Uberleet

Linux Systems Articles for better insights

FreeIPA iptables setup


I personally find management easier using iptables for FreeIPA because it lets you add an -s flag to any rule and restrict it to a source IP range when needed. firewalld can do the same with rich rules, but the syntax is awkward, so why bother?

First, stop and disable firewalld so it does not compete with iptables for the ruleset:

sudo systemctl disable firewalld
sudo systemctl stop firewalld

Install the iptables service files (the iptables-services package):

sudo yum install iptables-services

Enable iptables

sudo systemctl enable iptables
sudo systemctl start iptables
sudo systemctl enable ip6tables
sudo systemctl start ip6tables

ip6tables comes up with the default ruleset from /etc/sysconfig/ip6tables, which only accepts SSH and rejects everything else. If the server has IPv6 connectivity, build a matching v6 ruleset as well, or IPv6 clients will be rejected on every FreeIPA port.

Now create your FreeIPA base firewall ruleset

Create /root/iptables.v4 (root-only, like the rest of /root) to hold the ruleset below. You will restore it into the running kernel and then save it as the persistent configuration.

# FreeIPA base ruleset for iptables-restore
# Default policies stay ACCEPT; the catch-all REJECT at the end of INPUT is what
# closes the host, so keep it last and add new ACCEPT rules above it.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

# TCP ports for FreeIPA
# 80/443: web UI, JSON-RPC API, CRL and OCSP; 389/636: LDAP and LDAPS;
# 88/464: Kerberos and kpasswd; 53: DNS, only needed if the server runs integrated DNS
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 636 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 88 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 464 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT

# UDP ports for FreeIPA
# 88/464: Kerberos and kpasswd; 123: NTP, only needed if this server serves time
# to its clients; 53: DNS, as above
-A INPUT -m state --state NEW -m udp -p udp --dport 88 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 464 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 123 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT

# Everything else is rejected; this must stay the last INPUT rule
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

Restore & save as the running config

sudo iptables-restore < /root/iptables.v4
sudo service iptables save

iptables-restore replaces the whole running ruleset with the file in one step (run it with --test first to parse the file without committing it, since a malformed file is rejected but a wrong port number is not). service iptables save then writes the running rules to /etc/sysconfig/iptables, which is what the iptables unit loads at boot. Your current SSH session survives the restore because of the ESTABLISHED,RELATED rule, so review the result with iptables -L -n before you save.
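The point of the intro was that -s makes source restrictions cheap. As an added example (this is not the post's file and not FreeIPA's own tooling), the script below generates the same ruleset in iptables-restore format, but with SSH limited to a management range and every FreeIPA port limited to the range your enrolled hosts and replicas live in. ADMIN_NET and CLIENT_NET are placeholder ranges to override from the environment. It also checks the generated file before you hand it to iptables-restore: every port-opening rule must carry -s, no INPUT rule may sit below the catch-all REJECT, and the file must end with COMMIT.

```shell
#!/usr/bin/env bash
# Added example: generate a FreeIPA ruleset with per-rule source restrictions.
# ADMIN_NET and CLIENT_NET are assumed placeholder ranges; override in the environment.
set -eu

ADMIN_NET="${ADMIN_NET:-10.0.0.0/24}"   # assumed: hosts allowed to SSH in
CLIENT_NET="${CLIENT_NET:-10.0.0.0/16}" # assumed: enrolled clients and replicas

# Emit one rule accepting NEW connections to proto/port. The optional third
# argument restricts the rule to that source range with -s.
allow() {
  local proto=$1 port=$2 src=${3:-}
  if [ -n "$src" ]; then
    printf -- '-A INPUT -s %s -m state --state NEW -m %s -p %s --dport %s -j ACCEPT\n' \
      "$src" "$proto" "$proto" "$port"
  else
    printf -- '-A INPUT -m state --state NEW -m %s -p %s --dport %s -j ACCEPT\n' \
      "$proto" "$proto" "$port"
  fi
}

# Print the complete ruleset in iptables-restore format on stdout.
gen_ruleset() {
  cat <<'EOF'
# FreeIPA host firewall, generated; apply with iptables-restore
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
EOF
  # SSH only from the management range.
  allow tcp 22 "$ADMIN_NET"
  # Web UI / JSON-RPC API and CRL/OCSP: clients use these during enrollment and
  # certificate renewal, so these stay open to the client range, not admins only.
  allow tcp 80  "$CLIENT_NET"
  allow tcp 443 "$CLIENT_NET"
  # LDAP, LDAPS, Kerberos, kpasswd, DNS over TCP from enrolled hosts.
  for p in 389 636 88 464 53; do allow tcp "$p" "$CLIENT_NET"; done
  # Kerberos, kpasswd, DNS, NTP over UDP from enrolled hosts.
  for p in 88 464 53 123; do allow udp "$p" "$CLIENT_NET"; done
  cat <<'EOF'
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Write the ruleset to a root-only file and print its path.
write_ruleset() {
  local out=$1
  gen_ruleset > "$out"
  chmod 600 "$out"
  printf '%s\n' "$out"
}

# Sanity checks on the generated text before it goes near the kernel.
check_ruleset() {
  local file=$1
  # 1. every rule that opens a port is source-restricted
  if grep -- '--dport' "$file" | grep -qv -- ' -s '; then
    echo "check: rule without -s in $file" >&2
    return 1
  fi
  # 2. nothing is appended to INPUT after its catch-all REJECT (it would be dead)
  if ! awk '/^-A INPUT -j REJECT/ {seen=1; next}
            seen && /^-A INPUT/   {bad=1}
            END {exit bad}' "$file"; then
    echo "check: INPUT rule after the final REJECT in $file" >&2
    return 1
  fi
  # 3. the file ends with COMMIT, otherwise iptables-restore refuses it
  [ "$(tail -n 1 "$file")" = "COMMIT" ]
}

OUT="${OUT:-$(mktemp)}"
write_ruleset "$OUT" >/dev/null
check_ruleset "$OUT"
cat "$OUT"
# As root, to apply and persist:
#   iptables-restore --test < "$OUT" && iptables-restore < "$OUT" && service iptables save
```

Run it once to see the file, then as root pass the file through iptables-restore --test, iptables-restore and service iptables save as in the comment. Your current SSH session survives the restore because of the ESTABLISHED,RELATED rule, but a new session from outside ADMIN_NET will not, so confirm the ranges before you save. Replicas need every service port, so keep them inside CLIENT_NET.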

Have fun!

From here you can customize the file and restore and save again as needed; this gives FreeIPA a basic host firewall on top of whatever sits in front of it.