solaris ldap client problem with iptables
I have an OpenLDAP server which I am trying to secure using an iptables firewall. I have allowed incoming TCP and UDP packets to 389 and 686 (I think), and Linux clients can authenticate with the firewall enabled.
My Solaris clients (using the Solaris LDAP client) cannot authenticate with the firewall enabled. Any idea what additional rules I need to define to enable both the Linux and Solaris LDAP clients to work?
By miedwarda at 2007-11-26 14:44:15

# 3
After some poking around I got the firewall to log the dropped packets and got a workaround.
The Solaris LDAP client was sending TCP packets to port 636 from really high port numbers in a way that is different from Linux. I found this rule which allowed both the Solaris and Linux clients to work at the same time.
$IPTABLES -A INPUT -i $EXT_IFACE -p tcp -s 0/0 --sport 1024:65535 --dport 636 -m state --state NEW,ESTABLISHED -j ACCEPT
(from http://www.cyberciti.biz/tips/linux-iptables-allow-ldaps-server-incoming-client-request.html)
The syntax on the linked page is slightly wrong (old version perhaps), but the idea seems correct. What I still don't understand is why the rule I was using before (which is similar) does not work...
#Allow all Established and Related connections ("stateful" firewall)
$IPTABLES -A INPUT -i $EXT_IFACE -d $EXT_IP \
-m state --state ESTABLISHED,RELATED -j ACCEPT
#This rule allows the linux boxes to connect but not the Sun boxes
#I would think this rule along with the stateful ACCEPT above would
# be equivalent to the line that works
$IPTABLES -A INPUT -i $EXT_IFACE -p tcp -m tcp --sport 1024:65535 --dport 686 -j ACCEPT
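The post reasons about how the stateful ACCEPT and a per-port ACCEPT combine, so it is worth seeing that evaluation carried out. Note that the two rules quoted differ in more than the state match: the working one opens --dport 636, the earlier one --dport 686, and the logged Solaris traffic went to 636. The model below is an added example and not code from the post or from the cyberciti page: it implements first-match chain evaluation with a minimal conntrack table (NEW/ESTABLISHED only; RELATED is not modelled) and runs both rule sets against constructed client packets. The server address 10.0.0.1, the client addresses and source ports, and the assumption that a separate rule opened port 389 (the post mentions 389 but does not show that rule) are all made up for illustration.

```python
"""Toy model of iptables INPUT-chain evaluation with connection tracking.

Constructed example, not code from the original post: it models first-match
rule evaluation plus a minimal conntrack table so the two rule sets from the
thread can be compared against LDAP (389) and LDAPS (636) client traffic.
Addresses and ports below are made up for illustration.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    target: str                                # ACCEPT or DROP
    proto: Optional[str] = None                # -p tcp
    sport: Optional[Tuple[int, int]] = None    # --sport lo:hi (inclusive)
    dport: Optional[Tuple[int, int]] = None    # --dport lo:hi (inclusive)
    states: Optional[FrozenSet[str]] = None    # -m state --state ...


class Conntrack:
    """Remembers accepted flows so later packets of them classify as ESTABLISHED."""

    def __init__(self) -> None:
        self._flows = set()

    @staticmethod
    def _key(pkt: Packet):
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def _reverse(pkt: Packet):
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def state(self, pkt: Packet) -> str:
        if self._key(pkt) in self._flows or self._reverse(pkt) in self._flows:
            return "ESTABLISHED"
        return "NEW"   # RELATED (FTP data, ICMP errors, ...) is not modelled here

    def confirm(self, pkt: Packet) -> None:
        # Netfilter only confirms a conntrack entry once the packet survives the chain,
        # so a dropped SYN leaves no flow behind.
        self._flows.add(self._key(pkt))


def evaluate(chain: List[Rule], ct: Conntrack, pkt: Packet, policy: str = "DROP") -> str:
    """First matching rule wins; the chain policy applies when nothing matches."""
    state = ct.state(pkt)
    verdict = policy
    for rule in chain:
        if rule.proto is not None and rule.proto != pkt.proto:
            continue
        if rule.sport is not None and not (rule.sport[0] <= pkt.sport <= rule.sport[1]):
            continue
        if rule.dport is not None and not (rule.dport[0] <= pkt.dport <= rule.dport[1]):
            continue
        if rule.states is not None and state not in rule.states:
            continue
        verdict = rule.target
        break
    if verdict == "ACCEPT":
        ct.confirm(pkt)
    return verdict


def client_session(chain: List[Rule], src: str, sport: int, dport: int) -> List[str]:
    """Verdicts for a client's SYN and for the first data packet that follows it."""
    ct = Conntrack()
    syn = Packet("tcp", src, sport, "10.0.0.1", dport)
    data = Packet("tcp", src, sport, "10.0.0.1", dport)   # same 5-tuple, now mid-connection
    return [evaluate(chain, ct, syn), evaluate(chain, ct, data)]


STATEFUL = Rule("ACCEPT", states=frozenset({"ESTABLISHED", "RELATED"}))
# Assumed: the post says 389 was opened too but does not show that rule.
LDAP_389 = Rule("ACCEPT", proto="tcp", dport=(389, 389))

# Rule set as posted (lets the Linux boxes in but not the Sun boxes).
OLD_CHAIN = [STATEFUL, LDAP_389,
             Rule("ACCEPT", proto="tcp", sport=(1024, 65535), dport=(686, 686))]
# Rule set with the line from cyberciti that the poster reports working.
NEW_CHAIN = [STATEFUL, LDAP_389,
             Rule("ACCEPT", proto="tcp", sport=(1024, 65535), dport=(636, 636),
                  states=frozenset({"NEW", "ESTABLISHED"}))]


if __name__ == "__main__":
    print("linux   ldap/389  old:", client_session(OLD_CHAIN, "10.0.0.20", 33000, 389))
    print("solaris ldaps/636 old:", client_session(OLD_CHAIN, "10.0.0.30", 62000, 636))
    print("solaris ldaps/636 new:", client_session(NEW_CHAIN, "10.0.0.30", 62000, 636))
```

Two things the model makes visible. First, the stateful ACCEPT never admits a client's first packet: a SYN is always NEW, so a connection to 636 only succeeds if some later rule matches dport 636, and the quoted non-working rule only matches 686. Second, the --sport 1024:65535 match is not a security control (a client picks its own source port) and only serves to reject clients that bind a privileged source port; a rule of the form -p tcp --dport 636 -m state --state NEW -j ACCEPT, placed after the ESTABLISHED,RELATED rule, is the usual shape. When a rule set misbehaves, logging dropped packets as the poster did, or watching the per-rule counters from iptables -L INPUT -n -v --line-numbers, shows which rule the traffic is actually hitting.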