Opening ports
Rick Stevens
rstevens at vitalstream.com
Fri Dec 16 19:12:19 UTC 2005
On Fri, 2005-12-16 at 01:00 +0000, jlopes151 at comcast.net wrote:
> -------------- Original message --------------
> From: Rick Stevens <rstevens at vitalstream.com>
>
> > On Thu, 2005-12-15 at 21:03 +0000, jlopes151 at comcast.net wrote:
> > > > > I have RHEL 4 installed and want to open ports for an Oracle 10g
> > > > > install. Does anyone know where I can find information on how this
> > > > > is done?
> > > >
> > > > I'm not certain which ports Oracle uses for network communication.
> > > > It's undoubtedly buried in the system documentation somewhere.
> > > >
> > > > Once you find those, you'll need to have them "-j ACCEPT" in your
> > > > iptables configuration.
> > > >
> > > > If you're not familiar with iptables config files, I recommend you
> > > > use either "redhat-config-securitylevel" (Desktop->System
> > > > Settings->Security Level) or something like Firestarter, available
> > > > for free from http://firestarter.sourceforge.net.
> > > >
> > >
> > > Thanks Rick
> > >
> > > Some of the ports ex: HTTP have a range 5500-5540
> >
> > Ah, then some of your config lines would have something like:
> >
> > -A INPUT -p tcp -s 0.0.0.0/0 --dport 5500:5540 -j ACCEPT
> >
> > You might want to restrict the "-s 0.0.0.0/0" to a more reasonable
> > range for the machines you want to have access. The one above opens
> > you up to connections coming from anywhere.
> >
> > > Thanks for the help
> >
> > No worries, mate!
> >
> So to set the range for, say, the local machine and the next in
> the range I would do -s 1.2.3.4/5?
Uhm, no. That's a CIDR notation (the basic network, slash, number of
consecutive 1 bits in the netmask). For example, if you had a network
of 192.168.0.0 through 192.168.0.255, you might write that as
"192.168.0.0 netmask 255.255.255.0". The CIDR notation would be
"192.168.0.0/24" (meaning that there's 24 consecutive 1 bits in the
netmask).
If you have just two client machines, it'd be better to add each
one as a separate line...CIDR notation admits subnets, not individual
machines.
Using the above network as an example, to admit two client machines,
you'd add lines like:
-A INPUT -p tcp -s 192.168.0.35 --dport 5500:5540 -j ACCEPT
-A INPUT -p tcp -s 192.168.0.36 --dport 5500:5540 -j ACCEPT
which would only allow incoming Oracle connections from the .35 and .36
machines (no "/xx" value indicates that you're specifying an entire
IP address, not a network).
You don't need to include the SERVER in these rules, only the machines
that are trying to connect TO the server.
----------------------------------------------------------------------
- Rick Stevens, Senior Systems Engineer rstevens at vitalstream.com -
- VitalStream, Inc. http://www.vitalstream.com -
- -
- A day for firm decisions!!! Well, then again, maybe not! -
----------------------------------------------------------------------
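An added example, not part of the thread above: it uses Python's ipaddress module to show what an iptables "-s" value actually admits (the "1.2.3.4/5" in the question, the /24 in the reply, and a bare host address) and builds the per-host ACCEPT lines for the 5500-5540 range. The function names and the client addresses are assumptions chosen for the example.

```python
# Added example (not from the mailing-list thread): inspect what an iptables
# "-s" source argument covers and emit per-host rules for ports 5500-5540.
import ipaddress


def source_scope(spec: str) -> dict:
    """Describe what "-s spec" matches: the masked prefix and how many hosts."""
    # strict=False masks off host bits the way iptables does when it applies
    # the netmask, so "1.2.3.4/5" becomes the network 0.0.0.0/5.
    net = ipaddress.ip_network(spec, strict=False)
    return {
        "network": str(net),                 # prefix the rule really matches on
        "hosts": net.num_addresses,          # source addresses the rule admits
        "single_host": net.prefixlen == net.max_prefixlen,  # no "/xx" == one host
    }


def admits(spec: str, client: str) -> bool:
    """True if a client address would pass the "-s spec" source filter."""
    return ipaddress.ip_address(client) in ipaddress.ip_network(spec, strict=False)


def oracle_rules(clients, first: int = 5500, last: int = 5540) -> list:
    """One ACCEPT line per client host, as in the reply (hosts, not a subnet)."""
    rules = []
    for c in clients:
        host = ipaddress.ip_address(c)  # ValueError if a network is passed by mistake
        rules.append(f"-A INPUT -p tcp -s {host} --dport {first}:{last} -j ACCEPT")
    return rules


if __name__ == "__main__":
    # Constructed sample specs: the one from the question, the reply's /24,
    # and a single client host.
    for spec in ("0.0.0.0/0", "1.2.3.4/5", "192.168.0.0/24", "192.168.0.35"):
        print(spec, source_scope(spec))
    print("\n".join(oracle_rules(["192.168.0.35", "192.168.0.36"])))
```

Run it and the "hosts" count for 1.2.3.4/5 makes the point: a /5 admits over 134 million source addresses, not two machines.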