Allow outgoing LDAPS (TCP port 636) client requests from the firewall host 202.54.1.20, and accept only the established reply traffic back in:
iptables -A OUTPUT -p tcp -s 202.54.1.20 --sport 1024:65535 -d 0/0 --dport 636 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --sport 636 -d 202.54.1.20 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
Can I restrict LDAPS outgoing client request to subnet 192.168.0.0/24? If so please let me know the rule
Thanks
The rule is nearly identical. iptables should take the network notation you noted:
iptables -A OUTPUT -p tcp -s 202.54.1.20 --sport 1024:65535 -d 192.168.0.0/24 --dport 636 -m state --state NEW,ESTABLISHED -j ACCEPT
You did say an outgoing request right? If you meant the opposite, switch the “-d” argument with the “-s” argument. As a side note, both “-d” and “-s” can be noted in long form with “--destination” or “--source”, respectively, making your rule more readable.
Also, the “-A” parameter “appends” a rule to an existing chain. Be careful you are not appending one rule that does something different from the rule you really want. You could end up with unintended “holes” in your firewall.
% sudo /sbin/iptables -L
Will tell you what is currently loaded in your iptables chain.
Thanks for explaining iptables rules. I’m new to Linux and Iptables.
I would like to add an easier rule with no LDAP server IP defined
/sbin/iptables -A OUTPUT -p udp --sport 1024:65535 --dport 389 -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp --sport 1024:65535 --dport 389 -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -p udp --sport 1024:65535 --dport 636 -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp --sport 1024:65535 --dport 636 -m state --state NEW,ESTABLISHED -j ACCEPT
With the LDAP server IP where 10.101.1.100 is my LDAP server
/sbin/iptables -A OUTPUT -p udp -d 10.101.1.100 --sport 1024:65535 --dport 389 -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp -d 10.101.1.100 --sport 1024:65535 --dport 389 -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -p udp -d 10.101.1.100 --sport 1024:65535 --dport 636 -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp -d 10.101.1.100 --sport 1024:65535 --dport 636 -m state --state NEW,ESTABLISHED -j ACCEPT