Re: Need to block port 1521 for all machines except one.

---

• From: Rohit khaladkar <rohit.khaladkar@xxxxxxxxx>
• Date: Tue, 7 Apr 2009 17:01:27 +0530

---

I can access the port from other machines too.
There are two machines :
Server A : Application Host
Server B : Database server

The requirement here is to have access to oracle database which uses port
1521 only to these two machines.So the rules should be such that 1521 should
be blocked to all other servers EXCEPT for these two machines (Server A and
Server B).

Please let me know if you need anymore information.

Appreciate all the help provided.

Thanks!
Rohit Khaladkar

On Tue, Apr 7, 2009 at 4:32 PM, Marti, Rob <RJM002@xxxxxxxx> wrote:

From: redhat-list-bounces@xxxxxxxxxx [redhat-list-bounces@xxxxxxxxxx] On
Behalf Of Rohit khaladkar [rohit.khaladkar@xxxxxxxxx]
Sent: Tuesday, April 07, 2009 02:05
To: General Red Hat Linux discussion list
Subject: Re: Need to block port 1521 for all machines except one.

Hi!I tried with these rules, but it doesn't work.Is there something that we
are missing in here.

On Mon, Apr 6, 2009 at 9:44 PM, Marti, Rob <RJM002@xxxxxxxx> wrote:

-----Original Message-----
From: redhat-list-bounces@xxxxxxxxxx [mailto:
redhat-list-bounces@xxxxxxxxxx] On Behalf Of Rohit khaladkar
Sent: Monday, April 06, 2009 11:08 AM
To: General Red Hat Linux discussion list
Subject: Re: Need to block port 1521 for all machines except one.

Thanks a lot!

Here they are :
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type timestamp-request -j
REJECT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type timestamp-reply -j
REJECT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j

ACCEPT

-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 514 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 1521 -j
ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 1158 -j
ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j
ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT


On Mon, Apr 6, 2009 at 9:21 PM, Barry Brimer <lists@xxxxxxxxxx> wrote:

iptables -A INPUT -s <ip address of first machine you want to allow> -p

tcp

--dport 1521 -j ACCEPT
iptables -A INPUT -s <ip address of second machine you want to allow>

-p

tcp
--dport 1521 -j ACCEPT
<continue as needed>
iptables -A INPUT -p tcp --dport 1521 -j DROP

Quoting Rohit khaladkar <rohit.khaladkar@xxxxxxxxx>:

Hi!You found that right. There were other iptable rules that were
conflicting. The following command worked.

iptables -A INPUT -s $1 -p tcp --dport 1521 -j ACCEPT
iptables -A INPUT -p tcp --dport 1521 -j DROP


But the problem the command gave me is I can't access the database

from

the

database server itself.

Is there any way out we can modify this command to work for two

machines.

Thanks!
Rohit Khaladkar

On Tue, Mar 31, 2009 at 5:21 PM, Barry Brimer <lists@xxxxxxxxxx>

wrote:

Hi All,As a security measure, I need to block port 1521on the

database

server , which is used by Oracle for all machines, except one.I

tried

using
the following commands to block the port, but for some reason it

is

not

working.Can someone please help me.


iptables -A INPUT -s $1 -p tcp --dport 1521 -j ACCEPT
iptables -A INPUT -p tcp --dport 1521 -j DROP

where $1 is the machine name or ip address of the machine which

needs

access
to the port.

I can't help but notice that you are using -A to append rules at

the

end of

your existing INPUT chain. Are there other firewall rules above

these

rules

that would be accepting the traffic before these rules are even

hit?

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx

?subject=unsubscribe

https://www.redhat.com/mailman/listinfo/redhat-list

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx

?subject=unsubscribe

https://www.redhat.com/mailman/listinfo/redhat-list

!DSPAM:49da2230189793619052188!

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list

--------------------------------------------------------------------------

That makes no sense - Even ignoring the first line (the -I lo -j ACCEPT
one) you said that oracle won't accept connections from the local box?

This is what I would set it to:

-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type timestamp-request -j
REJECT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type timestamp-reply -j
REJECT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j

ACCEPT

-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 514 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -s <server1> -p tcp --dport 1521 -j ACCEPT
-A RH-Firewall-1-INPUT -s <server2> -p tcp --dport 1521 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 1158 -j
ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j
ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

So all local traffic will be accepted (the -i lo line), the 2 servers
needed will be accepted (by calling them out specifically), and

everything

else (for 1521) will fall through to the reject line.

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list

--------------------------------------------------------------------------------------------------
Define "doesn't work".

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list

---

• Follow-Ups:
  • RE: Need to block port 1521 for all machines except one.
    • From: Geofrey Rainey

• References:
  • Re: Need to block port 1521 for all machines except one.
    • From: Rohit khaladkar
  • Re: Need to block port 1521 for all machines except one.
    • From: Barry Brimer
  • Re: Need to block port 1521 for all machines except one.
    • From: Rohit khaladkar
  • RE: Need to block port 1521 for all machines except one.
    • From: Marti, Rob
  • Re: Need to block port 1521 for all machines except one.
    • From: Rohit khaladkar
  • RE: Need to block port 1521 for all machines except one.
    • From: Marti, Rob

• Prev by Date: RE: Need to block port 1521 for all machines except one.
• Next by Date: RE: Need to block port 1521 for all machines except one.
• Previous by thread: RE: Need to block port 1521 for all machines except one.
• Next by thread: RE: Need to block port 1521 for all machines except one.
• Index(es):
  • Date
  • Thread

---

Relevant Pages Performance optimization vs satisficing (was Language Oriented Programming) ... >machines that were too small. ... Microsoft has been a leading offender here. ... >arcane issue for server engines. ... magnitude slower, yes, I recall working on a 200mb database, trying to ... (comp.object) Re: Cost of setting up a network ... A router capable of acting as a VPN endpoint for more than one user simultaneously with four Ethernet ports or a switch to suit. ... The rationale for using a server here is basically that the router doesn't need to be able to decide which PC to route the connection to. ... If you are using a router which supports it, you can set up a port-forwarding inbound rule which also _translates_ the port supplied to the receiving port. ... You can use several of these connections to different machines simultaneously. ... (uk.comp.homebuilt) Re: SQL2005: Cannot connect error 11001 ... user mapped to one database. ... Does the issue has to do with the login account / user ... Server connection. ... if you changed the port ... (microsoft.public.sqlserver.connect) DB Fault Tolerance - network connections ... a Perl server which talks to a PostgreSQL database on a different phys. ... block the port on the DB server, ... Note that I'm using iptables on the box that is running the Postgresql ... (perl.dbi.users) RE: Error 3085 Format$ being changed to [Format$] in query by one ... We are single-user database. ... The Boss wanted it there so the Network daily backup would ... the database on the Network server drive) will be a safe starting point. ... When you say it "works great from two different machines" do you mean that ... (microsoft.public.access.queries)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(17)