Hi! I tried using these rules. My iptables rules look like below (check the bold part). If I use this I can login to the database only through the Database server, but not through the Application server. Please let me know if I missed anything important here.

-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type timestamp-request -j REJECT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type timestamp-reply -j REJECT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 514 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 1521 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 1158 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -s 148.147.172.226 -p tcp --dport 1521 -j ACCEPT
-A INPUT -s 148.147.172.227 -p tcp --dport 1521 -j ACCEPT
-A INPUT -j DROP
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Tue Jan 29 10:32:53 2008

On Tue, Apr 7, 2009 at 5:14 PM, Geofrey Rainey <Geofrey.Rainey@xxxxxxxxxx> wrote:
> I don't understand what the big problem is, am I missing something?
>
> Here's what you need to do:
>
> iptables -A INPUT -s SERVERA -p tcp --dport 1521 -j ACCEPT
> iptables -A INPUT -s SERVERB -p tcp --dport 1521 -j ACCEPT
> <ADD OTHER RULES HERE>
> iptables -A INPUT -j DROP
>
> Regards,
> Geoff.
>
> -----Original Message-----
> From: redhat-list-bounces@xxxxxxxxxx [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of Rohit khaladkar
> Sent: Tuesday, 7 April 2009 11:31 p.m.
> To: General Red Hat Linux discussion list
> Subject: Re: Need to block port 1521 for all machines except one.
>
> I can access the port from other machines too.
> There are two machines:
> Server A: Application Host
> Server B: Database server
>
> The requirement here is to have access to the oracle database, which uses port 1521, only to these two machines. So the rules should be such that 1521 should be blocked to all other servers EXCEPT for these two machines (Server A and Server B).
>
> Please let me know if you need any more information.
>
> Appreciate all the help provided.
>
> Thanks!
> Rohit Khaladkar
>
> On Tue, Apr 7, 2009 at 4:32 PM, Marti, Rob <RJM002@xxxxxxxx> wrote:
>
> > From: redhat-list-bounces@xxxxxxxxxx [redhat-list-bounces@xxxxxxxxxx] On Behalf Of Rohit khaladkar [rohit.khaladkar@xxxxxxxxx]
> > Sent: Tuesday, April 07, 2009 02:05
> > To: General Red Hat Linux discussion list
> > Subject: Re: Need to block port 1521 for all machines except one.
> >
> > Hi! I tried with these rules, but it doesn't work. Is there something that we are missing in here?
> >
> > On Mon, Apr 6, 2009 at 9:44 PM, Marti, Rob <RJM002@xxxxxxxx> wrote:
> >
> > > -----Original Message-----
> > > From: redhat-list-bounces@xxxxxxxxxx [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of Rohit khaladkar
> > > Sent: Monday, April 06, 2009 11:08 AM
> > > To: General Red Hat Linux discussion list
> > > Subject: Re: Need to block port 1521 for all machines except one.
> > >
> > > Thanks a lot!
> > >
> > > Here they are:
> > > -A INPUT -j RH-Firewall-1-INPUT
> > > -A FORWARD -j RH-Firewall-1-INPUT
> > > -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> > > -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type timestamp-request -j REJECT
> > > -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type timestamp-reply -j REJECT
> > > -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
> > > -A RH-Firewall-1-INPUT -p esp -j ACCEPT
> > > -A RH-Firewall-1-INPUT -p ah -j ACCEPT
> > > -A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
> > > -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
> > > -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
> > > -A RH-Firewall-1-INPUT -p udp -m udp --dport 514 -j ACCEPT
> > > -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> > > -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 1521 -j ACCEPT
> > > -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 1158 -j ACCEPT
> > > -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
> > > -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
> > > COMMIT
> > >
> > > On Mon, Apr 6, 2009 at 9:21 PM, Barry Brimer <lists@xxxxxxxxxx> wrote:
> > >
> > > > iptables -A INPUT -s <ip address of first machine you want to allow> -p tcp --dport 1521 -j ACCEPT
> > > > iptables -A INPUT -s <ip address of second machine you want to allow> -p tcp --dport 1521 -j ACCEPT
> > > > <continue as needed>
> > > > iptables -A INPUT -p tcp --dport 1521 -j DROP
> > > >
> > > > Quoting Rohit khaladkar <rohit.khaladkar@xxxxxxxxx>:
> > > >
> > > > > Hi! You found that right. There were other iptable rules that were conflicting. The following command worked.
> > > > >
> > > > > iptables -A INPUT -s $1 -p tcp --dport 1521 -j ACCEPT
> > > > > iptables -A INPUT -p tcp --dport 1521 -j DROP
> > > > >
> > > > > But the problem the command gave me is I can't access the database from the database server itself.
> > > > >
> > > > > Is there any way out we can modify this command to work for two machines?
> > > > >
> > > > > Thanks!
> > > > > Rohit Khaladkar
> > > > >
> > > > > On Tue, Mar 31, 2009 at 5:21 PM, Barry Brimer <lists@xxxxxxxxxx> wrote:
> > > > >
> > > > > >> Hi All, As a security measure, I need to block port 1521 on the database
> > > > > >> server, which is used by Oracle, for all machines except one. I tried using
> > > > > >> the following commands to block the port, but for some reason it is not
> > > > > >> working. Can someone please help me.
> > > > > >>
> > > > > >> iptables -A INPUT -s $1 -p tcp --dport 1521 -j ACCEPT
> > > > > >> iptables -A INPUT -p tcp --dport 1521 -j DROP
> > > > > >>
> > > > > >> where $1 is the machine name or ip address of the machine which needs access to the port.
> > > > > >>
> > > > > > I can't help but notice that you are using -A to append rules at the end of your existing INPUT chain. Are there other firewall rules above these rules that would be accepting the traffic before these rules are even hit?
> > > > > >
> > > > > > --
> > > > > > redhat-list mailing list
> > > > > > unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
> > > > > > https://www.redhat.com/mailman/listinfo/redhat-list
> > >
> > > That makes no sense - even ignoring the first line (the -i lo -j ACCEPT one), you said that oracle won't accept connections from the local box?
> > >
> > > This is what I would set it to:
> > >
> > > -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> > > -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type timestamp-request -j REJECT
> > > -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type timestamp-reply -j REJECT
> > > -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
> > > -A RH-Firewall-1-INPUT -p esp -j ACCEPT
> > > -A RH-Firewall-1-INPUT -p ah -j ACCEPT
> > > -A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
> > > -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
> > > -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
> > > -A RH-Firewall-1-INPUT -p udp -m udp --dport 514 -j ACCEPT
> > > -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> > > -A RH-Firewall-1-INPUT -s <server1> -p tcp --dport 1521 -j ACCEPT
> > > -A RH-Firewall-1-INPUT -s <server2> -p tcp --dport 1521 -j ACCEPT
> > > -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 1158 -j ACCEPT
> > > -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
> > > -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
> > > COMMIT
> > >
> > > So all local traffic will be accepted (the -i lo line), the 2 servers needed will be accepted (by calling them out specifically), and everything else (for 1521) will fall through to the reject line.
> >
> > Define "doesn't work".
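What follows is an added example, not part of the mailing-list thread and not any poster's code. It is a small Python model of iptables first-match evaluation that replays the two rule layouts discussed above: the one in the latest post (per-host ACCEPTs appended to INPUT below the jump into RH-Firewall-1-INPUT, with the generic 1521 ACCEPT commented out) and Rob Marti's (the same ACCEPTs inside RH-Firewall-1-INPUT ahead of its closing REJECT). It assumes the standard `-A INPUT -j RH-Firewall-1-INPUT` jump shown in the earlier paste is still in place, reuses the two addresses from the thread, and leaves out the ICMP, IPsec, mDNS, CUPS and syslog rules, which cannot match a TCP/1521 packet and so do not change the outcome. The `unreachable()` check is the kind of sanity test worth running on any chain layout before relying on it.

```python
"""Model of iptables first-match evaluation for a subset of iptables-save syntax.

Added example (not code from the thread). Shows why rules appended to INPUT
below an unconditional jump into RH-Firewall-1-INPUT are never evaluated (that
chain ends in an unconditional REJECT, so nothing returns to INPUT), and that
the per-host ACCEPTs placed inside RH-Firewall-1-INPUT ahead of the REJECT do
what the thread wants. Modelled options: -A, -i, -s, -p, --dport, --state, -j.
"""
import shlex

TERMINAL = {"ACCEPT", "DROP", "REJECT"}
MATCH_KEYS = ("iface", "src", "proto", "dport", "states")
SIMPLE = {"-A": "chain", "-i": "iface", "-s": "src", "-p": "proto", "-j": "target"}

# Addresses as posted in the thread. A client on the DB box itself arrives on 'lo'.
APP_SERVER = "148.147.172.226"
DB_SERVER = "148.147.172.227"


def parse_rule(line):
    """Turn one '-A CHAIN <matches> -j TARGET' line into a dict."""
    toks = shlex.split(line)
    rule = {}
    for i in range(0, len(toks), 2):          # every option we model takes one value
        opt, val = toks[i], toks[i + 1]
        if opt in SIMPLE:
            rule[SIMPLE[opt]] = val
        elif opt == "--dport":
            rule["dport"] = int(val)
        elif opt == "--state":
            rule["states"] = set(val.split(","))
        elif opt not in ("-m", "--reject-with"):   # module loads / reject type do not affect matching
            raise ValueError(f"unsupported option {opt!r} in {line!r}")
    return rule


def load(lines):
    return [parse_rule(line) for line in lines]


def packet(src, dport=1521, iface="eth0", state="NEW", proto="tcp"):
    """A constructed packet, as conntrack would classify it on arrival."""
    return {"src": src, "dport": dport, "iface": iface, "state": state, "proto": proto}


def matches(rule, pkt):
    """Every criterion present in the rule must fit the packet."""
    return all(
        (pkt["state"] in rule["states"]) if key == "states" else (pkt[key] == rule[key])
        for key in MATCH_KEYS if key in rule
    )


def _walk(rules, pkt, chain):
    """Evaluate a chain top to bottom; None means 'fell off the end' (implicit RETURN)."""
    for rule in rules:
        if rule["chain"] != chain or not matches(rule, pkt):
            continue
        if rule["target"] in TERMINAL:
            return rule["target"]
        decided = _walk(rules, pkt, rule["target"])   # jump into a user chain
        if decided is not None:
            return decided
    return None


def verdict(rules, pkt, policy="ACCEPT"):
    """Fate of a packet entering INPUT; the built-in policy applies if nothing matched."""
    decided = _walk(rules, pkt, "INPUT")
    return policy if decided is None else decided


def _always_terminates(rules, chain):
    """True if an unconditional rule in this chain ends evaluation for every packet."""
    for rule in rules:
        if rule["chain"] == chain and not any(k in rule for k in MATCH_KEYS):
            if rule["target"] in TERMINAL or _always_terminates(rules, rule["target"]):
                return True
    return False


def unreachable(rules):
    """Rules sitting below an unconditional, always-terminating rule in their chain."""
    closed, dead = set(), []
    for rule in rules:
        if rule["chain"] in closed:
            dead.append(rule)
        elif not any(k in rule for k in MATCH_KEYS) and (
            rule["target"] in TERMINAL or _always_terminates(rules, rule["target"])
        ):
            closed.add(rule["chain"])
    return dead


RH_HEAD = [
    "-A RH-Firewall-1-INPUT -i lo -j ACCEPT",
    "-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT",
]
RH_TAIL = [
    "-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 1158 -j ACCEPT",
    "-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT",
    "-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited",
]

# Layout from the latest post: per-host ACCEPTs and a DROP appended to INPUT
# below the jump into the RH chain (which never returns), 1521 ACCEPT commented out.
AS_POSTED = [
    "-A INPUT -j RH-Firewall-1-INPUT",
    *RH_HEAD, *RH_TAIL,
    f"-A INPUT -s {APP_SERVER} -p tcp --dport 1521 -j ACCEPT",
    f"-A INPUT -s {DB_SERVER} -p tcp --dport 1521 -j ACCEPT",
    "-A INPUT -j DROP",
]

# Layout Rob Marti suggested: per-host ACCEPTs inside the RH chain, ahead of the
# catch-all REJECT, so any other source hitting 1521 falls through and is refused.
FIXED = [
    "-A INPUT -j RH-Firewall-1-INPUT",
    *RH_HEAD,
    f"-A RH-Firewall-1-INPUT -s {APP_SERVER} -p tcp -m state --state NEW -m tcp --dport 1521 -j ACCEPT",
    f"-A RH-Firewall-1-INPUT -s {DB_SERVER} -p tcp -m state --state NEW -m tcp --dport 1521 -j ACCEPT",
    *RH_TAIL,
]

if __name__ == "__main__":
    for name, lines in (("as posted", AS_POSTED), ("fixed", FIXED)):
        rules = load(lines)
        print(f"[{name}] app server -> 1521: {verdict(rules, packet(APP_SERVER))}")
        print(f"[{name}] other host -> 1521: {verdict(rules, packet('10.9.8.7'))}")
        print(f"[{name}] unreachable rules: {len(unreachable(rules))}")
```

On a real box the same thing is visible without a model: `iptables -L INPUT -v -n --line-numbers` lists rules in evaluation order with packet counters, and a rule whose counters never move while its traffic is being refused is one that sits below a terminating rule. Note also that `-A` appends at the bottom, so where a rule must sit above an existing catch-all the practical choices are `-I CHAIN <n>` or rewriting the saved rule file in the right order.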