Restrict access to a particular server.

Ryan Golhar golharam at umdnj.edu
Mon Oct 20 14:47:25 UTC 2008


Ah, didn't read the first part of the email.  My bad.

Marti, Rob wrote:
> Not sure Oracle allows tcpwrappers...
> 
> Rob Marti
> 
> I'd do -A INPUT -s !machine_A -p tcp --dport 1521 -j DROP
> If you're only ever going to give one box access to the database.
> 
> -----Original Message-----
> From: redhat-list-bounces at redhat.com [mailto:redhat-list-bounces at redhat.com] On Behalf Of Ryan Golhar
> Sent: Monday, October 20, 2008 8:58 AM
> To: General Red Hat Linux discussion list
> Subject: Re: Restrict access to a particular server.
> 
> Why not use hosts.allow/hosts.deny from xinetd?  I allow port 22 access
> via iptables, but use xinetd to restrict access by host.  The reason for
> this is there seems to be a lot of spoofing attempts.
> 
> Rohit khaladkar wrote:
>> Great! This helps!! Thanks a lot!!
>> Rohit
>>
>> On Mon, Oct 20, 2008 at 3:45 PM, Stephen Gilbert <linuxelf at gmail.com> wrote:
>>
>>> You can either set your default policy to drop
>>>
>>> iptables -P INPUT DROP
>>>
>>> This would drop all packets from all servers by default.  Then the
>>>
>>> iptables -A INPUT -s machine_A -p tcp --dport 1521 -j ACCEPT
>>>
>>> would accept only packets from machine_A into Oracle.
>>>
>>> You may want to add a few more ports, such as 22 for ssh access.
>>>
>>> Alternately, you could add
>>>
>>> iptables -A INPUT -s machine_A -p tcp --dport 1521 -j ACCEPT
>>> iptables -A INPUT -p tcp --dport 1521 -j DROP
>>>
>>> Basically, this says machine A can hit 1521, but anyone else that
>>> tries, just drop the packet.
>>>
>>> Rohit khaladkar wrote:
>>>> Thanks Geoff!! This would definitely help. So can there be a master
>>>> rule which would prevent all IP addresses except one (machine A)?
>>>> Thanks!
>>>> Rohit
>>>>
>>>> On Mon, Oct 20, 2008 at 2:07 PM, Geofrey Rainey
>>>> <Geofrey.Rainey at tvnz.co.nz>wrote:
>>>>
>>>>
>>>>> You want something like this:
>>>>>
>>>>> iptables -A INPUT -s machine_A -p tcp --dport 1521 -j ACCEPT
>>>>>
>>>>> This rule means allow access to port 1521 from IP machine_A.
>>>>> Of course this rule alone will not prevent all-and-sundry from
>>>>> connecting to the server on any port, so you'll need to add many
>>>>> more rules to secure your server.
>>>>>
>>>>> Regards,
>>>>> Geoff.
>>>>>
>>>>> -----Original Message-----
>>>>> From: redhat-list-bounces at redhat.com
>>>>> [mailto:redhat-list-bounces at redhat.com] On Behalf Of Rohit
>>>>> khaladkar
>>>>> Sent: Monday, 20 October 2008 8:10 p.m.
>>>>> To: General Red Hat Linux discussion list
>>>>> Subject: Restrict access to a particular server.
>>>>>
>>>>> Hi All, I have two machines with Red Hat Linux 5.2 installed, of
>>>>> which one is a database server running Oracle 10.0.4 on it. I need
>>>>> an iptables rule which would make sure that only the other machine
>>>>> would have access to it.
>>>>>
>>>>> For eg: If I have two machines, machine A and machine B, of which
>>>>> machine B is a database server, can I set up an iptables rule on
>>>>> machine B which would allow access to the database only by machine A.
>>>>>
>>>>> Please help.
>>>>>
>>>>> Thanks!
>>>>> Rohit Khaladkar
>>>>> --
>>>>> redhat-list mailing list
>>>>> unsubscribe
>>>>> mailto:redhat-list-request at redhat.com?subject=unsubscribe
>>>>> https://www.redhat.com/mailman/listinfo/redhat-list
> 
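The thread converges on one design: an ACCEPT rule for machine A on TCP 1521, an explicit DROP for everyone else on that port, and a default-deny INPUT policy with SSH kept open. The following script assembles those pieces into one ordered rule set; it is an added example, not anything posted in the thread. `MACHINE_A` (192.0.2.10) and `ADMIN_NET` (192.0.2.0/24) are constructed placeholder addresses from the RFC 5737 TEST-NET-1 range, and the script name `oracle_fw.sh` is hypothetical. Two details the one-liners in the thread leave out are included: an ESTABLISHED,RELATED rule, without which a default-DROP policy also kills replies to the server's own outbound connections, and a rate-limited LOG rule in front of the DROP so that refused connection attempts to the listener show up in the kernel log. The policy is switched to DROP as the last step, because doing it first (as in the `iptables -P INPUT DROP` first, `-A ... ACCEPT` second ordering) would cut off the SSH session used to run the commands. Note also that current iptables releases spell the negated source as `! -s machine_A` rather than `-s !machine_A`.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the iptables rule set that
# lets only MACHINE_A reach Oracle's listener on TCP 1521, keeps SSH open from
# an admin network, and drops everything else on INPUT.
# MACHINE_A and ADMIN_NET are constructed placeholders (RFC 5737 TEST-NET-1);
# override them in the environment before applying.
#   sh oracle_fw.sh          -> print the rules
#   sh oracle_fw.sh apply    -> run them (needs root)

MACHINE_A="${MACHINE_A:-192.0.2.10}"
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"
ORACLE_PORT="${ORACLE_PORT:-1521}"

# Emit the rules, one command per line, in the order they must be applied.
# The default policy is flipped to DROP only after the ACCEPT rules exist,
# so an SSH session used to run this is not cut off halfway through.
oracle_rules() {
    cat <<EOF
iptables -P INPUT ACCEPT
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s ${ADMIN_NET} -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s ${MACHINE_A} -p tcp --dport ${ORACLE_PORT} -j ACCEPT
iptables -A INPUT -p tcp --dport ${ORACLE_PORT} -m limit --limit 5/min -j LOG --log-prefix "ORACLE-DENIED: "
iptables -A INPUT -p tcp --dport ${ORACLE_PORT} -j DROP
iptables -P INPUT DROP
EOF
}

# Number of commands in the rule set (a sanity check before applying).
rule_count() {
    oracle_rules | wc -l | tr -d ' '
}

# 1-based position of the first rule matching a pattern, or 0 if absent.
# Used to check that the ACCEPT for MACHINE_A precedes the catch-all DROP.
rule_index() {
    idx=$(oracle_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1)
    echo "${idx:-0}"
}

# Run the rule set through the shell, stopping at the first failing command.
apply_rules() {
    oracle_rules | sh -e
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
else
    oracle_rules
fi
```

Run it without arguments first and read the output; apply it only from a console or from an SSH session that originates inside `ADMIN_NET`. On RHEL 5 the live rule set does not survive a reboot until `service iptables save` writes it to /etc/sysconfig/iptables. Once applied, denied attempts against the listener appear in the kernel log with the `ORACLE-DENIED:` prefix, which gives a simple signal for the spoofing attempts mentioned earlier in the thread.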