[Solved] Block IP only LDAP port


#1

Hi, is it possible to limit an IP to only seeing the LDAP port, and block the others?

Regards


#2

Moin,

not without editing the templates. With the security/packetfilter/... entries you cannot specify a source IP, and /etc/security/packetfilter.d/50_local.sh is too late, i.e., 10_univention-firewall_start.sh contains the UCR settings.

(Ok, in theory you could set all security/packetfilter/... entries to DROP and put almost all config into 50_local.sh, but in that case, editing the templates would be much cleaner)


#3

Hey,

No, it isn’t too late. You can easily insert rules at the top with iptables -I INPUT … instead of appending them at the end.

Kind regards,
mosu


#4

I’ve set in /etc/security/packetfilter.d/50_local.sh:

iptables -I INPUT -s $IP -j DROP                         # inserted at the top of INPUT
iptables -A INPUT -p tcp --dport $PORT -s $IP -j ACCEPT  # appended at the end of INPUT

no connections from $IP


#5

Yeah sure, with -I you insert the rule to block everything from $IP at the very top. That second rule will never match.

Change the second iptables -A… to iptables -I…. That way the exception to allow that port will actually be the first rule.

m.
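To make the ordering point concrete without touching a live firewall, here is an added example (not code from the thread or from Univention) that models first-match evaluation of the INPUT chain. It builds the rule set exactly as posted in #4 (DROP inserted with -I, ACCEPT appended with -A) next to the corrected one from #5 (both inserted with -I), then evaluates a few constructed packets against each. The address 192.0.2.10 and port 389 are stand-ins for the thread's $IP and $PORT; the rest of the UCS chain is not modelled, so anything unmatched falls through to the chain policy.

```python
"""Model of iptables INPUT ordering: why -I (insert at rule 1) vs -A (append)
decides whether the per-port exception ever matches.

Added example, not from the forum thread. It simulates netfilter's
first-match rule evaluation offline; it does not run iptables.
"""
from dataclasses import dataclass
from typing import List, Optional

IP = "192.0.2.10"    # constructed stand-in for the thread's $IP
PORT = 389           # constructed stand-in for the thread's $PORT (LDAP)


@dataclass(frozen=True)
class Rule:
    target: str                    # -j ACCEPT / -j DROP
    src: Optional[str] = None      # -s
    proto: Optional[str] = None    # -p
    dport: Optional[int] = None    # --dport

    def matches(self, pkt: dict) -> bool:
        """All given match fields must agree; unset fields match anything."""
        return ((self.src is None or pkt["src"] == self.src)
                and (self.proto is None or pkt["proto"] == self.proto)
                and (self.dport is None or pkt["dport"] == self.dport))

    def cmdline(self, flag: str) -> str:
        """Render the rule as the iptables command that would create it."""
        parts = ["iptables", flag, "INPUT"]
        if self.src:
            parts += ["-s", self.src]
        if self.proto:
            parts += ["-p", self.proto]
        if self.dport is not None:
            parts += ["--dport", str(self.dport)]
        parts += ["-j", self.target]
        return " ".join(parts)


class Chain:
    """Ordered rule list with first-match semantics and a default policy."""

    def __init__(self, policy: str = "ACCEPT"):
        self.policy = policy
        self.rules: List[Rule] = []
        self.script: List[str] = []   # commands in the order they were issued

    def insert(self, rule: Rule) -> None:      # iptables -I INPUT ... (rulenum 1)
        self.rules.insert(0, rule)
        self.script.append(rule.cmdline("-I"))

    def append(self, rule: Rule) -> None:      # iptables -A INPUT ...
        self.rules.append(rule)
        self.script.append(rule.cmdline("-A"))

    def verdict(self, pkt: dict) -> str:
        for rule in self.rules:                # first matching rule wins
            if rule.matches(pkt):
                return rule.target
        return self.policy


def as_posted() -> Chain:
    """Post #4: DROP inserted at the top, ACCEPT appended below it (never reached)."""
    chain = Chain()
    chain.insert(Rule("DROP", src=IP))
    chain.append(Rule("ACCEPT", src=IP, proto="tcp", dport=PORT))
    return chain


def corrected() -> Chain:
    """Post #5: both inserted with -I; the ACCEPT, inserted last, ends up first."""
    chain = Chain()
    chain.insert(Rule("DROP", src=IP))
    chain.insert(Rule("ACCEPT", src=IP, proto="tcp", dport=PORT))
    return chain


# Constructed sample packets.
LDAP_FROM_IP = {"src": IP, "proto": "tcp", "dport": PORT}
SSH_FROM_IP = {"src": IP, "proto": "tcp", "dport": 22}
SSH_FROM_OTHER = {"src": "192.0.2.99", "proto": "tcp", "dport": 22}

if __name__ == "__main__":
    for name, chain in (("as posted", as_posted()), ("corrected", corrected())):
        print(f"== {name} ==")
        print("\n".join(chain.script))
        print("effective order:", [r.target for r in chain.rules])
        for label, pkt in (("ldap from $IP", LDAP_FROM_IP),
                           ("ssh from $IP", SSH_FROM_IP),
                           ("ssh from other host", SSH_FROM_OTHER)):
            print(f"  {label:20s} -> {chain.verdict(pkt)}")
```

Running it shows the posted order ending as [DROP, ACCEPT], so LDAP from $IP is dropped, while the corrected order is [ACCEPT, DROP], which lets LDAP through and still drops everything else from that host. One general iptables caveat worth keeping in mind when using -I in 50_local.sh: a rule inserted at position 1 also sits in front of any ACCEPT for ESTABLISHED/RELATED traffic that earlier scripts may have added, so the DROP applies to reply packets from $IP as well, which is what you want here.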


#6

Oh my god!!! Sorry

Works fine!!!