Need to block port 1521 for all machines except one.

Rohit khaladkar rohit.khaladkar at gmail.com
Tue Apr 7 07:05:36 UTC 2009


Hi! I tried with these rules, but it doesn't work. Is there something that we
are missing in here?

On Mon, Apr 6, 2009 at 9:44 PM, Marti, Rob <RJM002 at shsu.edu> wrote:

> -----Original Message-----
> From: redhat-list-bounces at redhat.com [mailto:
> redhat-list-bounces at redhat.com] On Behalf Of Rohit khaladkar
> Sent: Monday, April 06, 2009 11:08 AM
> To: General Red Hat Linux discussion list
> Subject: Re: Need to block port 1521 for all machines except one.
>
> Thanks a lot!
>
> Here they are:
> -A INPUT -j RH-Firewall-1-INPUT
> -A FORWARD -j RH-Firewall-1-INPUT
> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type timestamp-request -j REJECT
> -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type timestamp-reply -j REJECT
> -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
> -A RH-Firewall-1-INPUT -p esp -j ACCEPT
> -A RH-Firewall-1-INPUT -p ah -j ACCEPT
> -A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp -m udp --dport 514 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 1521 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 1158 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
> COMMIT
>
>
> On Mon, Apr 6, 2009 at 9:21 PM, Barry Brimer <lists at brimer.org> wrote:
>
> >
> > iptables -A INPUT -s <ip address of first machine you want to allow> -p tcp --dport 1521 -j ACCEPT
> > iptables -A INPUT -s <ip address of second machine you want to allow> -p tcp --dport 1521 -j ACCEPT
> > <continue as needed>
> > iptables -A INPUT -p tcp --dport 1521 -j DROP
> >
> > Quoting Rohit khaladkar <rohit.khaladkar at gmail.com>:
> >
> > > Hi! You found that right. There were other iptables rules that were
> > > conflicting. The following command worked.
> > >
> > > iptables -A INPUT -s $1 -p tcp --dport 1521 -j ACCEPT
> > > iptables -A INPUT -p tcp --dport 1521 -j DROP
> > >
> > >
> > > But the problem the command gave me is I can't access the database from the
> > > database server itself.
> > >
> > > Is there any way we can modify this command to work for two machines?
> > >
> > >
> > > Thanks!
> > > Rohit Khaladkar
> > >
> > > On Tue, Mar 31, 2009 at 5:21 PM, Barry Brimer <lists at brimer.org> wrote:
> > >
> > > >> Hi All, As a security measure, I need to block port 1521 on the database
> > > >> server, which is used by Oracle, for all machines except one. I tried using
> > > >> the following commands to block the port, but for some reason it is not
> > > >> working. Can someone please help me.
> > > >>
> > > >>
> > > >> iptables -A INPUT -s $1 -p tcp --dport 1521 -j ACCEPT
> > > >> iptables -A INPUT -p tcp --dport 1521 -j DROP
> > > >>
> > > >> where $1 is the machine name or IP address of the machine which needs access
> > > >> to the port.
> > > >>
> > > >
> > > > I can't help but notice that you are using -A to append rules at the end of
> > > > your existing INPUT chain.  Are there other firewall rules above these rules
> > > > that would be accepting the traffic before these rules are even hit?
> > > >
> > > > --
> > > > redhat-list mailing list
> > > > unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
> > > > https://www.redhat.com/mailman/listinfo/redhat-list
> > > >
> --------------------------------------------------------------------------
> That makes no sense - even ignoring the first line (the -i lo -j ACCEPT
> one) you said that oracle won't accept connections from the local box?
>
> This is what I would set it to:
>
> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type timestamp-request -j REJECT
> -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type timestamp-reply -j REJECT
> -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
> -A RH-Firewall-1-INPUT -p esp -j ACCEPT
> -A RH-Firewall-1-INPUT -p ah -j ACCEPT
> -A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp -m udp --dport 514 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A RH-Firewall-1-INPUT -s <server1> -p tcp --dport 1521 -j ACCEPT
> -A RH-Firewall-1-INPUT -s <server2> -p tcp --dport 1521 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 1158 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
> COMMIT
>
> So all local traffic will be accepted (the -i lo line), the 2 servers
> needed will be accepted (by calling them out specifically), and everything
> else (for 1521) will fall through to the reject line.
>
>
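The ordering problem this thread turns on can be reproduced without a root shell. What follows is an added example written for this page, not code from the thread or from Red Hat: a toy Python model of iptables first-match evaluation that understands only the matches used in the posted rules (-i, -s, -p, --dport, --state, -j) and the jump from INPUT into the RH-Firewall-1-INPUT user chain. It loads the rules as Rohit posted them (the FORWARD jump and the icmp, esp, ah and udp lines are left out, since none of them can match an inbound TCP connection), appends his two INPUT rules the way `iptables -A INPUT` would, and shows that a connection to 1521 from an arbitrary host is still accepted: the blanket `--dport 1521 -j ACCEPT` inside the user chain fires first, and because that chain always ends in REJECT, anything appended to INPUT after the jump is unreachable. It then applies Rob's change and shows the same probe falling through to the REJECT while loopback and the allowed host keep working. The addresses 192.0.2.10, 192.0.2.11 and 198.51.100.7 are constructed placeholders for `$1` and `<server1>`/`<server2>`.

```python
"""Toy first-match model of the iptables chains quoted in this thread.

Added example for this page, not code from the thread or from Red Hat, and
not iptables: it understands only the matches used in the posted rules
(-i, -s, -p, --dport, --state, -j) plus -j into a user chain. Addresses are
constructed (RFC 5737 documentation ranges) standing in for "$1"/<server1>.
"""
import ipaddress
import shlex

# Rules as posted, minus the FORWARD jump and the icmp/esp/ah/udp lines,
# none of which can affect an inbound TCP connection to port 1521.
POSTED = """
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 1521 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 1158 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
"""

# Rohit's two commands, placed where `iptables -A INPUT` puts them: at the
# end of INPUT, after the unconditional jump above.
APPENDED = """
-A INPUT -s 192.0.2.10 -p tcp --dport 1521 -j ACCEPT
-A INPUT -p tcp --dport 1521 -j DROP
"""

FLAGS = {"-A": "chain", "-i": "in", "-s": "src", "-p": "proto",
         "--dport": "dport", "--state": "state", "-j": "target"}

def parse_rule(line):
    """Reduce one '-A CHAIN ...' line to the matches this model understands."""
    rule = dict.fromkeys(FLAGS.values())
    toks = shlex.split(line)
    for flag, value in zip(toks, toks[1:]):      # -m tcp, --reject-with: ignored
        if flag in FLAGS:
            rule[FLAGS[flag]] = value
    rule["src"] = ipaddress.ip_network(rule["src"], strict=False) if rule["src"] else None
    rule["dport"] = int(rule["dport"]) if rule["dport"] else None
    rule["state"] = set(rule["state"].split(",")) if rule["state"] else None
    rule["line"] = line
    return rule

def matches(rule, pkt):
    """True when every match present in the rule holds for the packet."""
    return ((rule["in"] is None or pkt["in"] == rule["in"])
            and (rule["src"] is None or ipaddress.ip_address(pkt["src"]) in rule["src"])
            and (rule["proto"] is None or pkt["proto"] == rule["proto"])
            and (rule["dport"] is None or pkt["dport"] == rule["dport"])
            and (rule["state"] is None or pkt["state"] in rule["state"]))

def evaluate(rules, pkt, chain="INPUT"):
    """Walk `chain` top to bottom, first match wins, following -j into user
    chains. Returns the deciding rule, or None if the packet fell off the end."""
    chains = {r["chain"] for r in rules}
    for rule in rules:
        if rule["chain"] != chain or not matches(rule, pkt):
            continue
        if rule["target"] in chains:                 # -j <user chain>
            hit = evaluate(rules, pkt, rule["target"])
            if hit is not None:
                return hit
        else:                                        # ACCEPT / DROP / REJECT
            return rule
    return None

def hardened_ruleset(allowed_sources):
    """Rob's fix, applied as text: swap the blanket tcp/1521 ACCEPT inside
    RH-Firewall-1-INPUT for one ACCEPT per allowed source. Loopback stays open
    via -i lo; any other 1521 connection falls through to the terminal REJECT."""
    out = []
    for line in POSTED.strip().splitlines():
        if "--dport 1521" in line:
            out += [f"-A RH-Firewall-1-INPUT -s {src} -p tcp -m state --state NEW "
                    f"-m tcp --dport 1521 -j ACCEPT" for src in allowed_sources]
        else:
            out.append(line)
    return "\n".join(out)

def tcp_syn(src, dport, iface="eth0"):
    """A new inbound TCP connection attempt (conntrack state NEW)."""
    return {"in": iface, "src": src, "proto": "tcp", "dport": dport, "state": "NEW"}

def verdicts(ruleset_text, allowed="192.0.2.10", other="198.51.100.7"):
    """Verdict for four probe connections against a ruleset given as text."""
    rules = [parse_rule(l) for l in ruleset_text.splitlines() if l.strip()]
    probes = {"allowed": tcp_syn(allowed, 1521),
              "other": tcp_syn(other, 1521),
              "local": tcp_syn("127.0.0.1", 1521, iface="lo"),
              "ssh": tcp_syn(other, 22)}
    result = {}
    for name, pkt in probes.items():
        hit = evaluate(rules, pkt)
        result[name] = hit["target"] if hit else "policy"
    return result

if __name__ == "__main__":
    print("as posted + appended DROP:", verdicts(POSTED + APPENDED))
    print("Rob's version, 1521 only from 192.0.2.10:", verdicts(hardened_ruleset(["192.0.2.10"])))
```

On the real server the equivalent check is `iptables -L RH-Firewall-1-INPUT -n -v --line-numbers`, which prints the rules in evaluation order with per-rule packet counters, followed by a connection attempt to port 1521 from a host that is supposed to be blocked; the counter that increments tells you which rule actually decided the packet. The RH-Firewall-1-INPUT layout quoted in the thread is what RHEL stores in /etc/sysconfig/iptables, so Rob's version belongs in that file (in the `-A ...` / `COMMIT` form shown) rather than being typed as one-off `iptables -A` commands that land at the bottom of INPUT.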
