Opening ports

Rick Stevens rstevens at vitalstream.com
Fri Dec 16 19:12:19 UTC 2005


On Fri, 2005-12-16 at 01:00 +0000, jlopes151 at comcast.net wrote:
> -------------- Original message --------------
> From: Rick Stevens <rstevens at vitalstream.com>
>
> > On Thu, 2005-12-15 at 21:03 +0000, jlopes151 at comcast.net wrote:
> > > > > I have RHEL 4 installed and want to open ports for an Oracle 10g
> > > > > install. Does anyone know where I can find information on how this
> > > > > is done?
> > > >
> > > > I'm not certain which ports Oracle uses for network communication. It's
> > > > undoubtedly buried in the system documentation somewhere.
> > > >
> > > > Once you find those, you'll need to have them "-j ACCEPT" in your
> > > > iptables configuration.
> > > >
> > > > If you're not familiar with iptables config files, I recommend you use
> > > > either "redhat-config-securitylevel" (Desktop->System Settings->Security
> > > > Level) or something like Firestarter, available for free from
> > > > http://firestarter.sourceforge.net.
> > > >
> > >
> > > Thanks Rick
> > >
> > > Some of the ports ex:HTTP have a range 5500-5540
> >
> > Ah, then some of your config lines would have something like:
> >
> > -A INPUT -p tcp -s 0.0.0.0/0 --dport 5500:5540 -j ACCEPT
> >
> > You might want to restrict the "-s 0.0.0.0/0" to a more reasonable
> > range for the machines you want to have access. The one above opens
> > you up to connections coming from anywhere.
> >
> > > Thanks for the help
> >
> > No worries, mate!
> >
> So to set the range for, say, the local machine and the next in
> the range, I would do -s 1.2.3.4/5?

Uhm, no.  That's CIDR notation (the basic network, slash, number of
consecutive 1 bits in the netmask).  For example, if you had a network
of 192.168.0.0 through 192.168.0.255, you might write that as
"192.168.0.0 netmask 255.255.255.0".  The CIDR notation would be
"192.168.0.0/24" (meaning that there are 24 consecutive 1 bits in the
netmask).

If you have just two client machines, it'd be better to add each
one as a separate line...CIDR notation admits subnets, not individual
machines.

Using the above network as an example, to admit two client machines,
you'd add lines like:

	-A INPUT -p tcp -s 192.168.0.35 --dport 5500:5540 -j ACCEPT
	-A INPUT -p tcp -s 192.168.0.36 --dport 5500:5540 -j ACCEPT

which would only allow incoming Oracle connections from the .35 and .36
machines (no "/xx" value indicates that you're specifying an entire
IP address, not a network).

You don't need to include the SERVER in these rules, only the machines
that are trying to connect TO the server.

----------------------------------------------------------------------
- Rick Stevens, Senior Systems Engineer     rstevens at vitalstream.com -
- VitalStream, Inc.                       http://www.vitalstream.com -
-                                                                    -
-      A day for firm decisions!!!   Well, then again, maybe not!    -
----------------------------------------------------------------------
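The following POSIX shell script is an added example and is not part of the thread or of Rick's reply. It makes the CIDR point above concrete: a bare address such as "192.168.0.35" is treated as a single host (/32), "192.168.0.0/24" covers 256 addresses, and the "1.2.3.4/5" the questioner proposed would admit a vast range of addresses. It also emits the per-host ACCEPT rules for the 5500-5540 port range in the form shown above, rather than applying them with iptables (which would need root and a real ruleset). The function names (ip_to_int, cidr_contains, cidr_size, oracle_rules) and the client addresses are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original thread): CIDR membership checks and
# per-host iptables ACCEPT rules for the Oracle port range discussed above.
# Hosts and addresses below are constructed sample values.

# Convert a dotted quad (e.g. 192.168.0.35) into a 32-bit integer.
ip_to_int() {
    _old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$_old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Netmask for a prefix length 0..32, as a 32-bit integer
# (/24 -> 255.255.255.0, i.e. 24 consecutive 1 bits).
prefix_to_mask() {
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# cidr_contains NET[/PREFIX] ADDR -> exit 0 if ADDR lies inside the block.
# A bare address with no "/xx" is treated as /32, a single host, which is
# exactly how iptables reads "-s 192.168.0.35".
cidr_contains() {
    case $1 in
        */*) _net=${1%/*}; _prefix=${1#*/} ;;
        *)   _net=$1;      _prefix=32 ;;
    esac
    _mask=$(prefix_to_mask "$_prefix")
    [ $(( $(ip_to_int "$_net") & $_mask )) -eq $(( $(ip_to_int "$2") & $_mask )) ]
}

# Number of addresses a NET/PREFIX covers; shows how wide "/5" really is.
cidr_size() {
    echo $(( 1 << (32 - ${1#*/}) ))
}

# oracle_rules HOST... -> one ACCEPT rule per client host for 5500-5540,
# the per-host form recommended above instead of a CIDR guess.
oracle_rules() {
    for _host in "$@"; do
        printf '%s -s %s --dport 5500:5540 -j ACCEPT\n' "-A INPUT -p tcp" "$_host"
    done
}

# Demonstration with constructed values.
echo "Rules admitting two client hosts:"
oracle_rules 192.168.0.35 192.168.0.36
echo "Addresses covered by 192.168.0.0/24: $(cidr_size 192.168.0.0/24)"
echo "Addresses covered by 1.2.3.4/5:      $(cidr_size 1.2.3.4/5)"
```

Run it as a plain script to see the two rules and the block sizes; the generated lines are what would go into the iptables configuration file, one per client, so the server's own address never needs to appear.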
