RE: Need to block port 1521 for all machines except one.

From: redhat-list-bounces@xxxxxxxxxx [redhat-list-bounces@xxxxxxxxxx] On Behalf Of Rohit khaladkar [rohit.khaladkar@xxxxxxxxx]
Sent: Tuesday, April 07, 2009 02:05
To: General Red Hat Linux discussion list
Subject: Re: Need to block port 1521 for all machines except one.

Hi! I tried with these rules, but it doesn't work. Is there something that we
are missing in here?

On Mon, Apr 6, 2009 at 9:44 PM, Marti, Rob <RJM002@xxxxxxxx> wrote:

> -----Original Message-----
> From: redhat-list-bounces@xxxxxxxxxx [mailto:
> redhat-list-bounces@xxxxxxxxxx] On Behalf Of Rohit khaladkar
> Sent: Monday, April 06, 2009 11:08 AM
> To: General Red Hat Linux discussion list
> Subject: Re: Need to block port 1521 for all machines except one.
>
> Thanks a lot!
>
> Here they are :
> -A INPUT -j RH-Firewall-1-INPUT
> -A FORWARD -j RH-Firewall-1-INPUT
> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type timestamp-request -j REJECT
> -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type timestamp-reply -j REJECT
> -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
> -A RH-Firewall-1-INPUT -p esp -j ACCEPT
> -A RH-Firewall-1-INPUT -p ah -j ACCEPT
> -A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp -m udp --dport 514 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 1521 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 1158 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
> COMMIT
>
>
> On Mon, Apr 6, 2009 at 9:21 PM, Barry Brimer <lists@xxxxxxxxxx> wrote:
>
> >
> > iptables -A INPUT -s <ip address of first machine you want to allow> -p tcp --dport 1521 -j ACCEPT
> > iptables -A INPUT -s <ip address of second machine you want to allow> -p tcp --dport 1521 -j ACCEPT
> > <continue as needed>
> > iptables -A INPUT -p tcp --dport 1521 -j DROP
> >
> > Quoting Rohit khaladkar <rohit.khaladkar@xxxxxxxxx>:
> >
> > > Hi! You found that right. There were other iptables rules that were
> > > conflicting. The following command worked.
> > >
> > > iptables -A INPUT -s $1 -p tcp --dport 1521 -j ACCEPT
> > > iptables -A INPUT -p tcp --dport 1521 -j DROP
> > >
> > >
> > > But the problem the command gave me is I can't access the database from the
> > > database server itself.
> > >
> > > Is there any way out we can modify this command to work for two machines?
> > >
> > >
> > > Thanks!
> > > Rohit Khaladkar
> > >
> > > On Tue, Mar 31, 2009 at 5:21 PM, Barry Brimer <lists@xxxxxxxxxx> wrote:
> > >
> > > >> Hi All, As a security measure, I need to block port 1521 on the database
> > > >> server, which is used by Oracle, for all machines except one. I tried using
> > > >> the following commands to block the port, but for some reason it is not
> > > >> working. Can someone please help me.
> > > >>
> > > >>
> > > >> iptables -A INPUT -s $1 -p tcp --dport 1521 -j ACCEPT
> > > >> iptables -A INPUT -p tcp --dport 1521 -j DROP
> > > >>
> > > >> where $1 is the machine name or IP address of the machine which needs access
> > > >> to the port.
> > > >>
> > > >
> > > > I can't help but notice that you are using -A to append rules at the end of
> > > > your existing INPUT chain.  Are there other firewall rules above these rules
> > > > that would be accepting the traffic before these rules are even hit?
> > > >
> > > >
> > > > --
> > > > redhat-list mailing list
> > > > unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
> > > > https://www.redhat.com/mailman/listinfo/redhat-list
> > > >
> --------------------------------------------------------------------------
> That makes no sense. Even ignoring the first line (the -i lo -j ACCEPT one),
> you said that Oracle won't accept connections from the local box?
>
> This is what I would set it to:
>
> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type timestamp-request -j REJECT
> -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type timestamp-reply -j REJECT
> -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
> -A RH-Firewall-1-INPUT -p esp -j ACCEPT
> -A RH-Firewall-1-INPUT -p ah -j ACCEPT
> -A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp -m udp --dport 514 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A RH-Firewall-1-INPUT -s <server1> -p tcp --dport 1521 -j ACCEPT
> -A RH-Firewall-1-INPUT -s <server2> -p tcp --dport 1521 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 1158 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
> COMMIT
>
> So all local traffic will be accepted (the -i lo line), the 2 servers
> needed will be accepted (by calling them out specifically), and everything
> else (for 1521) will fall through to the reject line.
>
--------------------------------------------------------------------------------------------------
Define "doesn't work".

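A way to see why the rules Rohit appended never fire and why Rob's reordering does what the thread wants, as an added example (my own code, not from any of the posts): it parses the quoted rulesets in iptables-save format and replays three probe connections through them with the same first-match semantics netfilter uses. The permitted servers 10.0.0.11 and 10.0.0.12 (standing in for <server1>/<server2>) and the outside client 10.0.0.99 are constructed addresses, and both rulesets are abridged to the rules that matter for port 1521.

```python
"""First-match simulation of the iptables rulesets in this thread (added example,
not code from any list post). '-A CHAIN ... -j TARGET' lines are parsed and walked
the way netfilter does: first matching rule wins, a user chain that runs off its
end returns to the caller, and -A puts a rule after everything already in the
chain. 10.0.0.11/10.0.0.12 (the permitted servers) and 10.0.0.99 are constructed."""
import ipaddress
import shlex

TERMINAL = {"ACCEPT", "DROP", "REJECT"}

# iptables match option -> (argument -> predicate on a packet dict)
MATCHERS = {
    "-i": lambda a: lambda p: p["iface"] == a,
    "-p": lambda a: lambda p: p["proto"] == a,
    "-s": lambda a: lambda p: ipaddress.ip_address(p["src"]) in ipaddress.ip_network(a, strict=False),
    "--dport": lambda a: lambda p: p["dport"] == int(a),
    "--state": lambda a: lambda p: p["state"] in a.split(","),
}


def packet(src, dport, iface="eth0", proto="tcp", state="NEW"):
    """A probe packet as netfilter would see it at INPUT."""
    return {"src": src, "dport": dport, "iface": iface, "proto": proto, "state": state}


def parse_rules(text):
    """{chain: [rule, ...]} in file order; lines other than '-A' (e.g. COMMIT) are skipped."""
    chains = {}
    for line in text.strip().splitlines():
        toks = shlex.split(line)
        if not toks or toks[0] != "-A":
            continue
        rule = {"text": line.strip(), "target": None, "preds": []}
        for opt, arg in zip(toks[2::2], toks[3::2]):  # every option here takes one argument
            if opt == "-j":
                rule["target"] = arg
            elif opt in MATCHERS:
                rule["preds"].append(MATCHERS[opt](arg))
            # -m, -d, --icmp-type, --reject-with: nothing the probes below depend on
        chains.setdefault(toks[1], []).append(rule)
    return chains


def decide(chains, pkt, chain="INPUT", policy="ACCEPT"):
    """Return (verdict, text of the rule that decided); built-in chains fall back to policy."""
    for rule in chains.get(chain, []):
        if not all(pred(pkt) for pred in rule["preds"]):
            continue
        if rule["target"] in TERMINAL:
            return rule["target"], rule["text"]
        sub = decide(chains, pkt, rule["target"], policy=None)
        if sub[0] is not None:  # the user chain decided; otherwise keep walking this one
            return sub
    return policy, None


# Posted RH ruleset (abridged) plus the two rules Rohit appended to INPUT: they land
# after the jump, and the open 1521 ACCEPT inside the user chain fires first.
POSTED = """
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 1521 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -s 10.0.0.11 -p tcp --dport 1521 -j ACCEPT
-A INPUT -p tcp --dport 1521 -j DROP
"""

# Rob's reordering (abridged): per-source ACCEPTs replace the open 1521 rule.
REORDERED = """
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.0.0.11 -p tcp --dport 1521 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.0.0.12 -p tcp --dport 1521 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
"""

PROBES = {
    "allowed-client": packet("10.0.0.11", 1521),
    "other-client": packet("10.0.0.99", 1521),
    "local-sqlplus": packet("127.0.0.1", 1521, iface="lo"),
}


def run(ruleset):
    """Verdict per probe, e.g. run(REORDERED)['other-client'] == 'REJECT'."""
    chains = parse_rules(ruleset)
    return {name: decide(chains, pkt)[0] for name, pkt in PROBES.items()}


if __name__ == "__main__":
    for label, rs in (("posted+appended", POSTED), ("reordered", REORDERED)):
        for name, pkt in PROBES.items():
            print(label, name, *decide(parse_rules(rs), pkt))
```

With the posted ruleset every probe comes back ACCEPT, decided by the open `--dport 1521 -j ACCEPT` line, so the DROP appended to INPUT is never consulted; with the reordering only the listed sources and loopback get through and 10.0.0.99 hits the final REJECT. On the real box the equivalent check is `iptables -L RH-Firewall-1-INPUT -n -v --line-numbers`, whose per-rule packet counters show which rule a test connection actually matched, and `iptables-save`, which prints the chains in evaluation order; an `nc -zv <dbhost> 1521` from a non-listed host should then fail immediately rather than connect.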
