
Re: How to enable LDAP ports in iptables for OpenLDAP client node




On 13/08/2012 07:47, Qian Zhang wrote:
Hi All,

I have a RHEL 6.2 machine which is set up as an OpenLDAP client, and I
can log into it with an LDAP user.
Now, for security reasons, I need to prohibit any non-root user from
accessing the network:

# /etc/init.d/iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
1    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           ! owner UID match 0 reject-with icmp-port-unreachable

But when I do this in iptables, LDAP has problems: "getent passwd" cannot
get any LDAP users, and I can no longer log into this machine with an
LDAP user. So I think I need to open the LDAP ports in iptables; what I
did is:
# /etc/init.d/iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spt:389 dpt:389
2    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spt:389 dpt:389
3    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           ! owner UID match 0 reject-with icmp-port-unreachable


But it did not work. Did I miss any ports? Or is what I set up in iptables
incorrect? My /etc/openldap/ldap.conf:

URI ldap://172.17.27.159:389
BASE dc=base,dc=com
TLS_CACERTDIR /etc/openldap/cacerts

Allow connections to localhost for uid 0, then block everything else.

--
Thank you,

Mark Adrian Coetser
mark@pkfnet.co.za
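Added example, written for this page and not code from either poster: a POSIX shell script that generates (and, when run with `apply`, installs) an OUTPUT chain for the setup described in the quoted question. It assumes the server from the quoted ldap.conf (172.17.27.159, port 389; both overridable through the LDAP_SERVER and LDAP_PORT environment variables, which are this example's own names). Two things it does differently from the quoted rule set: it matches only the destination address and port, because the client side of a TCP connection uses an ephemeral source port, so a rule that also requires spt:389 never matches; and it lets every local user reach the LDAP server, not only uid 0, because name-service lookups on RHEL 6 typically go through a daemon (nslcd) that does not run as root. Loopback traffic is accepted for everyone, which covers the localhost part of the reply above.

```shell
#!/bin/sh
# Added example (not from the original thread): egress rules for an OpenLDAP
# client where only root may use the network, except that every process may
# reach the LDAP server so NSS/PAM lookups keep working.
# Assumed defaults: the server from the quoted ldap.conf; override with
# LDAP_SERVER / LDAP_PORT in the environment.
LDAP_SERVER="${LDAP_SERVER:-172.17.27.159}"
LDAP_PORT="${LDAP_PORT:-389}"

# Print the rule set as iptables commands. Order matters: -A appends, so the
# catch-all REJECT must be emitted last. Only the destination port is matched;
# the client uses an ephemeral source port, so a rule that also demands
# --sport 389 (spt:389 in the quoted output) never matches any packet.
ldap_egress_rules() {
    server="$1"
    port="$2"
    cat <<EOF
iptables -F OUTPUT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner 0 -j ACCEPT
iptables -A OUTPUT -p tcp -d $server --dport $port -j ACCEPT
iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
EOF
}

# Sanity check for a generated or pasted rule list read from stdin: fail if
# any rule pins the client's source port, which is the mistake in the quoted
# "iptables status" output. Returns 0 when the list is clean, 1 otherwise.
check_no_source_port() {
    if grep -q -e '--sport' -e 'spt:'; then
        return 1
    fi
    return 0
}

case "${1:-show}" in
    apply) ldap_egress_rules "$LDAP_SERVER" "$LDAP_PORT" | sh -e ;;
    show)  ldap_egress_rules "$LDAP_SERVER" "$LDAP_PORT" ;;
    *)     echo "usage: $0 [show|apply]" >&2; exit 2 ;;
esac
```

Run it without arguments to review the rules, then `sh script.sh apply` as root to install them; on RHEL 6 follow that with `/etc/init.d/iptables save` so the chain survives a restart. If the client is later switched to ldaps:// the same script applies with LDAP_PORT=636. Note that `-F OUTPUT` discards any existing OUTPUT rules before installing these.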