Linux iptables: allow outgoing LDAPS client requests through the firewall

Allow outgoing LDAPS (TCP port 636) client requests from the firewall host 202.54.1.20 to any LDAP server:

iptables -A OUTPUT -p tcp -s 202.54.1.20 --sport 1024:65535 -d 0/0 --dport 636 -m state --state NEW,ESTABLISHED -j ACCEPT

Allow the replies from the LDAPS server back in. Only packets that belong to a connection the host already opened are accepted (state ESTABLISHED, not NEW), so this rule cannot be used to initiate a connection to the firewall host:

iptables -A INPUT -p tcp -s 0/0 --sport 636 -d 202.54.1.20 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

Here 0/0 is shorthand for 0.0.0.0/0 (any address). Replace it with the address of your LDAP server so the host can only send directory traffic where it is supposed to go.
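The same allow list as an added example (not code from the original post), written in iptables-restore format so it loads atomically, restricted to one LDAP server instead of 0/0, and using the conntrack match, which is the successor of the state match in the rules above. The firewall address 202.54.1.20 is the one from the post; the LDAP server address 10.101.1.100 is an assumption for illustration.

```shell
#!/bin/sh
# Added example: generate a minimal LDAPS-client rule set for iptables-restore.
# FW_HOST is the post's firewall host; LDAP_SERVER (10.101.1.100) is an assumed address.
FW_HOST="${FW_HOST:-202.54.1.20}"
LDAP_SERVER="${LDAP_SERVER:-10.101.1.100}"

# Emit filter-table rules for iptables-restore. Lines starting with '#' are
# ignored by iptables-restore. The destination is pinned to one server so a
# compromised host cannot reach arbitrary hosts on 636, and only the OUTPUT
# side may open (NEW) connections; the INPUT side accepts replies only.
ldaps_client_rules() {
    fw="$1"; srv="$2"
    cat <<EOF
*filter
# LDAPS (TCP/636) client: new and established connections out
-A OUTPUT -p tcp -s $fw -d $srv --sport 1024:65535 --dport 636 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
# Replies only: nothing the server initiates is accepted here
-A INPUT -p tcp -s $srv -d $fw --sport 636 --dport 1024:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Number of generated rules appended to a given chain (sanity check helper).
count_rules() {
    ldaps_client_rules "$1" "$2" | grep -c "^-A $3 "
}

# Load into the running kernel (needs root). -n/--noflush appends to the
# existing chains instead of replacing the whole table; the default policies
# and any rules already present are left alone.
apply_rules() {
    ldaps_client_rules "$FW_HOST" "$LDAP_SERVER" | iptables-restore -n
}

# Show what would be loaded.
ldaps_client_rules "$FW_HOST" "$LDAP_SERVER"
```

Run `ldaps_client_rules "$FW_HOST" "$LDAP_SERVER" | iptables-restore --test` first to parse the rule set without committing it, then `apply_rules`. With conntrack doing the work, the `--sport 1024:65535` range adds little; it is kept only to match the post's rules.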


4 comments
  • Anonymous Aug 4, 2005 @ 12:48

    Can I restrict LDAPS outgoing client request to subnet 192.168.0.0/24? If so please let me know the rule

    Thanks

  • Timothy Stone Aug 7, 2005 @ 19:14

    The rule is nearly identical. iptables should take the network notation you noted:

    iptables -A OUTPUT -p tcp -s 202.54.1.20 --sport 1024:65535 -d 192.168.0.0/24 --dport 636 -m state --state NEW,ESTABLISHED -j ACCEPT

    You did say an outgoing request right? If you meant the opposite, switch the “-d” argument with the “-s” argument. As a side note, both “-d” and “-s” can be noted in long form with “--destination” or “--source”, respectively, making your rule more readable.

    Also, the “-A” parameter “appends” a rule to an existing chain. Be careful you are not appending one rule that does something different from the rule you really want. You could end up with unintended “holes” in your firewall.

    % sudo /sbin/iptables -L

    Will tell you what is currently loaded in your iptables chain.
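The check Timothy describes, as an added example that is not part of the original post or his comment: `-A` puts the LDAPS ACCEPT at the end of the chain, so if an earlier DROP or REJECT rule already matches that traffic the new rule never fires. The script below reads `iptables -S OUTPUT` style output and reports the number of the first earlier blocking rule that could swallow LDAPS egress. The two listings are constructed sample data, not captured from a real host.

```shell
#!/bin/sh
# Added example: detect an earlier DROP/REJECT rule that shadows the
# LDAPS ACCEPT appended with -A. Input is `iptables -S <chain>` output.

# Prints the number (position in the chain) of the first DROP/REJECT rule
# that precedes the ACCEPT for the given port and is broad enough to match
# its traffic. Exit 0 if such a rule exists, 1 otherwise.
shadowing_rule() {
    awk -v port="$1" '
        /^-A / { n++ }
        # Blocking rule with no port, no destination and no non-TCP protocol
        # restriction: it would match LDAPS egress before a later ACCEPT does.
        /^-A / && / -j (DROP|REJECT)/ && !/ --dport / && !/ -d / && (!/ -p / || / -p tcp /) {
            if (!blocker) blocker = n
        }
        /^-A / && / -j ACCEPT/ && $0 ~ (" --dport " port "( |$)") {
            if (blocker) { print blocker; found = 1 }
            exit
        }
        END { if (found) exit 0; exit 1 }
    '
}

# Constructed sample: the LDAPS rule was appended after a catch-all REJECT.
bad_listing() {
    cat <<'EOF'
-P OUTPUT DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -s 202.54.1.20/32 -p tcp -m tcp --sport 1024:65535 --dport 636 -m state --state NEW,ESTABLISHED -j ACCEPT
EOF
}

# Constructed sample: same chain after inserting the LDAPS rule above the REJECT.
good_listing() {
    cat <<'EOF'
-P OUTPUT DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -s 202.54.1.20/32 -p tcp -m tcp --sport 1024:65535 --dport 636 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
EOF
}

# On a live host (as root): iptables -S OUTPUT | shadowing_rule 636
if n=$(bad_listing | shadowing_rule 636); then
    echo "LDAPS ACCEPT is shadowed by OUTPUT rule $n; insert it there with: iptables -I OUTPUT $n <rule>"
fi
```

The reported number is exactly the position to hand to `iptables -I OUTPUT <num> ...`, which inserts the ACCEPT in front of the blocking rule instead of behind it.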

  • Anonymous Aug 8, 2005 @ 17:48

    Thanks for explaining iptables rules. I’m new to Linux and Iptables.

  • Raul Dusa Sep 15, 2010 @ 16:02

    I would like to add an easier rule with no LDAP server IP defined
    /sbin/iptables -A OUTPUT -p udp --sport 1024:65535 --dport 389 -m state --state NEW,ESTABLISHED -j ACCEPT
    /sbin/iptables -A OUTPUT -p tcp --sport 1024:65535 --dport 389 -m state --state NEW,ESTABLISHED -j ACCEPT
    /sbin/iptables -A OUTPUT -p udp --sport 1024:65535 --dport 636 -m state --state NEW,ESTABLISHED -j ACCEPT
    /sbin/iptables -A OUTPUT -p tcp --sport 1024:65535 --dport 636 -m state --state NEW,ESTABLISHED -j ACCEPT

    With the LDAP server IP where 10.101.1.100 is my LDAP server

    /sbin/iptables -A OUTPUT -p udp -d 10.101.1.100 --sport 1024:65535 --dport 389 -m state --state NEW,ESTABLISHED -j ACCEPT
    /sbin/iptables -A OUTPUT -p tcp -d 10.101.1.100 --sport 1024:65535 --dport 389 -m state --state NEW,ESTABLISHED -j ACCEPT
    /sbin/iptables -A OUTPUT -p udp -d 10.101.1.100 --sport 1024:65535 --dport 636 -m state --state NEW,ESTABLISHED -j ACCEPT
    /sbin/iptables -A OUTPUT -p tcp -d 10.101.1.100 --sport 1024:65535 --dport 636 -m state --state NEW,ESTABLISHED -j ACCEPT
