RE: Need to block port 1521 for all machines except one.



-----Original Message-----
From: redhat-list-bounces@xxxxxxxxxx [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of Rohit khaladkar
Sent: Monday, April 06, 2009 11:08 AM
To: General Red Hat Linux discussion list
Subject: Re: Need to block port 1521 for all machines except one.

Thanks a lot!

Here they are :
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type timestamp-request -j REJECT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type timestamp-reply -j REJECT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 514 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 1521 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 1158 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT


On Mon, Apr 6, 2009 at 9:21 PM, Barry Brimer <lists@xxxxxxxxxx> wrote:


iptables -A INPUT -s <ip address of first machine you want to allow> -p tcp --dport 1521 -j ACCEPT
iptables -A INPUT -s <ip address of second machine you want to allow> -p tcp --dport 1521 -j ACCEPT
<continue as needed>
iptables -A INPUT -p tcp --dport 1521 -j DROP

Quoting Rohit khaladkar <rohit.khaladkar@xxxxxxxxx>:

Hi! You found that right. There were other iptables rules that were
conflicting. The following command worked.

iptables -A INPUT -s $1 -p tcp --dport 1521 -j ACCEPT
iptables -A INPUT -p tcp --dport 1521 -j DROP


But the problem the command gave me is I can't access the database from the
database server itself.

Is there any way we can modify this command to work for two machines?


Thanks!
Rohit Khaladkar

On Tue, Mar 31, 2009 at 5:21 PM, Barry Brimer <lists@xxxxxxxxxx> wrote:

Hi All, as a security measure I need to block port 1521 on the database
server, which is used by Oracle, for all machines except one. I tried using
the following commands to block the port, but for some reason it is not
working. Can someone please help me.


iptables -A INPUT -s $1 -p tcp --dport 1521 -j ACCEPT
iptables -A INPUT -p tcp --dport 1521 -j DROP

where $1 is the machine name or IP address of the machine which needs access
to the port.


I can't help but notice that you are using -A to append rules at the end of
your existing INPUT chain. Are there other firewall rules above these rules
that would be accepting the traffic before these rules are even hit?


--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list


--------------------------------------------------------------------------
That makes no sense - even ignoring the first line (the -i lo -j ACCEPT one), you said that Oracle won't accept connections from the local box?

This is what I would set it to:

-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type timestamp-request -j REJECT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type timestamp-reply -j REJECT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 514 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -s <server1> -p tcp --dport 1521 -j ACCEPT
-A RH-Firewall-1-INPUT -s <server2> -p tcp --dport 1521 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 1158 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

So all local traffic will be accepted (the -i lo line), the 2 servers needed will be accepted (by calling them out specifically), and everything else (for 1521) will fall through to the reject line.
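To make the first-match point concrete, here is an added example (mine, not code from anyone in the thread): a small POSIX shell/awk check that scans an iptables-save style dump for an unrestricted ACCEPT on a given port, which is what kept the appended restriction from ever being reached. The two sample rulesets and the 192.0.2.x addresses are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: audit an iptables-save style dump for the
# ordering mistake discussed above. A chain is evaluated top to bottom and the
# first matching rule wins, so a blanket "--dport PORT -j ACCEPT" that sits above
# a source-restricted ACCEPT turns the restriction into dead code.
#
# audit_port_order PORT < dump
#   exit 0: every ACCEPT for PORT carries a -s source restriction
#   exit 1: an unrestricted ACCEPT for PORT was found (reported on stdout)
audit_port_order() {
    awk -v port="$1" '
        index($0, "--dport " port " ") > 0 {
            if ($0 ~ /-j ACCEPT/ && $0 !~ /(^| )-s /) {
                printf "line %d: unrestricted ACCEPT for port %s: %s\n", NR, port, $0
                bad = 1
            } else if ($0 ~ /-j ACCEPT/) {
                printf "line %d: source-restricted ACCEPT: %s\n", NR, $0
            } else if ($0 ~ /-j (DROP|REJECT)/) {
                printf "line %d: deny rule for port %s\n", NR, port
            }
        }
        END { exit bad ? 1 : 0 }
    '
}

# Constructed sample 1: the original chain, with the restricted rules appended
# to INPUT after a blanket 1521 ACCEPT (and after the chain's final REJECT).
BROKEN='-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 1521 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -s 192.0.2.10 -p tcp --dport 1521 -j ACCEPT
-A INPUT -p tcp --dport 1521 -j DROP'

# Constructed sample 2: the reordered chain proposed above; 192.0.2.10 and
# 192.0.2.11 stand in for the two permitted servers.
FIXED='-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.0.2.10 -p tcp --dport 1521 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.0.2.11 -p tcp --dport 1521 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited'

printf '%s\n' "$BROKEN" | audit_port_order 1521 || echo "BROKEN: restriction is never reached"
printf '%s\n' "$FIXED" | audit_port_order 1521 && echo "FIXED: only source-restricted ACCEPTs for 1521"
```

On a live box the same function can be fed with `iptables-save | audit_port_order 1521` to confirm the order before trusting the restriction.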
