Want to restrict to only kinit transactions with iptables

hectorl hectorlas at yahoo.com
Thu Nov 7 22:40:48 EST 2013


I'm trying to set up a client machine so that only kinit works.  So far, my
rules look like

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Inbound from the KDC: only packets sourced from port 88 (kerberos)
-A INPUT -i eth0 -s 192.168.1.130 -p tcp -m tcp --sport kerberos -J ACCEPT
-A INPUT -i eth0 -s 192.168.1.130 -p udp -m udp --sport kerberos -j ACCEPT
# Outbound to the KDC on port 88. OUTPUT matches the egress interface with -o;
# iptables rejects -i in the OUTPUT chain.
-A OUTPUT -o eth0 -d 192.168.1.130 -p tcp -m tcp --dport kerberos -j ACCEPT
-A OUTPUT -o eth0 -d 192.168.1.130 -p udp -m udp --dport kerberos -j ACCEPT
COMMIT

With this as-is, when I run "kinit remuser", I keep getting the error 

    kinit: Cannot contact any KDC for realm 'EXAMPLE.COM' while getting
initial credentials

If I run

    iptables -P INPUT ACCEPT

then "kinit remuser" works as expected.  And after that first success, if I
run

    iptables -P INPUT DROP

it still keeps working.  

I've tried using wireshark to see what I'm initially disallowing.  It seems
ARP-related, but I can't consistently see that... and I thought iptables
wasn't supposed to mess with ARP. I'm not seeing anything missing with "arp
-n" or "ip -s neigh".

I've got the client and server configured correctly enough to work, but I'm
still too new to this stuff to know what other ports I need to allow to get
this working.  If anyone can give me some tips I'd appreciate it.

Thanks.
Hector



--
View this message in context: http://kerberos.996246.n3.nabble.com/Want-to-restrict-to-only-kinit-transactions-with-iptables-tp38879.html
Sent from the Kerberos - General mailing list archive at Nabble.com.
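Editor's note, added to this archived post and not part of Hector's message: the ruleset above only covers port 88, but kinit first has to resolve the KDC's hostname from krb5.conf (or the realm's SRV records when no kdc= line is configured), and the resolver's reply is inbound traffic that an INPUT DROP policy with no DNS rule silently eats. ARP is not the cause: iptables never sees ARP frames (that is arptables' job), so a missing reply in wireshark at the IP layer is the thing to look for. The script below generates a minimal "kinit only" client ruleset in iptables-restore format. It is an added example, not code from the post; the KDC address 192.168.1.130 and the interface eth0 come from the post, while the resolver address 192.168.1.1 is an assumption and must match what /etc/resolv.conf actually points at.

```sh
#!/bin/sh
# Added example (not from the original post): a minimal "kinit only" client
# ruleset in iptables-restore format, generated by a function so it can be
# inspected or diffed against `iptables-save` before anything is loaded.
# Assumed values: KDC 192.168.1.130 and eth0 are taken from the post; the
# resolver 192.168.1.1 is an assumption and must match /etc/resolv.conf.
set -eu

KDC="${KDC:-192.168.1.130}"
RESOLVER="${RESOLVER:-192.168.1.1}"
IFACE="${IFACE:-eth0}"

# Print the ruleset on stdout for the given KDC, resolver and interface.
gen_rules() {
    kdc="$1"; resolver="$2"; iface="$3"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback: needed when the resolver is local (127.0.0.1 / 127.0.0.53).
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Replies to anything allowed out come back through conntrack, so INPUT needs
# no per-service rules and a packet cannot get in merely by carrying source
# port 88 or 53.
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# DNS to the resolver: kinit looks up the KDC hostname from krb5.conf (or the
# realm's SRV records when no kdc= is set); TCP too, for answers over 512 bytes.
-A OUTPUT -o $iface -d $resolver -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o $iface -d $resolver -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
# Kerberos AS exchange on port 88: MIT kinit tries UDP first and falls back to
# TCP for large responses (or immediately, if udp_preference_limit = 1 is set).
-A OUTPUT -o $iface -d $kdc -p udp --dport 88 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o $iface -d $kdc -p tcp --dport 88 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Number of -A rules in the generated set: a cheap sanity check before loading.
rule_count() {
    gen_rules "$@" | grep -c '^-A'
}

# "check" only parses the ruleset (iptables-restore --test); "apply" loads it
# atomically, replacing the current filter table in one step.
case "${1:-}" in
    check) gen_rules "$KDC" "$RESOLVER" "$IFACE" | iptables-restore -t ;;
    apply) gen_rules "$KDC" "$RESOLVER" "$IFACE" | iptables-restore ;;
    *)     gen_rules "$KDC" "$RESOLVER" "$IFACE" ;;
esac
```

Run it with no argument to print the rules, `check` to have iptables-restore parse them without committing, and `apply` (as root) to load them. If kinit still fails, the quickest way to see what the DROP policy is discarding is `iptables -A INPUT -j LOG --log-prefix "in-drop: "` followed by a look at dmesg, or `iptables -vnL INPUT` to watch the policy counter climb during a kinit run.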

