Need to block port 1521 for all machines except one.

Geofrey Rainey Geofrey.Rainey at tvnz.co.nz
Wed Apr 8 03:55:09 UTC 2009


You need to start with some very simple rules and build from that.
That's what I do.

Or perhaps the best way to solve your problem is to add a log rule just
before the very last Reject rule of the INPUT chain, something like this:

iptables -A RH-Firewall-1-INPUT -m limit --limit 2/sec --limit-burst 10 -j LOG --log-prefix " INPUT CHAIN DROP: "

Then start IPTables, tail -f /var/log/messages, and look for drops,
quickly stop IPTables, adjust the rules to compensate for the drops,
then try again.


-----Original Message-----
From: redhat-list-bounces at redhat.com
[mailto:redhat-list-bounces at redhat.com] On Behalf Of Rohit khaladkar
Sent: Wednesday, 8 April 2009 12:47 a.m.
To: General Red Hat Linux discussion list
Subject: Re: Need to block port 1521 for all machines except one.

Hi! I tried using these rules. My iptables rules look like below (check
the bold part). If I use this I can log in to the database only through
the Database server, but not through the Application server. Please let
me know if I missed anything important here.


-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type timestamp-request -j REJECT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type timestamp-reply -j REJECT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 514 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 1521 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 1158 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -s 148.147.172.226 -p tcp --dport 1521 -j ACCEPT
-A INPUT -s 148.147.172.227 -p tcp --dport 1521 -j ACCEPT
-A INPUT -j DROP
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Tue Jan 29 10:32:53 2008


On Tue, Apr 7, 2009 at 5:14 PM, Geofrey Rainey <Geofrey.Rainey at tvnz.co.nz> wrote:

> I don't understand what the big problem is, am I missing something?
>
> Here's what you need to do:
>
> iptables -A INPUT -s SERVERA -p tcp --dport 1521 -j ACCEPT
> iptables -A INPUT -s SERVERB -p tcp --dport 1521 -j ACCEPT
> <ADD OTHER RULES HERE>
> iptables -A INPUT -j DROP
>
> Regards,
> Geoff.
>
>
> -----Original Message-----
> From: redhat-list-bounces at redhat.com
> [mailto:redhat-list-bounces at redhat.com] On Behalf Of Rohit khaladkar
> Sent: Tuesday, 7 April 2009 11:31 p.m.
> To: General Red Hat Linux discussion list
> Subject: Re: Need to block port 1521 for all machines except one.
>
> I can access the port from other machines too.
> There are two machines:
> Server A : Application Host
> Server B : Database server
>
> The requirement here is to have access to the Oracle database, which uses
> port 1521, only from these two machines. So the rules should be such that
> 1521 should be blocked to all other servers EXCEPT for these two machines
> (Server A and Server B).
>
> Please let me know if you need any more information.
>
> Appreciate all the help provided.
>
> Thanks!
> Rohit Khaladkar
>
> On Tue, Apr 7, 2009 at 4:32 PM, Marti, Rob <RJM002 at shsu.edu> wrote:
>
> > From: redhat-list-bounces at redhat.com 
> > [redhat-list-bounces at redhat.com] On Behalf Of Rohit khaladkar 
> > [rohit.khaladkar at gmail.com]
> > Sent: Tuesday, April 07, 2009 02:05
> > To: General Red Hat Linux discussion list
> > Subject: Re: Need to block port 1521 for all machines except one.
> >
> > Hi! I tried with these rules, but it doesn't work. Is there something
> > that we are missing here.
> >
> > On Mon, Apr 6, 2009 at 9:44 PM, Marti, Rob <RJM002 at shsu.edu> wrote:
> >
> > > -----Original Message-----
> > > From: redhat-list-bounces at redhat.com [mailto:
> > > redhat-list-bounces at redhat.com] On Behalf Of Rohit khaladkar
> > > Sent: Monday, April 06, 2009 11:08 AM
> > > To: General Red Hat Linux discussion list
> > > Subject: Re: Need to block port 1521 for all machines except one.
> > >
> > > Thanks a lot!
> > >
> > > Here they are:
> > > -A INPUT -j RH-Firewall-1-INPUT
> > > -A FORWARD -j RH-Firewall-1-INPUT
> > > -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> > > -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type timestamp-request -j REJECT
> > > -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type timestamp-reply -j REJECT
> > > -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
> > > -A RH-Firewall-1-INPUT -p esp -j ACCEPT
> > > -A RH-Firewall-1-INPUT -p ah -j ACCEPT
> > > -A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
> > > -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
> > > -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
> > > -A RH-Firewall-1-INPUT -p udp -m udp --dport 514 -j ACCEPT
> > > -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> > > -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 1521 -j ACCEPT
> > > -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 1158 -j ACCEPT
> > > -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
> > > -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
> > > COMMIT
> > >
> > >
> > > On Mon, Apr 6, 2009 at 9:21 PM, Barry Brimer <lists at brimer.org> wrote:
> > >
> > > >
> > > > iptables -A INPUT -s <ip address of first machine you want to allow> -p tcp --dport 1521 -j ACCEPT
> > > > iptables -A INPUT -s <ip address of second machine you want to allow> -p tcp --dport 1521 -j ACCEPT
> > > > <continue as needed>
> > > > iptables -A INPUT -p tcp --dport 1521 -j DROP
> > > >
> > > > Quoting Rohit khaladkar <rohit.khaladkar at gmail.com>:
> > > >
> > > > > Hi! You found that right. There were other iptables rules that were
> > > > > conflicting. The following command worked.
> > > > >
> > > > > iptables -A INPUT -s $1 -p tcp --dport 1521 -j ACCEPT
> > > > > iptables -A INPUT -p tcp --dport 1521 -j DROP
> > > > >
> > > > >
> > > > > But the problem the command gave me is I can't access the database
> > > > > from the database server itself.
> > > > >
> > > > > Is there any way we can modify this command to work for two
> > > > > machines?
> > > > >
> > > > >
> > > > > Thanks!
> > > > > Rohit Khaladkar
> > > > >
> > > > > On Tue, Mar 31, 2009 at 5:21 PM, Barry Brimer <lists at brimer.org> wrote:
> > > > >
> > > > > > > Hi All, As a security measure, I need to block port 1521 on the
> > > > > > > database server, which is used by Oracle, for all machines except
> > > > > > > one. I tried using the following commands to block the port, but
> > > > > > > for some reason it is not working. Can someone please help me.
> > > > > > >
> > > > > > >
> > > > > > > iptables -A INPUT -s $1 -p tcp --dport 1521 -j ACCEPT
> > > > > > > iptables -A INPUT -p tcp --dport 1521 -j DROP
> > > > > > >
> > > > > > > where $1 is the machine name or ip address of the machine which
> > > > > > > needs access to the port.
> > > > > > >
> > > > > >
> > > > > > I can't help but notice that you are using -A to append rules at
> > > > > > the end of your existing INPUT chain.  Are there other firewall
> > > > > > rules above these rules that would be accepting the traffic before
> > > > > > these rules are even hit?
> > > > > >
> > > > > >
> > > > > > --
> > > > > > redhat-list mailing list
> > > > > > unsubscribe mailto:redhat-list-request at redhat.com
> > > ?subject=unsubscribe
> > > > > > https://www.redhat.com/mailman/listinfo/redhat-list
> > > > > >
> --------------------------------------------------------------------------
> > > That makes no sense - even ignoring the first line (the -i lo -j ACCEPT
> > > one), you said that oracle won't accept connections from the local box?
> > >
> > > This is what I would set it to:
> > >
> > > -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> > > -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type timestamp-request -j REJECT
> > > -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type timestamp-reply -j REJECT
> > > -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
> > > -A RH-Firewall-1-INPUT -p esp -j ACCEPT
> > > -A RH-Firewall-1-INPUT -p ah -j ACCEPT
> > > -A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
> > > -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
> > > -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
> > > -A RH-Firewall-1-INPUT -p udp -m udp --dport 514 -j ACCEPT
> > > -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> > > -A RH-Firewall-1-INPUT -s <server1> -p tcp --dport 1521 -j ACCEPT
> > > -A RH-Firewall-1-INPUT -s <server2> -p tcp --dport 1521 -j ACCEPT
> > > -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 1158 -j ACCEPT
> > > -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
> > > -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
> > > COMMIT
> > >
> > > So all local traffic will be accepted (the -i lo line), the 2 servers
> > > needed will be accepted (by calling them out specifically), and
> > > everything else (for 1521) will fall through to the reject line.
> > >
> >
> > --------------------------------------------------------------------------
> > Define "doesn't work".
> >
> ==========================================================
> For more information on the Television New Zealand Group, visit us
> online at tvnz.co.nz
> ==========================================================
> CAUTION:  This e-mail and any attachment(s) contain information that
> is intended to be read only by the named recipient(s).  This
> information is not to be used or stored by any other person and/or
> organisation.
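Rob's ruleset (the per-host ACCEPT rules placed inside RH-Firewall-1-INPUT, above the final REJECT) and the one Rohit posted (ACCEPTs appended to INPUT after the jump into that chain) differ only in where the rules sit. As an added example, not code from this thread, the following simulates iptables first-match evaluation over a trimmed copy of both layouts; it reproduces the symptom Rohit reported (the database box connects over lo, the application server at 148.147.172.226 does not) and shows that Rob's placement fixes it. The INPUT jump is assumed from Rohit's first posting, and the 10.0.0.9 address and eth0 interface are constructed.

```python
# Added example (not code from the thread): a first-match simulator for the
# iptables-save lines above. Only -i, -s, -p, --dport and --state are modelled.
import shlex
TERMINAL = {"ACCEPT", "DROP", "REJECT"}
KEYS = ("-i", "-s", "-p", "--dport", "--state", "-j")

def parse(text):
    """Return {chain: [rule, ...]} from '-A' lines, keeping their order."""
    chains = {}
    for tok in (shlex.split(line) for line in text.splitlines()):
        if len(tok) > 2 and tok[0] == "-A":
            rule = {tok[i]: tok[i + 1] for i in range(2, len(tok) - 1) if tok[i] in KEYS}
            chains.setdefault(tok[1], []).append(rule)
    return chains

def matches(rule, pkt):
    if any(k in rule and rule[k] != pkt[k] for k in ("-i", "-s", "-p", "--dport")):
        return False
    return "--state" not in rule or pkt["--state"] in rule["--state"].split(",")

def verdict(chains, pkt, chain="INPUT"):
    """First terminating target hit, or None if the packet falls off the chain."""
    for rule in chains.get(chain, []):
        if not matches(rule, pkt):
            continue
        target = rule.get("-j")
        if target in TERMINAL:
            return target
        if target in chains and (v := verdict(chains, pkt, target)):  # user chain
            return v
    return None
# Trimmed from the ruleset posted above (the INPUT jump is assumed from the
# first posting): the per-host ACCEPT is appended to INPUT *after* the jump,
# but the user chain ends in a terminating REJECT, so it is never reached.
AS_POSTED = """
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 148.147.172.226 -p tcp --dport 1521 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
"""
# Rob's layout: the same ACCEPT inside the user chain, above the REJECT.
FIXED = AS_POSTED.replace("-A INPUT -s", "-A RH-Firewall-1-INPUT -s")
def new_conn(src, iface="eth0"):
    """Constructed packet: the first SYN of a TCP connection to port 1521."""
    return {"-i": iface, "-s": src, "-p": "tcp", "--dport": "1521", "--state": "NEW"}
def check(text):
    """Verdicts for (application server, some other host, the DB box via lo)."""
    c = parse(text)
    return tuple(verdict(c, new_conn(*a)) for a in
                 (("148.147.172.226",), ("10.0.0.9",), ("127.0.0.1", "lo")))
```

check(AS_POSTED) returns ('REJECT', 'REJECT', 'ACCEPT') and check(FIXED) returns ('ACCEPT', 'REJECT', 'ACCEPT'); the LOG rule Geoff suggests would fire for the rejected cases in both layouts.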