adding IPs (so-allow, so-firewall, so-firewall apply, iptables...)...]
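The diagnostic the post relies on, checking which DOCKER-USER rules are actually matching packets, can be scripted so it is repeatable after every reboot. The functions below are an added example and are not part of the original discussion or of Security Onion; they parse the listing that `iptables -L DOCKER-USER -nv` prints (use `-nvx` for exact, unabbreviated counters), list the allowed source addresses whose rule has never matched, and compare two listings taken a few seconds apart to find rules whose counter is not moving even though tcpdump shows traffic from that source. The sample listings are constructed; only the 10.1.100.35 counter line comes from the post, and the other addresses are hypothetical.

```shell
# Added example, not from the original discussion.
# Constructed sample of `iptables -L DOCKER-USER -nv` output; only the
# 10.1.100.35 line is taken from the post, the other rules are hypothetical.
SAMPLE_DOCKER_USER='Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination
2252K  440M ACCEPT     udp  --  *      *       10.1.100.35          0.0.0.0/0            udp dpt:514
    0     0 ACCEPT     udp  --  *      *       10.1.100.36          0.0.0.0/0            udp dpt:514
 812K  160M ACCEPT     udp  --  *      *       10.1.100.37          0.0.0.0/0            udp dpt:514
    0     0 ACCEPT     udp  --  *      *       10.1.100.38          0.0.0.0/0            udp dpt:514'

# A second constructed listing, as if taken a few seconds later: only the
# 10.1.100.35 counter has advanced.
SAMPLE_DOCKER_USER_LATER='Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination
2253K  441M ACCEPT     udp  --  *      *       10.1.100.35          0.0.0.0/0            udp dpt:514
    0     0 ACCEPT     udp  --  *      *       10.1.100.36          0.0.0.0/0            udp dpt:514
 812K  160M ACCEPT     udp  --  *      *       10.1.100.37          0.0.0.0/0            udp dpt:514
    0     0 ACCEPT     udp  --  *      *       10.1.100.38          0.0.0.0/0            udp dpt:514'

# Column layout of `iptables -L <chain> -nv`:
#   $1 pkts  $2 bytes  $3 target  $4 prot  $5 opt  $6 in  $7 out  $8 source  $9 destination
# Header and "Chain ..." lines are skipped because their $3 is not ACCEPT.

# Print the source address of every ACCEPT rule whose packet counter is 0.
# Reads a chain listing from stdin, so it works on the samples above or on
# live output:  iptables -L DOCKER-USER -nv | zero_hit_sources
zero_hit_sources() {
    awk '$3 == "ACCEPT" && $1 == "0" { print $8 }'
}

# Count the ACCEPT rules that have matched at least one packet.
hit_count() {
    awk '$3 == "ACCEPT" && $1 != "0" { n++ } END { print n + 0 }'
}

# Compare two listings saved to files ($1 = earlier, $2 = later) and print
# the sources whose packet counter did not change between them. Traffic that
# tcpdump shows arriving from such a source is being handled by another chain
# (for example INPUT, where the post saw it dropped) instead of DOCKER-USER.
# Take the snapshots with `iptables -L DOCKER-USER -nvx` so small deltas are
# not hidden by the K/M abbreviation.
stalled_sources() {
    awk 'NR == FNR { if ($3 == "ACCEPT") before[$8] = $1; next }
         $3 == "ACCEPT" && ($8 in before) && before[$8] == $1 { print $8 }' "$1" "$2"
}

# Stand-alone demonstration on the constructed samples.
printf 'Rules that never matched:\n'
printf '%s\n' "$SAMPLE_DOCKER_USER" | zero_hit_sources
printf 'Rules with traffic: %s\n' "$(printf '%s\n' "$SAMPLE_DOCKER_USER" | hit_count)"
```

On a live box, save two `iptables -L DOCKER-USER -nvx` listings a few seconds apart and run `stalled_sources before.txt after.txt`; any source it prints while `tcpdump -ni any udp port 514 and host <source>` shows packets is traffic that never reaches the DOCKER-USER chain, which narrows the problem to the chain the packet is taking rather than to the allow rule itself.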
Replies: 1 comment 2 replies
-
Done!!! Restart rsyslog on the servers and everything works fine again.