[EMAIL PROTECTED] wrote:
We have a server running in a DMZ servicing intranet and extranet. In the past we have blocked all traffic originating on the server from the two internal networks we run (eth1 and eth2) but have accepted traffic coming from the networks outside of the server. Eth0 is the direct connection to the internet and a solid state firewall looks after port redirection to eth0. No traffic is blocked on eth0 so that we can apply patches and updates to the server (Mandriva 2007). The tables below have done the job. We now need to allow access to port 389 (Active Directory) only, from the DMZ server to an AD server on eth2. I am no good at this and was wondering if someone could suggest the change/changes to the rules below to allow this to happen.

        |-------|
eth2-->-|       |---eth0 <--> Internet
eth1-->-|       |
        |-------|

iptables -A INPUT -m state --state NEW -i eth2 -j ACCEPT
iptables -A INPUT -m state --state NEW -i eth1 -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth2 -j ACCEPT
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth2 -j DROP
iptables -A OUTPUT -o eth1 -j DROP
This was not the question but it seems to me that the first 2 rules and rules 4 and 5 are duplicates in that rules 4 and 5 would accept anything the first 2 do. Rules 4 and 5 basically allow any packet coming in on eth1 and eth2 regardless of source/port/protocol/state.
I am making a lot of assumptions about the rest of the rules and default policies and other things but something like
iptables -A OUTPUT -o eth2 -d ip.address.of.adserver -p !icmp --dport ldap -j ACCEPT
placed before the second last line above (the "...-o eth2 -j DROP" line) should do it. In plain English this says
Allow any packet going out on interface eth2 whose destination (-d) is ip.address.of.adserver and whose protocol (-p) is not icmp (!icmp) and whose destination port (--dport) is that of the ldap entry in /etc/services.
To be safe you could put 389 instead of ldap after --dport. There may be other ports you need to let through, such as 135 (MS-RPC), depending on your purpose/configuration. I also know very little about AD.
Fil

-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
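A worked version of the change discussed in this thread, added here as an example and not part of the original posts. It shows the rule set in iptables-restore form with the LDAP ACCEPT placed ahead of the "-o eth2 -j DROP" line, a check that the ACCEPT is not shadowed by the DROP, and a way to compute the right position for "iptables -I OUTPUT <n>" on a running table. One correction to the rule quoted above: "--dport" is a TCP/UDP match option and needs "-p tcp" (or "-p udp"), so "-p !icmp --dport 389" is rejected by iptables. The address 10.0.2.10 is an assumed placeholder for the AD server, and the chain policies are assumed (the thread never shows them); the interface names eth1/eth2 and the "-m state" matches are the poster's.

```shell
#!/bin/sh
# Added example, not from the original thread. Opens LDAP (TCP 389) from the
# DMZ host to one AD server on eth2 without loosening anything else.
# 10.0.2.10 is an assumed placeholder for the AD server; INPUT/OUTPUT policies
# of ACCEPT are assumed since the thread does not show them.

# 1. Whole ruleset in iptables-restore format. The new ACCEPT sits before the
#    catch-all "-o eth2 -j DROP" so the DROP cannot shadow it.
gen_rules() {
    ad="$1"
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# inbound from the two internal networks, as in the original set
# (the two "--state NEW" rules are omitted: the per-interface ACCEPTs
# below already match every packet they would)
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth2 -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
# replies to connections the inside opened
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# the one new hole: NEW connections to LDAP on the AD server only.
# --dport requires an explicit L4 protocol, hence -p tcp rather than -p !icmp
-A OUTPUT -o eth2 -d $ad -p tcp --dport 389 -m state --state NEW -j ACCEPT
# everything else from this host toward the inside stays blocked
-A OUTPUT -o eth2 -j DROP
-A OUTPUT -o eth1 -j DROP
COMMIT
EOF
}

# Guard against the classic mistake of appending the ACCEPT after the DROP.
# Reads a ruleset on stdin; exits 0 only if the LDAP ACCEPT precedes the
# eth2 DROP in the OUTPUT chain.
check_order() {
    awk '
        /^-A OUTPUT .*--dport 389 .*-j ACCEPT/ && !acc  { acc = NR }
        /^-A OUTPUT -o eth2 -j DROP/            && !drop { drop = NR }
        END { exit !(acc && drop && acc < drop) }
    '
}

# 2. Live edit of a running table. "iptables -S OUTPUT" prints one
#    "-P OUTPUT <policy>" line followed by one "-A OUTPUT ..." line per rule,
#    so the rule number of the eth2 DROP is its 1-based index among the -A
#    lines. Reads that listing on stdin and prints the number.
drop_position() {
    awk '
        /^-A OUTPUT / { n++ }
        /^-A OUTPUT -o eth2 -j DROP$/ { print n; found = 1; exit }
        END { if (!found) exit 1 }
    '
}

# Insert the LDAP rule directly in front of the eth2 DROP (needs root).
add_ldap_rule_live() {
    ad="$1"
    n=$(iptables -S OUTPUT | drop_position) ||
        { echo "no '-o eth2 -j DROP' rule in OUTPUT" >&2; return 1; }
    iptables -I OUTPUT "$n" -o eth2 -d "$ad" -p tcp --dport 389 \
        -m state --state NEW -j ACCEPT
}

# Usage (as root):
#   gen_rules 10.0.2.10 | check_order && gen_rules 10.0.2.10 | iptables-restore
# or, to patch the running table instead of replacing it:
#   add_ldap_rule_live 10.0.2.10
```

The restore-file route is the one to keep in version control; the live insert is for the quick fix on the box. Either way, confirm afterwards with `iptables -nvL OUTPUT --line-numbers` that the ACCEPT has a lower number than the eth2 DROP, and remember that the reply packets from the AD server come back on eth2 and are already covered by the existing INPUT rules. If the AD integration later needs the DC-locator or RPC traffic Fil mentions, each extra port gets its own narrowly scoped rule above the DROP rather than a wider hole.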
