I am running 389 Directory Server on Fedora 14. When I use ldapsearch to connect to myserver.com:389 from localhost, it works fine. When I use ldapsearch to connect to myserver.com:389 from a different computer on the network and I have iptables running on the server, ldapsearch cannot connect to the server. When I turn off iptables on the server, ldapsearch on the other computer does connect to the server.
My iptables file is as follows:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 389 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 389 -m state --state NEW,ESTABLISHED -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -p tcp -m tcp --sport 389 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -m udp --sport 389 -m state --state ESTABLISHED -j ACCEPT
COMMIT
How should I fix my iptables so that I can run LDAP?
Best Answer
You need to reorder the rules. The line
-A INPUT -j REJECT --reject-with icmp-host-prohibited
precedes the allow lines
-A INPUT -p tcp -m tcp --dport 389 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 389 -m state --state NEW,ESTABLISHED -j ACCEPT
Move "-A INPUT -j REJECT --reject-with icmp-host-prohibited" below the ACCEPT lines I mentioned and reload the firewall.
You can try iptables-save > firewall
Edit the file firewall, move the line as I suggested, save, exit.
iptables-restore < firewall
Voila.
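The reorder the answer describes, as an added example (not the answerer's or the question's own script): a POSIX shell snippet that takes an iptables-save style dump, moves the INPUT chain's catch-all REJECT below the last INPUT ACCEPT, and checks the result. The rules are a constructed copy of the question's file; the function names and the use of awk and mktemp are my assumptions.

```shell
#!/bin/sh
# Constructed copy of the question's rules (sample input, not read from the running host).
RULES_IN="$(mktemp)"
cat > "$RULES_IN" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 389 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 389 -m state --state NEW,ESTABLISHED -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -p tcp -m tcp --sport 389 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -m udp --sport 389 -m state --state ESTABLISHED -j ACCEPT
COMMIT
EOF

# Rewrite a rules dump so the INPUT chain's catch-all REJECT comes after every other INPUT rule.
# iptables evaluates a chain top to bottom, so an ACCEPT placed below the catch-all is never reached.
# Usage: reorder_input_chain < in > out
reorder_input_chain() {
    awk '
        /^-A INPUT -j REJECT/ { held = held $0 "\n"; next }   # hold the catch-all reject
        /^-A INPUT /          { print; next }                 # other INPUT rules keep their order
        { if (held != "") { printf "%s", held; held = "" }   # first non-INPUT line: emit the held reject
          print }
    '
}

# Exit 0 when the INPUT catch-all REJECT sits below the last INPUT ACCEPT in the given file.
input_reject_is_last() {
    awk '
        /^-A INPUT -j REJECT/   { rej = NR }
        /^-A INPUT .*-j ACCEPT/ { acc = NR }
        END { exit !(rej > acc) }
    ' "$1"
}

RULES_OUT="$(mktemp)"
reorder_input_chain < "$RULES_IN" > "$RULES_OUT"
```

Review the rewritten file before loading it with iptables-restore; the script only handles the INPUT chain's catch-all reject and leaves every other line as it was.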