20090502 fun with iptables - plembo/onemoretech GitHub Wiki

title: fun with iptables
link: https://onemoretech.wordpress.com/2009/05/02/fun-with-iptables/
author: lembobro
description:
post_id: 328
created: 2009/05/02 13:49:22
created_gmt: 2009/05/02 13:49:22
comment_status: open
post_name: fun-with-iptables
status: publish
post_type: post

fun with iptables

One of the shortcomings of Apache DS that I’ve discovered is it can’t run on port 389 (LDAP) or 636 (LDAPS) as anything other than the system root user. The developers claim this is because there’s no mechanism in Java that allows them to switch user privileges once the service has started. That’s an assertion which requires some research.

Anyone who is reading this will already know 2 basic facts of Unix administration: (a) Ports 1024 and below are privileged and can only be opened by a daemon running as root; and (b) running a service daemon like an LDAP server as root is a security no-no. The way we normally get around this is to first fire up a daemon as root and then switch to a less-privileged user from that point forward. The Apache DS developers say they can’t make their software work that way.

Huge problem. Ports 389 and 636 are called “well-known” ports for a reason. Putting aside all the claptrap you’ll hear from supposed “experts” that LDAP services should be run on nonstandard ports (which is the kind of “security through obscurity” nonsense that has time and time again led to utter disaster), there are real benefits to following, er… standards. In my experience, lack of standardization is the number one cause not only of system failure, but also of failure to recover quickly and efficiently from such failure.

The only solution proposed on the lists that made any sense from a security standpoint was one to fire up **iptables** and use NAT to redirect incoming requests for the LDAP and LDAPS ports (usually 389 and 636 respectively) to the ports Apache DS is listening on (by default 10389 and 10636). Being pretty deep in at this point, I decided to give it a try, and learned a lot about how the system firewall works on Ubuntu in the process.

First, the basics. Ubuntu comes with a command-line front end to iptables out of the box, called ufw. The link is to the latest Ubuntu manpage for the software. There’s also a pretty good section on this in the latest Ubuntu Server Guide. All commands described here must be performed as root, or a user with admin rights under sudo.

To begin you need to enable iptables, if not already engaged (on initial install I always opt out of turning on the firewall). Do this by issuing the following command:

ufw enable

Unless you really want to restrict access to your host by a “personal” firewall, you can keep things wide open with the command:

ufw default allow

While it’s a good way to actually turn on iptables and store some basic rules for persistent use, ufw is a blunt instrument for more advanced firewall work. To add the rules needed to redirect clients from port 389 to 10389, you’ll need to use the iptables command.

iptables -t nat -A PREROUTING -p tcp -d 10.1.20.101 --dport 389 -j REDIRECT --to-port 10389

Note that rather than an IP address or hostname, you might find it preferable to specify an interface (e.g. -i eth0) in the above command.

For LDAPS substitute ports 636 and 10636 above.

In order to be able to check things from the server itself you can add rules that allow addressing things to localhost from there:

iptables -A OUTPUT -t nat -p tcp -d 127.0.0.1 --dport 389 -j REDIRECT --to-port 10389

To remove rules from iptables you need to run iptables with the “-D” switch. The safest procedure is first to get the line numbers for the rules you need to remove. For example:

iptables -L -t nat --line-numbers

For the rules previously set up above, you should see something like:

me@test:~$ sudo iptables -L -t nat --line-numbers
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    REDIRECT   tcp  --  anywhere             test.example.com     tcp dpt:ldap redir ports 10389
2    REDIRECT   tcp  --  anywhere             test.example.com     tcp dpt:ldaps redir ports 10636

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
1    REDIRECT   tcp  --  anywhere             localhost            tcp dpt:ldap redir ports 10389
2    REDIRECT   tcp  --  anywhere             localhost            tcp dpt:ldaps redir ports 10636

Then run the command to delete by chain (either PREROUTING, POSTROUTING or OUTPUT) and rule number. For example:

iptables -t nat -D PREROUTING 2

Keep in mind that if you were to start by deleting rule #1, the rule just below it becomes rule #1. A good practice is to relist things after each delete to avoid confusion (and deleting something you want to keep!).
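Putting the steps above together, as an added example that is not from the original post: a small POSIX shell script that adds the LDAP and LDAPS REDIRECT rules only when they are missing (iptables -C), and removes them by parsing the --line-numbers listing and deleting from the highest number down, so the renumbering problem just described never bites. It assumes root, iptables on PATH and the 10.1.20.101 address used above; the listing embedded in it is a constructed sample for offline testing.

```shell
#!/bin/sh
# Added example, not from the original post: manages the nat-table REDIRECT
# rules described above. Assumes it runs as root with iptables on PATH;
# set DRY_RUN=1 to print the iptables commands instead of executing them.
IPTABLES=${IPTABLES:-iptables}
DRY_RUN=${DRY_RUN:-0}
LDAP_HOST=${LDAP_HOST:-10.1.20.101}   # address clients connect to (from the post)
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }
# Append a REDIRECT rule only if an identical one is not already present
# (-C checks for it), so re-running the script never stacks duplicate rules.
add_redirect() {  # chain dest from_port to_port
    if [ "$DRY_RUN" = 1 ] || ! "$IPTABLES" -t nat -C "$1" -p tcp -d "$2" \
            --dport "$3" -j REDIRECT --to-port "$4" 2>/dev/null; then
        run "$IPTABLES" -t nat -A "$1" -p tcp -d "$2" --dport "$3" -j REDIRECT --to-port "$4"
    fi
}
# Read `iptables -L -t nat --line-numbers` output on stdin and print the numbers
# of the REDIRECT rules in CHAIN (only those going to TO_PORT, if given), highest
# first: deleting in that order never renumbers a rule still waiting to be deleted.
rule_numbers() {  # chain [to_port]
    awk -v chain="$1" -v port="$2" '
        /^Chain / { cur = $2; next }
        cur == chain && $2 == "REDIRECT" && (port == "" || $NF == port) { print $1 }
    ' | sort -rn
}
# Delete the matching rules from one listing read on stdin; relist before each call.
delete_redirects() {  # chain [to_port]
    rule_numbers "$1" "$2" | while read -r n; do
        run "$IPTABLES" -t nat -D "$1" "$n"
    done
}
# Constructed listing, mirroring the one in the post, for offline testing.
SAMPLE_LISTING='Chain PREROUTING (policy ACCEPT)
num  target    prot opt source    destination
1    REDIRECT  tcp  --  anywhere  test.example.com  tcp dpt:ldap redir ports 10389
2    REDIRECT  tcp  --  anywhere  test.example.com  tcp dpt:ldaps redir ports 10636

Chain OUTPUT (policy ACCEPT)
num  target    prot opt source    destination
1    REDIRECT  tcp  --  anywhere  localhost         tcp dpt:ldap redir ports 10389
2    REDIRECT  tcp  --  anywhere  localhost         tcp dpt:ldaps redir ports 10636'
case "${1:-}" in   # usage: ldap-redirect.sh add | del
    add) for p in 389:10389 636:10636; do
             add_redirect PREROUTING "$LDAP_HOST" "${p%:*}" "${p#*:}"
             add_redirect OUTPUT 127.0.0.1 "${p%:*}" "${p#*:}"
         done ;;
    del) for c in PREROUTING OUTPUT; do for p in 10389 10636; do
             "$IPTABLES" -L -t nat --line-numbers | delete_redirects "$c" "$p"; done; done ;;
esac
```

Rules added with the iptables command this way live only in the running kernel and are not saved by ufw, so after a reboot the add step has to be run again from a boot script.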

Copyright 2004-2019 Phil Lembo