Want to restrict to only kinit transactions with iptables
hectorl
hectorlas at yahoo.com
Thu Nov 7 22:40:48 EST 2013
I'm trying to set up a client machine so that only kinit works. So far, my
rules look like
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i eth0 -s 192.168.1.130 -p tcp -m tcp --sport kerberos -j ACCEPT
-A INPUT -i eth0 -s 192.168.1.130 -p udp -m udp --sport kerberos -j ACCEPT
# OUTPUT rules match on the outgoing interface (-o); -i is only valid in INPUT/FORWARD
-A OUTPUT -o eth0 -d 192.168.1.130 -p tcp -m tcp --dport kerberos -j ACCEPT
-A OUTPUT -o eth0 -d 192.168.1.130 -p udp -m udp --dport kerberos -j ACCEPT
With this as-is, when I run "kinit remuser", I keep getting the error
kinit: Cannot contact any KDC for realm 'EXAMPLE.COM' while getting
initial credentials
If I run
iptables -P INPUT ACCEPT
then "kinit remuser" works as expected. And after that first success, if I
run
iptables -P INPUT DROP
it still keeps working.
I've tried using Wireshark to see what I'm initially disallowing. It seems
ARP-related, but I can't consistently see that... and I thought iptables
wasn't supposed to mess with ARP. I'm not seeing anything missing with "arp
-n" or "ip -s neigh".
I've got the client and server configured correctly enough to work, but I'm
still too new to this stuff to know what other ports I need to allow to get
this working. If anyone can give me some tips I'd appreciate it.
Thanks.
Hector
--
View this message in context: http://kerberos.996246.n3.nabble.com/Want-to-restrict-to-only-kinit-transactions-with-iptables-tp38879.html
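The rules quoted in the message only open port 88 in both directions and leave no trace of what else gets dropped. As an added example (not part of Hector's message or the Kerberos project), the script below generates an iptables-restore ruleset for a client that should do nothing but kinit: loopback, conntrack-tracked replies, DNS to a resolver (kinit has to resolve the KDC name from krb5.conf unless it is listed by IP) and Kerberos to the KDC, with a rate-limited LOG rule at the end of INPUT and OUTPUT so the missing port shows up in the kernel log instead of having to be guessed from a packet capture. The KDC address 192.168.1.130 is the one from the message; the resolver address 192.168.1.1 and the interface name are hypothetical placeholders.

```shell
#!/bin/sh
# Constructed example: print an iptables-restore ruleset that permits only what a
# Kerberos client needs and logs everything else that is dropped.

KDC_IP="${KDC_IP:-192.168.1.130}"   # KDC from the message
DNS_IP="${DNS_IP:-192.168.1.1}"     # hypothetical resolver address
IFACE="${IFACE:-eth0}"

# gen_rules KDC DNS IFACE  -> ruleset text on stdout (nothing is applied here)
gen_rules() {
    kdc="$1"; dns="$2"; iface="$3"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Local processes talking to themselves (resolver stubs, caches)
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Replies to traffic this host initiated; replaces per-port --sport rules
-A INPUT -i $iface -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Outbound DNS so the KDC name in krb5.conf can be resolved
-A OUTPUT -o $iface -d $dns -p udp --dport 53 -j ACCEPT
-A OUTPUT -o $iface -d $dns -p tcp --dport 53 -j ACCEPT
# Outbound Kerberos to the KDC (UDP first, TCP fallback for large responses)
-A OUTPUT -o $iface -d $kdc -p udp --dport 88 -j ACCEPT
-A OUTPUT -o $iface -d $kdc -p tcp --dport 88 -j ACCEPT
# Anything still dropped is logged (rate-limited) so dmesg shows the missing port
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop-in: "
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop-out: "
COMMIT
EOF
}

# count_port_rules KDC DNS IFACE PORT -> number of ACCEPT rules for that dport
count_port_rules() {
    gen_rules "$1" "$2" "$3" | grep -c -- "--dport $4 -j ACCEPT"
}

gen_rules "$KDC_IP" "$DNS_IP" "$IFACE"
```

To apply it, pipe the output into `iptables-restore` as root, then run `kinit remuser` and read the `iptables-drop-in:` / `iptables-drop-out:` lines in `dmesg`: whatever appears there is the traffic the ruleset is still missing. Because replies are accepted through conntrack rather than by source port, only the OUTPUT side needs a rule per destination.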