Configuring iptables (Opening LDAP Ports)
Date: 11-04-2022
Some Linux distributions ship with a host firewall whose rules are managed with iptables. The default rule set is often restrictive and will block LDAP/LDAPS traffic on the standard ports, TCP 389 (LDAP, including StartTLS) and TCP 636 (LDAPS). The following is an example of how to update the iptables rules to allow LDAP/LDAPS traffic:
Note for Red Hat users: on RHEL/CentOS systems that use the iptables service, the persistent rule set is stored in /etc/sysconfig/iptables. Rules loaded with iptables-restore alone are lost at the next reboot or service restart, so also update that file (or run "service iptables save" after applying the rules); otherwise the change will not be kept.
Export the current iptables rules and create a backup of the rules:
sudo iptables-save > iptables.rules
cp iptables.rules iptables.rules.bak
Open the iptables.rules file in a text editor and add the following two rules to the INPUT chain. Place them above the final "-A INPUT -j REJECT ..." rule: iptables evaluates a chain top to bottom and stops at the first matching rule, so an ACCEPT appended after the catch-all REJECT is never reached. Port 389 carries cleartext LDAP unless clients use StartTLS; if only known clients need the directory, restrict the rules to their network with a source match such as "-s 10.0.0.0/8" (an illustrative range) rather than opening the ports to every source.
#-------------- Start OpenLDAP config------------>
-A INPUT -p tcp -m tcp --dport 389 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 636 -j ACCEPT
#-------------- End OpenLDAP config--------------<
The resulting file should look something like this:
# Generated by iptables-save v1.4.7 on Fri Nov 27 04:54:38 2015
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [192:19802]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
#-------------- Start OpenLDAP config------------>
-A INPUT -p tcp -m tcp --dport 389 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 636 -j ACCEPT
#-------------- End OpenLDAP config--------------<
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Fri Nov 27 04:54:38 2015
Apply the new iptables rules to the server. Note that iptables-restore replaces the entire running rule set with the contents of the file, which is why the file must contain the existing rules as well as the new ones:
sudo iptables-restore < iptables.rules
Test access from a client host (not from the LDAP server itself, since loopback traffic is accepted by the "-i lo" rule regardless of the new entries) using a utility such as ldapwhoami or ldapsearch. If there are any issues with the new rules, restore the original rules using the following:
sudo iptables-restore < iptables.rules.bak
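The steps above can be scripted so that the two ACCEPT rules always land ahead of the catch-all REJECT and are not duplicated on a second run. The following shell script is an added example and is not part of the original page; it patches a saved iptables-save dump as text and never touches the live rule set, so it can be tried without root. It assumes a *filter table whose INPUT chain ends in "-A INPUT -j REJECT ..." as in the page's example (if no such rule exists it places the rules at the end of the filter table); the function names, the 10.0.0.0/8 source range and the embedded sample dump are all constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original page: patch an iptables-save dump
# so the LDAP/LDAPS ACCEPT rules land before the INPUT chain catch-all REJECT,
# optionally limited to a source network, without touching the live rule set.
# Assumed layout (mine, matching the page's example): a *filter table whose
# INPUT chain ends in "-A INPUT -j REJECT ...". If no such REJECT exists
# (e.g. the chain policy is DROP), the rules go at the end of the filter table.
#
# Usage against a real server (the page's own save/restore workflow):
#   sudo iptables-save > iptables.rules
#   add_ldap_rules iptables.rules 10.0.0.0/8 > iptables.new   # CIDR is optional
#   sudo iptables-restore < iptables.new

# add_ldap_rules <dump-file> [source-cidr]   -> patched dump on stdout
add_ldap_rules() {
    dump="$1"
    src="${2:-}"
    if [ -n "$src" ]; then
        srcopt="-s $src "      # restrict both rules to this source network
    else
        srcopt=""
    fi
    awk -v srcopt="$srcopt" '
        /^\*/                       { table = substr($0, 2) }   # *filter, *nat, ...
        /--dport 389 -j ACCEPT/     { seen = 1 }                # already present
        /--dport 636 -j ACCEPT/     { seen = 1 }
        /^-A INPUT -j REJECT/       { hasreject = 1 }
        { lines[NR] = $0; tbl[NR] = table }
        END {
            for (i = 1; i <= NR; i++) {
                # Insert once, in the filter table only, ahead of the catch-all
                # REJECT (or ahead of COMMIT when there is no REJECT rule).
                if (!seen && tbl[i] == "filter" &&
                    (lines[i] ~ /^-A INPUT -j REJECT/ || (!hasreject && lines[i] == "COMMIT"))) {
                    print "#-------------- Start OpenLDAP config------------>"
                    print "-A INPUT " srcopt "-p tcp -m tcp --dport 389 -j ACCEPT"
                    print "-A INPUT " srcopt "-p tcp -m tcp --dport 636 -j ACCEPT"
                    print "#-------------- End OpenLDAP config--------------<"
                    seen = 1
                }
                print lines[i]
            }
        }' "$dump"
}

# Constructed sample dump modelled on the page's example (not a real server).
make_sample_dump() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
    echo "$f"
}

# line_of <regex> <file>: 1-based line number of the first match, 0 if none
line_of() {
    n=$(grep -n -- "$1" "$2" | head -n 1 | cut -d: -f1)
    echo "${n:-0}"
}

# rules_reachable <file>: succeeds only if both LDAP rules precede the
# INPUT REJECT, i.e. the firewall would actually hit them.
rules_reachable() {
    rej=$(line_of '^-A INPUT -j REJECT' "$1")
    p389=$(line_of '^-A INPUT .*--dport 389 -j ACCEPT$' "$1")
    p636=$(line_of '^-A INPUT .*--dport 636 -j ACCEPT$' "$1")
    [ "$p389" -gt 0 ] && [ "$p636" -gt 0 ] && [ "$p389" -lt "$rej" ] && [ "$p636" -lt "$rej" ]
}

# Stand-alone demo: print the patched sample ruleset; nothing is applied.
if [ "${1:-}" = "--demo" ]; then
    add_ldap_rules "$(make_sample_dump)" 10.0.0.0/8
fi
```

Review the patched file before loading it, then apply it with the same iptables-restore step shown above (keeping the .bak copy for rollback); on Red Hat systems the patched content still has to be written to /etc/sysconfig/iptables to survive a reboot.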