On 13/08/2012 07:47, Qian Zhang wrote:
Hi All,
I have a RHEL 6.2 machine which is set up as an OpenLDAP client, and I can log into it with an LDAP user. Now, for security reasons, I need to prohibit any non-root user from accessing the network:
# /etc/init.d/iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
1    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           ! owner UID match 0 reject-with icmp-port-unreachable
But if I did this in iptables, LDAP has problems: "getent passwd" cannot get any LDAP users, and I can no longer log into this machine with an LDAP user. So I think I need to open the LDAP ports in iptables; what I did is:

# /etc/init.d/iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spt:389 dpt:389
2    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spt:389 dpt:389
3    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           ! owner UID match 0 reject-with icmp-port-unreachable
But it did not work. Any ports I missed? Or is what I set up in iptables not correct? My /etc/openldap/ldap.conf:

URI ldap://172.17.27.159:389
BASE dc=base,dc=com
TLS_CACERTDIR /etc/openldap/cacerts
Allow connections to localhost for uid 0, then block anything else.
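An added example, not part of either message: a dry-run generator for an OUTPUT chain along the lines suggested in the reply. It assumes the LDAP server address from the quoted ldap.conf, that INPUT keeps its ACCEPT policy so server replies get back in, and that only the destination port needs matching (the quoted rules also required a source port of 389, which a client never uses, so they could not match).

```shell
#!/bin/sh
# Added example (not from either poster). Prints the iptables commands for review
# instead of applying them; run the output through "sh" as root to apply.

LDAP_SERVER=172.17.27.159   # from the quoted ldap.conf; assumption: still the server in use
IPT=${IPT:-iptables}

ldap_output_rules() {
    cat <<EOF
$IPT -F OUTPUT
# loopback stays open (local daemons such as nscd/nslcd/sssd talk over it)
$IPT -A OUTPUT -o lo -j ACCEPT
# root may talk to anything
$IPT -A OUTPUT -m owner --uid-owner 0 -j ACCEPT
# everyone may reach the LDAP server on 389; match only --dport, since the
# client side uses an ephemeral source port, never 389
$IPT -A OUTPUT -p tcp -d $LDAP_SERVER --dport 389 -j ACCEPT
$IPT -A OUTPUT -p udp -d $LDAP_SERVER --dport 389 -j ACCEPT
# everything else from non-root users is rejected
$IPT -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
EOF
}

ldap_output_rules
```

The generated set rejects all remaining outbound traffic, so the root ACCEPT and loopback ACCEPT must stay above the final REJECT.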