-----Original Message-----
From: redhat-list-bounces@xxxxxxxxxx [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of Rohit khaladkar
Sent: Monday, April 06, 2009 11:08 AM
To: General Red Hat Linux discussion list
Subject: Re: Need to block port 1521 for all machines except one.

Thanks a lot! Here they are:

-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type timestamp-request -j REJECT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type timestamp-reply -j REJECT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 514 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 1521 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 1158 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

On Mon, Apr 6, 2009 at 9:21 PM, Barry Brimer <lists@xxxxxxxxxx> wrote:
>
> iptables -A INPUT -s <ip address of first machine you want to allow> -p tcp --dport 1521 -j ACCEPT
> iptables -A INPUT -s <ip address of second machine you want to allow> -p tcp --dport 1521 -j ACCEPT
> <continue as needed>
> iptables -A INPUT -p tcp --dport 1521 -j DROP
>
> Quoting Rohit khaladkar <rohit.khaladkar@xxxxxxxxx>:
>
> > Hi! You found that right. There were other iptables rules that were
> > conflicting. The following command worked.
> >
> > iptables -A INPUT -s $1 -p tcp --dport 1521 -j ACCEPT
> > iptables -A INPUT -p tcp --dport 1521 -j DROP
> >
> > But the problem the command gave me is I can't access the database from the
> > database server itself.
> >
> > Is there any way out we can modify this command to work for two machines?
> >
> > Thanks!
> > Rohit Khaladkar
> >
> > On Tue, Mar 31, 2009 at 5:21 PM, Barry Brimer <lists@xxxxxxxxxx> wrote:
> >
> > > > Hi All, As a security measure, I need to block port 1521 on the database
> > > > server, which is used by Oracle, for all machines except one. I tried using
> > > > the following commands to block the port, but for some reason it is not
> > > > working. Can someone please help me.
> > > >
> > > > iptables -A INPUT -s $1 -p tcp --dport 1521 -j ACCEPT
> > > > iptables -A INPUT -p tcp --dport 1521 -j DROP
> > > >
> > > > where $1 is the machine name or ip address of the machine which needs access
> > > > to the port.
> > >
> > > I can't help but notice that you are using -A to append rules at the end of
> > > your existing INPUT chain. Are there other firewall rules above these rules
> > > that would be accepting the traffic before these rules are even hit?
> > >
> > > --
> > > redhat-list mailing list
> > > unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
> > > https://www.redhat.com/mailman/listinfo/redhat-list
>
--------------------------------------------------------------------------

That makes no sense - Even ignoring the first line (the -i lo -j ACCEPT one) you said that oracle won't accept connections from the local box?

This is what I would set it to:

-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type timestamp-request -j REJECT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type timestamp-reply -j REJECT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 514 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -s <server1> -p tcp --dport 1521 -j ACCEPT
-A RH-Firewall-1-INPUT -s <server2> -p tcp --dport 1521 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 1158 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

So all local traffic will be accepted (the -i lo line), the 2 servers needed will be accepted (by calling them out specifically), and everything else (for 1521) will fall through to the reject line.
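The whole thread turns on one property of iptables: a chain is walked top to bottom and the first matching rule decides. The following is an added example, not code from the thread or from Red Hat's tooling. It models the RH-Firewall-1-INPUT chain from the messages above as Python data and walks sample packets through it, so the two failure modes can be reproduced offline: the poster's chain accepts TCP/1521 from any host because a blanket `--dport 1521 ACCEPT` sits above everything, and anything appended with `-A` lands below the catch-all REJECT and is never reached. The addresses 192.0.2.10/192.0.2.11 (standing in for `<server1>`/`<server2>`) and 203.0.113.5 are constructed placeholders.

```python
"""First-match walk of an iptables-style chain (added example, not from the thread).

Models the RH-Firewall-1-INPUT chain from the redhat-list messages above. Only the
match options those rules use (-i, -p, -s, --dport, -m state --state) are modelled;
ICMP/ESP/AH rules are omitted because they cannot match a TCP packet anyway.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dport: int
    proto: str = "tcp"
    in_iface: str = "eth0"
    state: str = "NEW"


@dataclass(frozen=True)
class Rule:
    target: str                          # -j ACCEPT / REJECT / DROP
    in_iface: Optional[str] = None       # -i
    proto: Optional[str] = None          # -p
    src: Optional[str] = None            # -s (single address in this model)
    dport: Optional[int] = None          # --dport
    states: Optional[FrozenSet[str]] = None  # -m state --state

    def matches(self, pkt: Packet) -> bool:
        """Every option given on the rule must match; unset options match anything."""
        return ((self.in_iface is None or self.in_iface == pkt.in_iface)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.src is None or self.src == pkt.src)
                and (self.dport is None or self.dport == pkt.dport)
                and (self.states is None or pkt.state in self.states))


def verdict(chain: List[Rule], pkt: Packet) -> str:
    """Walk the chain top to bottom; the first matching rule's target is the verdict.

    Both chains below end in a catch-all REJECT, so the fall-through value
    (the chain policy) is never reached for them.
    """
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return "POLICY"


NEW = frozenset({"NEW"})
ALLOWED = ("192.0.2.10", "192.0.2.11")   # constructed stand-ins for <server1>/<server2>

HEAD = [
    Rule("ACCEPT", in_iface="lo"),                                   # -i lo -j ACCEPT
    Rule("ACCEPT", states=frozenset({"RELATED", "ESTABLISHED"})),    # conntrack
]
TAIL = [
    Rule("ACCEPT", proto="tcp", dport=1158, states=NEW),
    Rule("ACCEPT", proto="tcp", dport=22, states=NEW),
    Rule("REJECT"),                                                  # catch-all, icmp-host-prohibited
]

# The chain as originally posted: a blanket ACCEPT for TCP/1521 from anywhere.
ORIGINAL_CHAIN = HEAD + [Rule("ACCEPT", proto="tcp", dport=1521, states=NEW)] + TAIL

# The chain as proposed in the last reply: per-host ACCEPTs, then fall through to REJECT.
FIXED_CHAIN = HEAD + [Rule("ACCEPT", proto="tcp", src=s, dport=1521) for s in ALLOWED] + TAIL

# What "iptables -A ... --dport 1521 -j DROP" does to the original chain: it is
# appended *after* the catch-all REJECT and the blanket ACCEPT, so it never fires.
APPENDED_CHAIN = ORIGINAL_CHAIN + [Rule("DROP", proto="tcp", dport=1521)]


def check_1521(chain: List[Rule], src: str, in_iface: str = "eth0") -> str:
    """Verdict for a new TCP connection to port 1521 from src arriving on in_iface."""
    return verdict(chain, Packet(src=src, dport=1521, in_iface=in_iface))


if __name__ == "__main__":
    cases = [("allowed host", ALLOWED[0], "eth0"),
             ("other host", "203.0.113.5", "eth0"),
             ("local box", "127.0.0.1", "lo")]
    for name, chain in (("original", ORIGINAL_CHAIN),
                        ("appended DROP", APPENDED_CHAIN),
                        ("fixed", FIXED_CHAIN)):
        for label, src, iface in cases:
            print(f"{name:14s} {label:13s} -> {check_1521(chain, src, iface)}")
```

Running it shows the original and "appended DROP" chains answering ACCEPT for every source, while the fixed chain accepts only the two named servers and loopback and rejects everyone else, with SSH on port 22 still reachable because that rule sits above the catch-all. The same walk explains Barry's first question: with `-A`, the only way a new rule can take effect is if nothing above it already matched the packet.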