I end up editing this so much that I figured I'd post it here for all to use. This is the standard iptables config file, augmented with the rules required to let through the protocols FreeIPA supports.
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# TCP ports for FreeIPA
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 636 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 88 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 464 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
# UDP ports for FreeIPA
-A INPUT -m state --state NEW -m udp -p udp --dport 88 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 464 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 123 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
Hello,
A more restrictive approach using conntrack I’ve been using:
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -i lo -j ACCEPT
# ldaps is 636/tcp
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp -m multiport --dports 22,53,80,88,389,464,636,443 -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -m udp -m multiport --dports 53,88,123,464 -j ACCEPT
-A INPUT -j LOG --log-prefix "IP DROP UNMATCHED: "
-A INPUT -j DROP
COMMIT
I can’t remember if freeIPA includes a firewalld snippet, I’ll check that later.
Thanks!
Thanks, David. Care to annotate that a bit? I suspect that people will be finding this response of yours useful, and it would be handy to have the explanation all in one place.
OK, let me try 🙂
First of all, please note that we’re dealing only with the filter
table. No nat or mangle is/should be needed in a default freeIPA installation.
Further restrictions can be implemented by DROPping also the OUTPUT
using the security table, or by other means.
DROP instead of ACCEPT (or REJECT): A direct quote from the DISA draft
for RHEL6, “in iptables the default policy is applied only after all the
applicable rules in the table are examined for a match. Setting the
default policy to “DROP” implements proper design for a firewall, i.e.
any packets which are not explicitly permitted should not be accepted.”
Also, it makes it harder for port scanners to obtain useful info, as it
drops the connection without giving a response.
http://iase.disa.mil/stigs/os/unix/red_hat.html
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
Why conntrack? It allows for a very simple sanity check, can be useful
when combined with the conntrack(8) tool, and it’s supposed to obsolete
the state module. (Doesn’t Fedora 18 already issue a deprecation warning?)
http://www.spinics.net/lists/netfilter/msg46832.html
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Accepted ICMP types. I probably shouldn’t have posted this “as is”, as it
is a personal choice, valid for a specific scenario.
The idea here is restricting the ICMP traffic to the minimum types
and/or codes; note that ICMP types 1,2,7 are unassigned, 4-6,15-18,30-39
are deprecated, and some others are reserved or experimental.
Also, note the security recommendations found in the DISA document cited above
and others (NSA, …) with regards to ICMP redirects.
https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xml
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
Accept all local traffic. As a curiosity (at least it was surprising for me
when I learned of it), local traffic goes through the lo interface regardless
of the local IP used.
-A INPUT -i lo -j ACCEPT
Multiport module. It accepts up to 15 ports, enough for an IPA
server, gives fewer lines to edit, and the info regarding what
is what can still be easily obtained elsewhere:
# getent services 22 53 53/udp 80 88 88/udp 123/udp 389 464 646/udp 686 443
ssh 22/tcp
domain 53/tcp
domain 53/udp
http 80/tcp www www-http
kerberos 88/tcp kerberos5 krb5
kerberos 88/udp kerberos5 krb5
ntp 123/udp
ldap 389/tcp
kpasswd 464/tcp kpwd
ldp 646/udp
hcp-wismar 686/tcp
https 443/tcp
# ldaps is 636/tcp (the getent listing above shows 686 is hcp-wismar)
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp -m multiport --dports 22,53,80,88,389,464,636,443 -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -m udp -m multiport --dports 53,88,123,464 -j ACCEPT
Optionally, you might want to know if you’re consistently dropping some traffic.
-A INPUT -j LOG --log-prefix "IP DROP UNMATCHED: "
After that, drop it all.
-A INPUT -j DROP
COMMIT
Hope it’s useful.
P.S. I’ve used some formatting tags in the hope they’ll be recognized, if that’s not the case, please feel free to edit the post. Thank you very much for the feedback.
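A quick audit that serves both the stock rule set in the original post and the conntrack variant above: it reads an iptables-restore file and reports which of the thread's FreeIPA ports have no INPUT ACCEPT rule. This is an added example, not code from the post or from FreeIPA; the names IPA_REQUIRED, opened_ports, missing_ports and check_sample are assumed here, and the sample rule set is constructed from the thread, typo included.

```shell
#!/bin/sh
# Added example, not part of the original thread: audit an iptables-restore
# file against the FreeIPA ports the thread lists and print every required
# proto/port pair no INPUT ACCEPT rule opens ("--dport N" or "--dports a,b").
IPA_REQUIRED="tcp/53 tcp/80 tcp/88 tcp/389 tcp/443 tcp/464 tcp/636 udp/53 udp/88 udp/123 udp/464"

# Print "proto/port" for every port an INPUT ACCEPT rule in $1 opens.
opened_ports() {
    awk '/^-A INPUT / && /-j ACCEPT/ {
        proto = ""; ports = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "-p") proto = $(i + 1)
            if ($i == "--dport" || $i == "--dports") ports = $(i + 1)
        }
        if (proto == "" || ports == "") next   # icmp, lo and conntrack rules
        n = split(ports, p, ",")
        for (k = 1; k <= n; k++) print proto "/" p[k]
    }' "$1" | sort -u
}

# Print the required pairs that $1 does not open (empty output = all open).
missing_ports() {
    opened=$(opened_ports "$1")
    for want in $IPA_REQUIRED; do
        echo "$opened" | grep -qx "$want" || echo "$want"
    done
}

# Constructed sample: the conntrack rule set from the thread with its 686
# typo (ldaps is 636/tcp); the icmp line shows non-port rules are skipped.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp -m multiport --dports 22,53,80,88,389,464,686,443 -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -m udp -m multiport --dports 53,88,123,464 -j ACCEPT
-A INPUT -j DROP
COMMIT'

# Audit the sample as posted (prints tcp/636) or, with "fixed" as $1, after
# correcting 686 to 636 (prints nothing).
check_sample() {
    f=$(mktemp)
    if [ "$1" = fixed ]; then printf '%s\n' "$SAMPLE_RULES" | sed 's/,686,/,636,/' > "$f"
    else printf '%s\n' "$SAMPLE_RULES" > "$f"; fi
    missing_ports "$f"
    rm -f "$f"
}

check_sample
```

Point `missing_ports` at /etc/sysconfig/iptables on a server to run the same check against the live file.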
Hi David, Adam
This has been immensely useful. Thanks a lot! I’m wondering also what the default rules should be for an IPA client to have open if necessary?
Thanks!
I don’t think there are any: the ipa_client doesn’t set up any servers, so all default firewalling should work as is. Unless you are running a firewall rule that limits outgoing connections (maybe some sort of virus checker?) you shouldn’t need to modify your firewall.
Hi Adam,
I think you’re missing the ports for the ipa-replica* commands
Using your rule set none of the replica commands seem to work (with iptables off it will)
eg.
ipa-csreplica-manage re-initialize --from ipa01
Directory Manager password:
Can’t contact LDAP server
Cheers,
Andrew.
Port 8080 (tcp) seems to be needed by a replica that doesn’t have its own CA