Want to restrict to only kinit transactions with iptables

Tom Yu tlyu at MIT.EDU
Fri Nov 8 19:11:50 EST 2013

hectorl <hectorlas at yahoo.com> writes:

> I'm trying to set up a client machine so that only kinit works.  So far, my
> rules look like

Could you please clarify what you mean by "so that only kinit works"?

> :INPUT DROP [0:0]
> :OUTPUT DROP [0:0]
> -A INPUT -i eth0 -s -p tcp -m tcp --sport kerberos -j ACCEPT
> -A INPUT -i eth0 -s -p udp -m udp --sport kerberos -j ACCEPT
> -A OUTPUT -i eth0 -d -p tcp -m tcp --dport kerberos -j ACCEPT
> -A OUTPUT -i eth0 -d -p udp -m udp --dport kerberos -j ACCEPT
> With this as-is, when I run "kinit remuser", I keep getting the error 
>     kinit: Cannot contact any KDC for realm 'EXAMPLE.COM' while getting
> initial credentials
> If I run
>     iptables -P INPUT ACCEPT
> then "kinit remuser" works as expected.  And after that first success, if I
> run
>     iptables -P INPUT DROP
> it still keeps working.  
> I've got the client and server configured correctly enough to work, but I'm
> still too new to this stuff to know what other ports I need to allow to get
> this working.  If anyone can give me some tips I'd appreciate it.

Does your client need to do any DNS resolution to get the IP address
of the KDC?  That might explain why it starts working after you open
up the input filter for one invocation of kinit.
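As an added example (not part of Tom's reply or of hectorl's post), the snippet below does two things: it checks whether a krb5.conf names the KDC by hostname or leaves SRV lookup on, which is exactly the DNS dependence Tom asks about, and it emits an iptables-restore ruleset that permits DNS and Kerberos while admitting replies only through conntrack rather than by trusting any packet with source port 88. The addresses and interface are placeholders, and the file paths in the check are whatever you pass in.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
KDC_IP="192.0.2.10"     # placeholder: your KDC's address
DNS_IP="192.0.2.53"     # placeholder: your resolver's address
IFACE="eth0"            # placeholder: client's outbound interface

# Does the krb5.conf given as $1 require DNS before kinit can reach a KDC?
# Returns 0 (yes) if dns_lookup_kdc is enabled, if there is no kdc entry at
# all (MIT then falls back to DNS SRV records), or if any kdc entry is a
# hostname rather than an IPv4 literal; returns 1 otherwise.
kdc_needs_dns() {
    if grep -Eiq '^[[:space:]]*dns_lookup_kdc[[:space:]]*=[[:space:]]*(true|yes|1)' "$1"; then
        return 0
    fi
    # keep only the host part of every "kdc = host[:port]" line
    hosts=$(grep -Ei '^[[:space:]]*kdc[[:space:]]*=' "$1" \
            | sed -E 's/^[^=]*=[[:space:]]*//; s/:.*$//')
    [ -z "$hosts" ] && return 0
    printf '%s\n' "$hosts" | grep -Evq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$'
}

# Ruleset for a client that should only be able to kinit: new connections
# are allowed only to the resolver (53) and the KDC (88); everything coming
# back in must belong to a flow conntrack has already seen.  Note that the
# OUTPUT chain matches the interface with -o, not -i.
kinit_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -i $IFACE -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o $IFACE -d $DNS_IP -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o $IFACE -d $DNS_IP -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o $IFACE -d $KDC_IP -p udp --dport 88 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o $IFACE -d $KDC_IP -p tcp --dport 88 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}
```

Load the emitted ruleset with `kinit_ruleset | iptables-restore`; if `kdc_needs_dns /etc/krb5.conf` reports yes and the DNS rules are absent, the first kinit will fail exactly as described above.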
