Need to block port 1521 for all machines except one.

Rohit khaladkar rohit.khaladkar at gmail.com
Tue Apr 7 12:47:22 UTC 2009


Hi! I tried using these rules. My iptables rules look like below (check the
bold part). If I use this I can login to the database only through the
Database server, but not through the Application server. Please let me know
if I missed anything important here.


-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type timestamp-request -j REJECT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type timestamp-reply -j REJECT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 514 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 1521 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 1158 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -s 148.147.172.226 -p tcp --dport 1521 -j ACCEPT
-A INPUT -s 148.147.172.227 -p tcp --dport 1521 -j ACCEPT
-A INPUT -j DROP
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Tue Jan 29 10:32:53 2008


On Tue, Apr 7, 2009 at 5:14 PM, Geofrey Rainey <Geofrey.Rainey at tvnz.co.nz> wrote:

> I don't understand what the big problem is, am I missing something?
>
> Here's what you need to do:
>
> iptables -A INPUT -s SERVERA -p tcp --dport 1521 -j ACCEPT
> iptables -A INPUT -s SERVERB -p tcp --dport 1521 -j ACCEPT
> <ADD OTHER RULES HERE>
> iptables -A INPUT -j DROP
>
> Regards,
> Geoff.
>
>
> -----Original Message-----
> From: redhat-list-bounces at redhat.com
> [mailto:redhat-list-bounces at redhat.com] On Behalf Of Rohit khaladkar
> Sent: Tuesday, 7 April 2009 11:31 p.m.
> To: General Red Hat Linux discussion list
> Subject: Re: Need to block port 1521 for all machines except one.
>
> I can access the port from other machines too.
> There are two machines:
> Server A: Application Host
> Server B: Database server
>
> The requirement here is to have access to the Oracle database, which uses
> port 1521, only to these two machines. So the rules should be such that
> 1521 should be blocked to all other servers EXCEPT for these two machines
> (Server A and Server B).
>
> Please let me know if you need any more information.
>
> Appreciate all the help provided.
>
> Thanks!
> Rohit Khaladkar
>
> On Tue, Apr 7, 2009 at 4:32 PM, Marti, Rob <RJM002 at shsu.edu> wrote:
>
> > From: redhat-list-bounces at redhat.com [redhat-list-bounces at redhat.com]
> > On Behalf Of Rohit khaladkar [rohit.khaladkar at gmail.com]
> > Sent: Tuesday, April 07, 2009 02:05
> > To: General Red Hat Linux discussion list
> > Subject: Re: Need to block port 1521 for all machines except one.
> >
> > Hi! I tried with these rules, but it doesn't work. Is there something
> > that we are missing in here.
> >
> > On Mon, Apr 6, 2009 at 9:44 PM, Marti, Rob <RJM002 at shsu.edu> wrote:
> >
> > > -----Original Message-----
> > > From: redhat-list-bounces at redhat.com [mailto:
> > > redhat-list-bounces at redhat.com] On Behalf Of Rohit khaladkar
> > > Sent: Monday, April 06, 2009 11:08 AM
> > > To: General Red Hat Linux discussion list
> > > Subject: Re: Need to block port 1521 for all machines except one.
> > >
> > > Thanks a lot!
> > >
> > > Here they are :
> > > -A INPUT -j RH-Firewall-1-INPUT
> > > -A FORWARD -j RH-Firewall-1-INPUT
> > > -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> > > -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type timestamp-request -j REJECT
> > > -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type timestamp-reply -j REJECT
> > > -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
> > > -A RH-Firewall-1-INPUT -p esp -j ACCEPT
> > > -A RH-Firewall-1-INPUT -p ah -j ACCEPT
> > > -A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
> > > -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
> > > -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
> > > -A RH-Firewall-1-INPUT -p udp -m udp --dport 514 -j ACCEPT
> > > -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> > > -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 1521 -j ACCEPT
> > > -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 1158 -j ACCEPT
> > > -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
> > > -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
> > > COMMIT
> > >
> > >
> > > On Mon, Apr 6, 2009 at 9:21 PM, Barry Brimer <lists at brimer.org> wrote:
> > >
> > > >
> > > > iptables -A INPUT -s <ip address of first machine you want to allow> -p tcp --dport 1521 -j ACCEPT
> > > > iptables -A INPUT -s <ip address of second machine you want to allow> -p tcp --dport 1521 -j ACCEPT
> > > > <continue as needed>
> > > > iptables -A INPUT -p tcp --dport 1521 -j DROP
> > > >
> > > > Quoting Rohit khaladkar <rohit.khaladkar at gmail.com>:
> > > >
> > > > > Hi! You found that right. There were other iptable rules that were
> > > > > conflicting. The following command worked.
> > > > >
> > > > > iptables -A INPUT -s $1 -p tcp --dport 1521 -j ACCEPT
> > > > > iptables -A INPUT -p tcp --dport 1521 -j DROP
> > > > >
> > > > >
> > > > > But the problem the command gave me is I can't access the database
> > > > > from the database server itself.
> > > > >
> > > > > Is there any way we can modify this command to work for two
> > > > > machines?
> > > > >
> > > > >
> > > > > Thanks!
> > > > > Rohit Khaladkar
> > > > >
> > > > > On Tue, Mar 31, 2009 at 5:21 PM, Barry Brimer <lists at brimer.org> wrote:
> > > > >
> > > > > > > Hi All, As a security measure, I need to block port 1521 on the
> > > > > > > database server, which is used by Oracle, for all machines except
> > > > > > > one. I tried using the following commands to block the port, but
> > > > > > > for some reason it is not working. Can someone please help me.
> > > > > > >
> > > > > > >
> > > > > > > iptables -A INPUT -s $1 -p tcp --dport 1521 -j ACCEPT
> > > > > > > iptables -A INPUT -p tcp --dport 1521 -j DROP
> > > > > > >
> > > > > > > where $1 is the machine name or ip address of the machine which
> > > > > > > needs access to the port.
> > > > > > >
> > > > > >
> > > > > > I can't help but notice that you are using -A to append rules at
> > > > > > the end of your existing INPUT chain.  Are there other firewall
> > > > > > rules above these rules that would be accepting the traffic before
> > > > > > these rules are even hit?
> > > > > >
> > > > > >
> > > > > > --
> > > > > > redhat-list mailing list
> > > > > > unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
> > > > > > https://www.redhat.com/mailman/listinfo/redhat-list
> > > > > >
> > > > >
> > > >
> > > >
> > > >
> > >
> >
> ------------------------------------------------------------------------
> > > That makes no sense - Even ignoring the first line (the -i lo -j ACCEPT
> > > one) you said that oracle won't accept connections from the local box?
> > >
> > > This is what I would set it to:
> > >
> > > -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> > > -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type timestamp-request -j REJECT
> > > -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type timestamp-reply -j REJECT
> > > -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
> > > -A RH-Firewall-1-INPUT -p esp -j ACCEPT
> > > -A RH-Firewall-1-INPUT -p ah -j ACCEPT
> > > -A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
> > > -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
> > > -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
> > > -A RH-Firewall-1-INPUT -p udp -m udp --dport 514 -j ACCEPT
> > > -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> > > -A RH-Firewall-1-INPUT -s <server1> -p tcp --dport 1521 -j ACCEPT
> > > -A RH-Firewall-1-INPUT -s <server2> -p tcp --dport 1521 -j ACCEPT
> > > -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 1158 -j ACCEPT
> > > -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
> > > -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
> > > COMMIT
> > >
> > > So all local traffic will be accepted (the -i lo line), the 2 servers
> > > needed will be accepted (by calling them out specifically), and
> > > everything else (for 1521) will fall through to the reject line.
> > >
> >
> >
> ------------------------------------------------------------------------
> > Define "doesn't work".
> >
>
>
>
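To see why rules appended to INPUT never fire in this setup, here is a small Python model of iptables chain traversal (an added example, not code from the list or from any poster). It assumes the `-A INPUT -j RH-Firewall-1-INPUT` jump from the earlier listing is present, uses the documentation address 192.0.2.10 in place of the application host, and models only the options that appear in this thread.

```python
# Trace a TCP SYN through a minimal model of iptables chain traversal
# (constructed example, not the list's own tooling). Only the options used
# in this thread are modelled: -A, -i, -s, -p, --dport, -m state --state, -j.
import shlex

OPTS = {"-i": "iface", "-s": "src", "-p": "proto", "--dport": "dport", "--state": "state"}

def parse_rules(text):
    """Return {chain: [(match, target), ...]} from iptables-save style lines."""
    chains = {}
    for line in text.splitlines():
        tok = shlex.split(line)
        if not tok or tok[0] != "-A":           # skips comments, COMMIT, blanks
            continue
        match = {OPTS[t]: tok[i + 1] for i, t in enumerate(tok) if t in OPTS}
        chains.setdefault(tok[1], []).append((match, tok[tok.index("-j") + 1]))
    return chains

def matches(match, pkt):
    # --state takes a comma list; every other modelled option is an exact value
    return all(pkt[k] in v.split(",") if k == "state" else pkt[k] == v
               for k, v in match.items())

def verdict(chains, chain, pkt):
    """First matching terminal target wins; a user chain that falls off its
    end returns None and traversal resumes in the calling chain."""
    for match, target in chains.get(chain, []):
        if not matches(match, pkt):
            continue
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        sub = verdict(chains, target, pkt)      # jump into a user-defined chain
        if sub is not None:
            return sub
    return None
# Constructed rulesets (192.0.2.10 stands in for the application host). APPENDED
# mirrors the thread's attempt, assuming the INPUT jump from the earlier listing.
APPENDED = """\
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.0.2.10 -p tcp --dport 1521 -j ACCEPT
-A INPUT -j DROP
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
"""
# INCHAIN: the fix suggested in the thread, per-source ACCEPT inside the chain.
INCHAIN = APPENDED.replace("-A INPUT -s", "-A RH-Firewall-1-INPUT -s") \
                  .replace("-A INPUT -j DROP\n", "")
APP_SYN = {"iface": "eth0", "src": "192.0.2.10", "proto": "tcp", "dport": "1521", "state": "NEW"}
```

With APPENDED the application host's SYN comes back REJECT, because the jump chain's terminal REJECT ends the walk before INPUT's own ACCEPT is ever consulted; with INCHAIN it is accepted while any other source still falls through to the REJECT.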


