RE: Need to block port 1521 for all machines except one.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



-----Original Message-----
From: redhat-list-bounces@xxxxxxxxxx [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of Rohit khaladkar
Sent: Monday, April 06, 2009 11:08 AM
To: General Red Hat Linux discussion list
Subject: Re: Need to block port 1521 for all machines except one.

Thanks a lot!

Here they are :
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type timestamp-request -j
REJECT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type timestamp-reply -j REJECT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 514 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 1521 -j
ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 1158 -j
ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j
ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT


On Mon, Apr 6, 2009 at 9:21 PM, Barry Brimer <lists@xxxxxxxxxx> wrote:

>
> iptables -A INPUT -s <ip address of first machine you want to allow> -p tcp
> --dport 1521 -j ACCEPT
> iptables -A INPUT -s <ip address of second machine you want to allow> -p
> tcp
> --dport 1521 -j ACCEPT
> <continue as needed>
> iptables -A INPUT -p tcp --dport 1521 -j DROP
>
> Quoting Rohit khaladkar <rohit.khaladkar@xxxxxxxxx>:
>
> > Hi!You found that right. There were other iptable rules that were
> > conflicting. The following command worked.
> >
> > iptables -A INPUT -s $1 -p tcp --dport 1521 -j ACCEPT
> > iptables -A INPUT -p tcp --dport 1521 -j DROP
> >
> >
> > But the problem the command gave me is I can't access the database from
> the
> > database server itself.
> >
> > Is there any way out we can modify this command to work for two machines.
> >
> >
> > Thanks!
> > Rohit Khaladkar
> >
> > On Tue, Mar 31, 2009 at 5:21 PM, Barry Brimer <lists@xxxxxxxxxx> wrote:
> >
> > > Hi All,As a security measure, I need to block port 1521on the database
> > >> server , which is used by Oracle for all machines, except one.I tried
> > >> using
> > >> the following commands to block the port, but for some reason it is
> not
> > >> working.Can someone please help me.
> > >>
> > >>
> > >> iptables -A INPUT -s $1 -p tcp --dport 1521 -j ACCEPT
> > >> iptables -A INPUT -p tcp --dport 1521 -j DROP
> > >>
> > >> where $1 is the machine name or ip address of the machine which needs
> > >> access
> > >> to the port.
> > >>
> > >
> > > I can't help but notice that you are using -A to append rules at the
> end of
> > > your existing INPUT chain.  Are there other firewall rules above these
> > rules
> > > that would be accepting the traffic before these rules are even hit?
> > >
> > >
> > > --
> > > redhat-list mailing list
> > > unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
> > > https://www.redhat.com/mailman/listinfo/redhat-list
> > >
> > --
> > redhat-list mailing list
> > unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
> > https://www.redhat.com/mailman/listinfo/redhat-list
> >
> > !DSPAM:49da2230189793619052188!
> >
> >
>
>
>
> --
> redhat-list mailing list
> unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
> https://www.redhat.com/mailman/listinfo/redhat-list
>
--------------------------------------------------------------------------
That makes no sense - Even ignoring the first line (the -I lo -j ACCEPT one) you said that oracle won't accept connections from the local box?

This is what I would set it to:

-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type timestamp-request -j REJECT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type timestamp-reply -j REJECT 
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT 
-A RH-Firewall-1-INPUT -p esp -j ACCEPT 
-A RH-Firewall-1-INPUT -p ah -j ACCEPT 
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT 
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT 
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT 
-A RH-Firewall-1-INPUT -p udp -m udp --dport 514 -j ACCEPT 
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -s <server1> -p tcp --dport 1521 -j ACCEPT 
-A RH-Firewall-1-INPUT -s <server2> -p tcp --dport 1521 -j ACCEPT 
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 1158 -j ACCEPT 
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited 
COMMIT

So all local traffic will be accepted (the -i lo line), the 2 servers needed will be accepted (by calling them out specifically), and everything else (for 1521) will fall through to the reject line.

-- 
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list

[Index of Archives]     [CentOS]     [Kernel Development]     [PAM]     [Fedora Users]     [Red Hat Development]     [Big List of Linux Books]     [Linux Admin]     [Gimp]     [Asterisk PBX]     [Yosemite News]     [Red Hat Crash Utility]


  Powered by Linux