Configuring iptables (Opening LDAP Ports)
Some Linux distributions ship with a host firewall managed through iptables. The default iptables rules are often restrictive and will block LDAP/LDAPS traffic on the default ports, TCP 389 (LDAP) and TCP 636 (LDAPS). Note that port 389 carries cleartext LDAP unless the client negotiates STARTTLS; if only LDAPS clients need to reach the server, open 636 alone, and consider limiting the rules to the client networks with a source match (-s). The following is an example of how to update iptables to allow LDAP/LDAPS traffic:
Note for Red Hat users: on RHEL/CentOS the persistent iptables configuration is stored in /etc/sysconfig/iptables. Update that file (or run "service iptables save" after loading the new rules), otherwise the change is lost on the next reboot or firewall restart.
Export the current iptables rules and create a backup of the rules:
sudo iptables-save > iptables.rules
cp iptables.rules iptables.rules.bak
Open the iptables.rules file in a text editor and add the following lines to the INPUT chain. Place them before the catch-all "-A INPUT -j REJECT" line: iptables evaluates a chain from top to bottom, so an ACCEPT rule added after the REJECT is never reached.
#-------------- Start OpenLDAP config------------>
-A INPUT -p tcp -m tcp --dport 389 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 636 -j ACCEPT
#-------------- End OpenLDAP config--------------<
The resulting file should look something like this:
# Generated by iptables-save v1.4.7 on Fri Nov 27 04:54:38 2015
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [192:19802]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
#-------------- Start OpenLDAP config------------>
-A INPUT -p tcp -m tcp --dport 389 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 636 -j ACCEPT
#-------------- End OpenLDAP config--------------<
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Fri Nov 27 04:54:38 2015
Apply the new iptables rules to the server:
sudo iptables-restore < iptables.rules
Test client access to the LDAP server from a client host using a utility such as ldapwhoami or ldapsearch, and confirm the rules are live on the server with "sudo iptables -L INPUT -n" (the output should list dpt:389 and dpt:636 ACCEPT entries above the REJECT entry). If there are any issues with the new rules, restore the original rules using the following:
sudo iptables-restore < iptables.rules.bak