Using iptables to redirect LDAP ports

Running directory servers on the standard ports 389 (LDAP) and 636 (LDAPS) has gone out of fashion. Everyone and his brother recommends using a couple of non-standard ports as “more secure”. Right.

Even if you can resist the sirens’ song of security “experts” peddling the same old security-through-obscurity methods, the ports issue will raise its ugly head if you’re running server software that can only bind to these under-1000 ports as root — as is the case with OpenDJ.

If you’re on Linux, you can use the REDIRECT method available via the iptables command to modify a host’s packet filtering rules so that connections to ports 389 and 636 are routed to ports above 1000.

The official doc for Red Hat’s implementation of iptables in the latest version of Red Hat Enterprise Linux can be found here.

Take this scenario:

An OpenDJ directory server is configured to listen on port 1389 for LDAP, and 1636 for LDAPS so that it can be run as an opendj system user. But you want to have outsiders connect to it over ports 389 and 636.

Note that the official doc does not cover this particular solution, but it is important to understand the concepts there before proceeding.

To solve this you need to add 6 lines to /etc/sysconfig/iptables. This can be done manually (not recommended by Red Hat) or using the iptables command with a final dump using iptables-save.

The iptables commands required are as follows:

iptables -t nat -I PREROUTING -p tcp --dport 389 -j REDIRECT --to-ports 1389
iptables -t nat -I PREROUTING -p tcp --dport 636 -j REDIRECT --to-ports 1636
iptables -I INPUT -p tcp -m tcp --dport 389 -j ACCEPT
iptables -I INPUT -p tcp -m tcp --dport 1389 -j ACCEPT
iptables -I INPUT -p tcp -m tcp --dport 636 -j ACCEPT
iptables -I INPUT -p tcp -m tcp --dport 1636 -j ACCEPT

Regarding syntax: just take “-I” to mean “insert at top”, while “-A” means “append to end”, and things should work out as intended. Most tools (including the GUI firewall app that ships with RHEL) put their main exclusion rules at the bottom of the table, so you’ll want to use the “-I” switch when adding your exception rules, otherwise they land below the catch-all REJECT and are never reached. Some manual adjustment may be needed later for either clarity or to tune the behavior of the firewall.

Here’s a copy of the iptables file from my home workstation. The lines that need to be added are the two PREROUTING lines in the “nat” section and the four INPUT ACCEPT lines for ports 389, 1389, 636 and 1636 in the “filter” section. Note that you’ll need to restart iptables (“service iptables restart”) after editing the file.

DO NOT SIMPLY OVERWRITE YOUR OWN IPTABLES FILE WITH THIS TEXT. It will probably not work. You have been warned.

# Generated by iptables-save v1.4.14 on Wed Feb 27 01:31:22 2013
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 389 -j REDIRECT --to-ports 1389
-A PREROUTING -p tcp -m tcp --dport 636 -j REDIRECT --to-ports 1636
COMMIT
#
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 389 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1389 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 636 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1636 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Wed Feb 27 01:31:22 2013

Some observations that may save others grief:

(1) Be sure to open up both the standard port (e.g. port 636) and the real listening port (e.g. 1636) on the firewall.

(2) Put the PREROUTING statement in the “nat” section, before the ACCEPT statements under “filter”. The order in which these commands load IS significant (beware the output of “iptables-save”, it does not always preserve the correct order).

(3) Finally, anticipate subtle differences in syntax between versions of iptables. Always check your configuration against the doc for the version (and distribution) you are running.
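To make the three observations above checkable rather than a matter of eyeballing, here is a small POSIX shell script that generates the six commands for any list of standard:listening port pairs and then audits an iptables-save dump for the corresponding rules: the nat REDIRECT, the filter ACCEPT for both ports, and the placement of each ACCEPT above the catch-all REJECT (the “-I” versus “-A” mistake). This is an added example, not code from the original post or from OpenDJ; the function names (ldap_redirect_rules, has_rule, accept_before_reject, check_dump) are mine, and both sample dumps are constructed here from the layout shown in the post.

```shell
#!/bin/sh
# Added example, not code from the original post. It audits an iptables-save dump
# for the LDAP redirect rules discussed above. The port pairs and both sample
# dumps are constructed; the function names are assumptions made for this example.

# Print the six iptables commands for one or more "standard:listening" TCP port pairs.
ldap_redirect_rules() {
    for pair in "$@"; do
        std=${pair%%:*}; high=${pair##*:}
        echo "iptables -t nat -I PREROUTING -p tcp --dport $std -j REDIRECT --to-ports $high"
        echo "iptables -I INPUT -p tcp -m tcp --dport $std -j ACCEPT"
        echo "iptables -I INPUT -p tcp -m tcp --dport $high -j ACCEPT"
    done
}

# Does dump $1 contain, inside table $2 ("*nat" or "*filter"), a line matching regex $3?
has_rule() {
    printf '%s\n' "$1" | awk -v table="$2" -v re="$3" '
        /^\*/                   { cur = $1 }
        cur == table && $0 ~ re { found = 1 }
        END                     { exit !found }'
}

# Is the INPUT ACCEPT for port $2 placed above the catch-all INPUT REJECT in dump $1?
# A rule appended (-A) below the REJECT is never reached; it must be inserted (-I) above.
accept_before_reject() {
    printf '%s\n' "$1" | awk -v port="$2" '
        /^\*/ { cur = $1 }
        cur == "*filter" && /^-A INPUT / && $0 ~ ("--dport " port " -j ACCEPT$") && !acc { acc = NR }
        cur == "*filter" && /^-A INPUT -j REJECT/ && !rej { rej = NR }
        END { exit !(acc && (!rej || acc < rej)) }'
}

# check_dump DUMP std:high [std:high ...]: print every missing or misplaced rule,
# return 0 only when the dump is complete for all pairs.
check_dump() {
    dump=$1; shift
    rc=0
    for pair in "$@"; do
        std=${pair%%:*}; high=${pair##*:}
        has_rule "$dump" '*nat' "^-A PREROUTING .*--dport $std -j REDIRECT --to-ports $high\$" \
            || { echo "missing nat REDIRECT $std -> $high"; rc=1; }
        for p in "$std" "$high"; do
            if ! has_rule "$dump" '*filter' "^-A INPUT .*--dport $p -j ACCEPT\$"; then
                echo "missing filter ACCEPT for port $p"; rc=1
            elif ! accept_before_reject "$dump" "$p"; then
                echo "ACCEPT for port $p sits below the catch-all REJECT"; rc=1
            fi
        done
    done
    return $rc
}

# Constructed sample: the layout from the post, with the added lines in the right places.
GOOD_DUMP=$(cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 389 -j REDIRECT --to-ports 1389
-A PREROUTING -p tcp -m tcp --dport 636 -j REDIRECT --to-ports 1636
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 389 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1389 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 636 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1636 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
)

# Constructed sample of the typical mistake: the 636 redirect is missing, and the
# ACCEPT rules were appended (-A) after the REJECT instead of inserted (-I) above it.
BAD_DUMP=$(cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 389 -j REDIRECT --to-ports 1389
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 389 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1389 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 636 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1636 -j ACCEPT
COMMIT
EOF
)

# Stand-alone demo; in practice feed it "$(iptables-save)" or the contents of the
# /etc/sysconfig/iptables file after editing.
if [ "${1:-}" = "--demo" ]; then
    ldap_redirect_rules 389:1389 636:1636
    check_dump "$GOOD_DUMP" 389:1389 636:1636 && echo "good dump: OK"
    check_dump "$BAD_DUMP" 389:1389 636:1636 || echo "bad dump: problems found"
fi
```

One caveat worth knowing when you test the result: PREROUTING only sees packets that arrive on a network interface, so an ldapsearch run on the directory host itself against 127.0.0.1:389 is not redirected (locally generated packets traverse the nat OUTPUT chain instead). Either test from another machine, point local clients at 1389/1636 directly, or add a matching REDIRECT rule in the nat OUTPUT chain for loopback traffic.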

Your security policy may call for you to restrict access to LDAPS only, or to only allow specific hosts access to the directory server. Enabling iptables will allow you to comply with those policies while still retaining control over access to the directory service — instead of ceding control to your network security team (see my previous article on Simple iptables syntax for hints on how to restrict access to specific hosts or subnets).


About phil

My name is Phil Lembo. In my day job I’m an enterprise IT architect for a leading distribution and services company. The rest of my time I try to maintain a semi-normal family life in the suburbs of Raleigh, NC. E-mail me at philipATlembobrothersDOTcom. The opinions expressed here are entirely my own and not those of my employers, past, present or future (except where I quote others, who will need to accept responsibility for their own rants).