Running directory servers on the standard ports 389 (LDAP) and 636 (LDAPS) has gone out of fashion. Everyone and his brother recommends using a couple of non-standard ports as “more secure”. Right.
Even if you can resist the sirens’ song of security “experts” pedalling the same old security-through-obscurity methods, the ports issue will raise its ugly head if you’re running server software that can only run on these under 1000 ports as root — as is the case with OpenDJ.
If you’re on Linux, you can use the REDIRECT method available via the iptables command to modify a host’s packet filtering rules so that connections to ports 389 and 636 are routed to ports above 1000.
The official doc for Red Hat’s implementation of iptables in the latest version of Red Hat Enterprise Linux can be found here.
Take this scenario:
An OpenDJ directory server is configured to listen on port 1389 for LDAP, and 1636 for LDAPS so that it can be run as an opendj system user. But you want to have outsiders connect to it over ports 389 and 636.
Note that the official doc does not cover this particular solution, but it is important to understand the concepts there before proceeding.
To solve this you need to add 6 lines to /etc/sysconfig/iptables. This can be done manually (not recommended by Red Hat) or using the iptables command with a final dump using iptables-save.
The iptables commands required are as follows:
iptables -t nat -I PREROUTING -p tcp --dport 389 -j REDIRECT --to-ports 1389 iptables -t nat -I PREROUTING -p tcp --dport 636 -j REDIRECT --to-ports 1636 iptables -I INPUT -p tcp -m tcp --dport 389 -j ACCEPT iptables -I INPUT -p tcp -m tcp --dport 1389 -j ACCEPT iptables -I INPUT -p tcp -m tcp --dport 636 -j ACCEPT iptables -I INPUT -p tcp -m tcp --dport 1636 -j ACCEPT
Regarding syntax: Just take “-I” to mean “Insert at top”, while “-A” means “Append to end” and things should work out as intended. Most (including the gui firewall app that ships with RHEL) put their main exclusion rules at the bottom of the table, so you’ll want to use the “-I” switch when adding your exception rules. Some manual adjustment may be needed later for either clarity or to tune the behavior of the firewall.
Here’s a copy of the iptables file from my home workstation. The lines that need to be added are highlighted. Note that you’ll need to restart iptables (“service iptables restart”) after editing the file.
DO NOT SIMPLY OVERWRITE YOUR OWN IPTABLES FILE WITH THIS TEXT. It will probably not work. You have been warned.
# Generated by iptables-save v1.4.14 on Wed Feb 27 01:31:22 2013 *nat :PREROUTING ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A PREROUTING -p tcp -m tcp --dport 389 -j REDIRECT --to-ports 1389 -A PREROUTING -p tcp -m tcp --dport 636 -j REDIRECT --to-ports 1636 COMMIT # *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -p icmp -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT -A INPUT -p tcp -m tcp --dport 389 -j ACCEPT -A INPUT -p tcp -m tcp --dport 1389 -j ACCEPT -A INPUT -p tcp -m tcp --dport 636 -j ACCEPT -A INPUT -p tcp -m tcp --dport 1636 -j ACCEPT -A INPUT -j REJECT --reject-with icmp-host-prohibited -A FORWARD -j REJECT --reject-with icmp-host-prohibited COMMIT # Completed on Wed Feb 27 01:31:22 2013
Some observations that may save others grief: (1) Be sure to open up both the standard port (e.g. port 636) and the real listening port (e.g. 1636) on the firewall; (2) Put the PREROUTING statement in the “nat” section, before the ACCEPT statements under “filter”. The order in which these commands load IS significant (beware the output of “iptables-save”, it does not always preserve the correct order); and (3) Finally, anticipate subtle differences in syntax between versions of iptables. Always check your configuration against the doc for the version (and distribution) you are running.
Your security policy may call for you to restrict access to LDAPS only, or to only allow specific hosts access to the directory server. Enabling iptables will allow you to comply with those policies while still retaining control over access to the directory service — instead of ceding control to your network security team (see my previous article on Simple iptables syntax for hints on how to restrict access to specific hosts or subnets).