Linux Iptables allow LDAPS outgoing client request via firewall

by on August 3, 2005 · 4 comments· LAST UPDATED August 3, 2005

in

Allow outgoing LDAPS client request from firewall host 202.54.1.20:
iptables -A OUTPUT -p tcp -s 202.54.1.20 --sport 1024:65535 -d 0/0 --dport 636 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A INPUT -p tcp -s 0/0 --sport 636 -d 202.54.1.20 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

TwitterFacebookGoogle+PDF versionFound an error/typo on this page? Help us!

{ 4 comments… read them below or add one }

1 Anonymous August 4, 2005 at 12:48 pm

Can I restrict LDAPS outgoing clinet request to subnet 192.168.0.0/24? If so please leeme know the rule

Thanks

Reply

2 Timothy Stone August 7, 2005 at 7:14 pm

The rule is nearly identical. iptables should take the network notation you noted:

iptables -A OUTPUT -p tcp -s 202.54.1.20 –sport 1024:65535 -d 192.168.0.0/24 –dport 636 -m state –state NEW,ESTABLISHED -j ACCEPT

You did say an outgoing request right? If you meant the opposite, switch the “-d” argument with the “-s” argument. As a side note, both “-d” and “-s” can be noted in long form with “–destination” or “–source”, respectively, making your rule more readable.

Also, the “-A” parameter “appends” a rule to an existing chain. Be careful you are not appending one rule that does something different from the rule you really want. You could end up with unintended “holes” in your firewall.

% sudo /sbin/iptables -L

Will tell you what is currently loaded in your iptables chain.

Reply

3 Anonymous August 8, 2005 at 5:48 pm

Thanks for explaining iptables rules. I’m new to Linux and Iptables.

Reply

4 Raul Dusa September 15, 2010 at 4:02 pm

I would like to add an easier rule with no LDAP server IP defined
/sbin/iptables -A OUTPUT -p udp –sport 1024:65535 –dport 389 -m state –state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp –sport 1024:65535 –dport 389 -m state –state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -p udp –sport 1024:65535 –dport 636 -m state –state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp –sport 1024:65535 –dport 636 -m state –state NEW,ESTABLISHED -j ACCEPT

With the LDAP server IP where 10.101.1.100 is my LDAP server

/sbin/iptables -A OUTPUT -p udp -d 10.101.1.100 –sport 1024:65535 –dport 389 -m state –state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp -d 10.101.1.100 –sport 1024:65535 –dport 389 -m state –state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -p udp -d 10.101.1.100 –sport 1024:65535 –dport 636 -m state –state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp -d 10.101.1.100 –sport 1024:65535 –dport 636 -m state –state NEW,ESTABLISHED -j ACCEPT

Reply

Leave a Comment

Previous post:

Next post: