Hello everyone,
I've looked up old threads and tried to find some applicable solution but I'm
kind of stuck so any advice would be appreciated.
I'm trying to deploy a new FreeIPA installation, currently running on CentOS 9
Stream. I'm using iptables for the firewall and I have allowed only certain IPs and
ports. My idea was to block ports 80 and 443 for the whole world and allow only
certain IPs via the httpd config file by adding "Require ip 1.1.1.1" (example
IP) inside the <Directory "/var/www"> and <Directory "/var/www/html"> blocks.
That worked and I'm able to access the main page from that IP while other IPs
are not loading at all; however, when I try to log in, the authentication
process is not going through.
Example log of a failure:
[remote 1.1.1.1:60676] ipa: INFO: 401 Unauthorized:
HTTPConnectionPool(host='test.com', port=80): Max retries exceeded with url:
/ipa/session/cookie (Caused by
NewConnectionError('<urllib3.connection.HTTPConnection object at
0x7ffb12100d60>: Failed to establish a new connection: [Errno 110] Connection
timed out'))
For iptables I have a script that inputs the rules, which looks like this:
/sbin/iptables -F                                     # flush all chains in the filter table
/sbin/iptables -A INPUT -s 127.0.0.0/24 -j ACCEPT     # loopback sources, all ports
/sbin/iptables -A INPUT -s 1.1.1.1 -j ACCEPT          # the allowed admin IP (example), all ports
/sbin/iptables -A INPUT -p tcp --dport 389 -j ACCEPT  # LDAP, from any source
/sbin/iptables -A INPUT -p udp --dport 389 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 636 -j ACCEPT  # LDAPS, from any source
/sbin/iptables -A INPUT -p tcp --dport 88 -j ACCEPT   # Kerberos, from any source
/sbin/iptables -A INPUT -p udp --dport 88 -j ACCEPT
/sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -j DROP                       # everything else, including 80/443 from other sources
/sbin/iptables-save                                   # print the resulting rule set
The question is: how do I keep ports 80 and 443 (web access in general)
restricted to certain IPs only, rather than the whole world, while still being
able to use all the functionality of the FreeIPA server, such as logging in and
working with the graphical UI?
*I have installed our own verified SSL certificate.
Also, regarding the ports: do I need to have 389, 636 and 88 open all the time,
and how secure are the services behind those ports?
Any input would be appreciated.
Thank you
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
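Added example, not from the original post or from the FreeIPA project: a POSIX shell script that generates (and, when run as root with the argument `apply`, applies) an iptables INPUT rule set along the lines the post asks for, restricting 80/443 to a list of admin addresses, keeping the server's connections to itself working, and limiting LDAP/Kerberos to an enrolled-client network rather than the whole world. All addresses (203.0.113.x, 198.51.100.5, 192.0.2.0/24) and the variable names ADMIN_IPS, SELF_IP and CLIENT_NET are assumptions; port 464 (kpasswd) goes beyond the ports named in the post. It assumes, as the quoted error (host='test.com', port=80, /ipa/session/cookie) suggests, that the IPA framework running under httpd connects back to the server's own hostname over HTTP; such a packet arrives on the lo interface but carries the server's public address as its source, so a rule matching only 127.0.0.0/24 does not cover it, and the same address also has to appear in httpd's `Require ip` list.

```shell
#!/bin/sh
# Added example, not from the original post. Generates an iptables INPUT rule
# set for a FreeIPA server where the web UI/API (80/443) is reachable only from
# listed admin addresses and from the server itself, while LDAP/Kerberos are
# limited to the enrolled-client network. All addresses are placeholders
# (assumptions); override them through the environment.

ADMIN_IPS="${ADMIN_IPS:-203.0.113.10 203.0.113.11}"  # workstations allowed to use the web UI
SELF_IP="${SELF_IP:-198.51.100.5}"                   # what the IPA server's own FQDN resolves to
CLIENT_NET="${CLIENT_NET:-192.0.2.0/24}"             # enrolled hosts that need LDAP/Kerberos
IPT="${IPT:-/sbin/iptables}"

# Emit one command per line instead of running it, so the rule set can be
# reviewed (and tested) without root.
build_rules() {
  printf '%s\n' \
    "$IPT -P INPUT ACCEPT" \
    "$IPT -F INPUT" \
    "$IPT -A INPUT -i lo -j ACCEPT" \
    "$IPT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT" \
    "$IPT -A INPUT -m conntrack --ctstate INVALID -j DROP"

  # The IPA framework under httpd connects back to its own FQDN (assumption
  # based on the error in the post). That packet arrives on lo but with SELF_IP
  # as its source, so a rule keyed on 127.0.0.0/24 alone does not match it;
  # "-i lo" above does. Listing SELF_IP here as well keeps the intent explicit,
  # and the same address belongs in httpd's "Require ip" list, which sees
  # SELF_IP as the client address.
  for ip in $SELF_IP $ADMIN_IPS; do
    printf '%s\n' "$IPT -A INPUT -p tcp -s $ip -m multiport --dports 80,443 -j ACCEPT"
  done

  # Kerberos (88), kpasswd (464), LDAP (389) and LDAPS (636) for enrolled
  # clients only; nothing else is opened to the world. Policy DROP goes last
  # so a half-built rule set never locks out the session applying it.
  printf '%s\n' \
    "$IPT -A INPUT -p tcp -s $CLIENT_NET -m multiport --dports 88,464,389,636 -j ACCEPT" \
    "$IPT -A INPUT -p udp -s $CLIENT_NET -m multiport --dports 88,464 -j ACCEPT" \
    "$IPT -P INPUT DROP"
}

# Checks on the generated set: how many web ACCEPT rules exist, and how many
# of them lack a source restriction (should be zero).
count_web_rules() {
  build_rules | grep -c -- '--dports 80,443'
}
count_unrestricted_web_rules() {
  build_rules | grep -- '--dports 80,443' | grep -vc -- ' -s ' || true
}

# Run the generated commands (needs root). Persist afterwards with
# "/sbin/iptables-save > /etc/sysconfig/iptables" (iptables-services package).
apply_rules() {
  build_rules | while IFS= read -r cmd; do
    $cmd || { echo "failed: $cmd" >&2; return 1; }
  done
}

case "${1:-}" in
  apply) apply_rules ;;
  *)     build_rules ;;   # default: print the rules for review
esac
```

Run it without arguments to review the rule set it would install; run it as `sh script.sh apply` on the server to install it. Whatever SELF_IP is set to must also be added to the `Require ip` line in the httpd config, since httpd, not iptables, is what decides whether the framework's own request is allowed through.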