
Thread: Firewall (iptables) rules to block LDAP access from outside?

  1. #1

    Firewall (iptables) rules to block LDAP access from outside?

    I've got a Zimbra Server successfully running on the internet as a mail and collaboration server for some kind of "distributed company". Zimbra really does that job great altogether. The only thing that is still bugging me is the publicly accessible LDAP directory, on which some threads already exist.

    As I don't need any users to access the LDAP directory over the internet, I'd like to block LDAP access completely from the internet, so only the Zimbra server itself can still access the directory for use with the web client etc.
    For this, I tried to set my iptables firewall up to allow only loopback and the server's own IP to contact the LDAP daemon. This seemed to work at first, but ended up with a 16GB(!) logfile within 2 days because of a lot of Java exception lines like this:

    Caused by: javax.naming.CommunicationException: myhostname.de:389 [Root exception is java.net.ConnectException: Connection refused]
    (Trace following...)

    I suppose that I'm not the only one who ever tried to solve that security problem, so I'd like to ask you out there: what are your firewall rules which let LDAP do its work and still prevent spammers from reading out the directory?

    Thanks in advance,
    phlo

  2. #2

    I use Webmin with my SuSE 10.2 distro to manage my IP tables. It works great with other distros as well. My way of approaching the firewall on my two exposed ZCS servers is to start by blocking all incoming traffic to the external WAN NIC and then insert a rule to accept only the ports needed for mail access. I have an internal NIC as well that I leave completely open, and of course the loopback needs to be completely open.

    Allow ports 25, 465, 110, 995, 80, and 443. These are the only ports needed to be open for the mail server to work. If you have other services you may need other ports.

    This configuration will prevent access to your LDAP from the outside world.

  3. #3

    Bill, thanks for your answer. I did it basically exactly the same way. Blocked all incoming, then allowed everything on loopback, and subsequently opened only those ports on the internet NIC I wanted to have open (22, 25, 465, 995, 443, 7071).

    It seemed to work quite well, all functionality was ok, until I ran out of hdd space as the log file filled with exceptions generated by the unsuccessful connections to the LDAP. Interestingly, the failing connection wasn't directed to loopback (127.0.0.1 or localhost), but to the public hostname/FQDN of the mail server. I tried to allow all connections which originate from the server's own IP, too, but this made no difference at all...

    Any further ideas?

    Thanks,
    phlo

  4. #4

    This post has some interesting LDAP issues. Don't know if it will be any help to you or not. Might check it out. One poster ran out of hard drive as well.

    http://www.zimbra.com/forums/adminis...-solution.html

  5. #5

    Thanks, but this doesn't reflect my issues either... When I removed the 18-GB logfile, everything worked fine again without any startup probs or anything... Additionally, my issues did not affect the LDAP log at all but the maillog file, which records Zimbra errors (which means Java exceptions in most cases).
    If I turn my firewall on, those exceptions continue to appear; if I turn it off, they do not appear anymore. So there must be something with the firewall I didn't recognize when setting up the rules.

    That's the reason I wanted to know a little bit about other users' rulesets, to see if I configured something fundamentally wrong or something...

    Installed WebMin now, as it gives me a little bit more confidence in editing iptables rules - with the web interface I'm much more sure about the things I configure...we'll see :-)

    Thanks nevertheless,
    phlo
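A ruleset that implements the approach Bill describes (block everything on the WAN NIC, open only the needed ports) and covers the case phlo hit, where Zimbra connects to its own public FQDN rather than to 127.0.0.1. This is an added example, not code from the thread; it assumes a WAN interface named eth0 and uses phlo's port list, both constructed values you can override via the environment.

```shell
#!/bin/sh
# Added example, not from the thread: an iptables INPUT ruleset that keeps
# LDAP (tcp/389) reachable only from the Zimbra host itself and closes it to
# the internet. Assumed values (constructed): WAN interface eth0 and the port
# list phlo opened (22, 25, 465, 995, 443, 7071); override via environment.
# Usage: ldap_rules.sh print   (show the commands)
#        ldap_rules.sh apply   (run them; needs root)

WAN_IF="${WAN_IF:-eth0}"
OPEN_PORTS="${OPEN_PORTS:-22 25 465 995 443 7071}"

# Print the ruleset, one iptables command per line, in an order that is safe
# to apply over SSH (the DROP policy is set last).
gen_rules() {
    echo "iptables -P INPUT ACCEPT"
    echo "iptables -F INPUT"
    # Match loopback by interface, not by address. When Zimbra connects to its
    # own public FQDN, the packets carry the public IP as source and
    # destination yet are still routed over lo, so a rule written as
    # '-s 127.0.0.1' or '-d 127.0.0.1' never matches them and the server's
    # own LDAP connections get filtered like any external client's.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # Replies to connections the server opened (DNS, outbound SMTP, ...).
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for p in $OPEN_PORTS; do   # unquoted on purpose: split on spaces
        echo "iptables -A INPUT -i $WAN_IF -p tcp --dport $p -j ACCEPT"
    done
    # Explicitly drop LDAP from the WAN side, logging at most a few hits per
    # minute so a scanner cannot fill the disk with log lines.
    echo "iptables -A INPUT -i $WAN_IF -p tcp --dport 389 -m limit --limit 3/min -j LOG --log-prefix 'LDAP-EXT-BLOCK: '"
    echo "iptables -A INPUT -i $WAN_IF -p tcp --dport 389 -j DROP"
    # Everything not accepted above (389 included) is dropped by policy.
    echo "iptables -P INPUT DROP"
}

case "${1:-print}" in
    apply) gen_rules | sh -e ;;
    *)     gen_rules ;;
esac
```

After applying, `iptables -L INPUT -v -n` should show the lo and ESTABLISHED rules before the per-port rules, and the 389 LOG rule lets you spot external probes in the kernel log without the volume problem from the thread.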
