Re: Need to block port 1521 for all machines except one.



Hi! I tried using these rules. My iptables rules look like below (check the
bold part). If I use this I can log in to the database only through the
Database server, but not through the Application server. Please let me know
if I missed anything important here.


-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type timestamp-request -j REJECT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type timestamp-reply -j REJECT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 514 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 1521 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 1158 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -s 148.147.172.226 -p tcp --dport 1521 -j ACCEPT
-A INPUT -s 148.147.172.227 -p tcp --dport 1521 -j ACCEPT
-A INPUT -j DROP
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Tue Jan 29 10:32:53 2008
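As an added illustration, not code from anyone in this thread: a small Python simulation of netfilter's first-match chain traversal, run over the rule set above and over the ordering suggested later in the thread (per-source 1521 ACCEPTs inside RH-Firewall-1-INPUT, before its REJECT). It assumes the standard -A INPUT -j RH-Firewall-1-INPUT jump precedes the posted rules (it appears in the rule set quoted further down), uses the two addresses from the thread, and the "other host" address is constructed.

```python
from typing import Dict, List, Optional, Tuple

Rule = Tuple[dict, str]          # (match criteria, target); {} matches every packet
Chains = Dict[str, List[Rule]]

def walk(chains: Chains, chain: str, pkt: dict) -> Optional[str]:
    """First-match traversal of one chain; None means the chain fell through."""
    for match, target in chains[chain]:
        if all(pkt.get(key) == val for key, val in match.items()):
            if target in chains:                      # -j <user chain>
                decided = walk(chains, target, pkt)
                if decided is not None:
                    return decided                    # user chain took a verdict
                continue                              # user chain returned; carry on
            return target                             # ACCEPT / DROP / REJECT
    return None

def verdict(chains: Chains, pkt: dict) -> str:
    return walk(chains, "INPUT", pkt) or "ACCEPT"     # RHEL default INPUT policy

DB, APP = "148.147.172.226", "148.147.172.227"        # addresses from the thread
OTHER = "192.0.2.50"                                  # constructed "any other host"
LO = ({"iface": "lo"}, "ACCEPT")
ESTABLISHED = ({"state": "ESTABLISHED"}, "ACCEPT")
SSH = ({"proto": "tcp", "dport": 22, "state": "NEW"}, "ACCEPT")
REJECT = ({}, "REJECT")
ALLOW_1521 = [({"src": DB, "proto": "tcp", "dport": 1521}, "ACCEPT"),
              ({"src": APP, "proto": "tcp", "dport": 1521}, "ACCEPT")]

# Posted ordering: INPUT jumps into RH-Firewall-1-INPUT first, whose final REJECT
# terminates every packet nothing else matched, so the 1521 ACCEPTs appended to
# INPUT are never reached; only the loopback rule lets the DB host itself in.
POSTED: Chains = {
    "INPUT": [({}, "RH-Firewall-1-INPUT"), *ALLOW_1521, ({}, "DROP")],
    "RH-Firewall-1-INPUT": [LO, ESTABLISHED, SSH, REJECT],
}
# Suggested ordering: the per-source ACCEPTs sit inside the chain, before REJECT.
SUGGESTED: Chains = {
    "INPUT": [({}, "RH-Firewall-1-INPUT")],
    "RH-Firewall-1-INPUT": [LO, ESTABLISHED, *ALLOW_1521, SSH, REJECT],
}

def oracle_connect(src: str, iface: str = "eth0") -> dict:
    """A new TCP connection to the listener on 1521 (state NEW, i.e. the SYN)."""
    return {"src": src, "proto": "tcp", "dport": 1521, "iface": iface, "state": "NEW"}

if __name__ == "__main__":
    for name, chains in (("posted", POSTED), ("suggested", SUGGESTED)):
        print(name, "| app server:", verdict(chains, oracle_connect(APP)),
              "| db via lo:", verdict(chains, oracle_connect(DB, "lo")),
              "| other host:", verdict(chains, oracle_connect(OTHER)))
```

The posted ordering rejects the application server while still letting the loopback connection through, which is exactly the symptom reported above.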


On Tue, Apr 7, 2009 at 5:14 PM, Geofrey Rainey <Geofrey.Rainey@xxxxxxxxxx> wrote:

I don't understand what the big problem is, am I missing something?

Here's what you need to do:

iptables -A INPUT -s SERVERA -p tcp --dport 1521 -j ACCEPT
iptables -A INPUT -s SERVERB -p tcp --dport 1521 -j ACCEPT
<ADD OTHER RULES HERE>
iptables -A INPUT -j DROP

Regards,
Geoff.


-----Original Message-----
From: redhat-list-bounces@xxxxxxxxxx
[mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of Rohit khaladkar
Sent: Tuesday, 7 April 2009 11:31 p.m.
To: General Red Hat Linux discussion list
Subject: Re: Need to block port 1521 for all machines except one.

I can access the port from other machines too.
There are two machines:
Server A: Application Host
Server B: Database server

The requirement here is to have access to the Oracle database, which uses port
1521, only from these two machines. So the rules should be such that 1521
is blocked to all other servers EXCEPT for these two machines
(Server A and Server B).

Please let me know if you need any more information.

Appreciate all the help provided.

Thanks!
Rohit Khaladkar

On Tue, Apr 7, 2009 at 4:32 PM, Marti, Rob <RJM002@xxxxxxxx> wrote:

From: redhat-list-bounces@xxxxxxxxxx [redhat-list-bounces@xxxxxxxxxx]
On Behalf Of Rohit khaladkar [rohit.khaladkar@xxxxxxxxx]
Sent: Tuesday, April 07, 2009 02:05
To: General Red Hat Linux discussion list
Subject: Re: Need to block port 1521 for all machines except one.

Hi! I tried with these rules, but it doesn't work. Is there something
that we are missing in here?

On Mon, Apr 6, 2009 at 9:44 PM, Marti, Rob <RJM002@xxxxxxxx> wrote:

-----Original Message-----
From: redhat-list-bounces@xxxxxxxxxx [mailto:
redhat-list-bounces@xxxxxxxxxx] On Behalf Of Rohit khaladkar
Sent: Monday, April 06, 2009 11:08 AM
To: General Red Hat Linux discussion list
Subject: Re: Need to block port 1521 for all machines except one.

Thanks a lot!

Here they are:
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type timestamp-request -j REJECT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type timestamp-reply -j REJECT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 514 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 1521 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 1158 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT


On Mon, Apr 6, 2009 at 9:21 PM, Barry Brimer <lists@xxxxxxxxxx>
wrote:


iptables -A INPUT -s <ip address of first machine you want to allow> -p tcp --dport 1521 -j ACCEPT
iptables -A INPUT -s <ip address of second machine you want to allow> -p tcp --dport 1521 -j ACCEPT
<continue as needed>
iptables -A INPUT -p tcp --dport 1521 -j DROP

Quoting Rohit khaladkar <rohit.khaladkar@xxxxxxxxx>:

Hi! You found that right. There were other iptables rules that were
conflicting. The following command worked.

iptables -A INPUT -s $1 -p tcp --dport 1521 -j ACCEPT
iptables -A INPUT -p tcp --dport 1521 -j DROP


But the problem the command gave me is I can't access the database
from the database server itself.

Is there any way we can modify this command to work for two
machines?


Thanks!
Rohit Khaladkar

On Tue, Mar 31, 2009 at 5:21 PM, Barry Brimer <lists@xxxxxxxxxx>
wrote:

Hi All, As a security measure, I need to block port 1521 on the
database server, which is used by Oracle, for all machines except
one. I tried using the following commands to block the port, but for
some reason it is not working. Can someone please help me?


iptables -A INPUT -s $1 -p tcp --dport 1521 -j ACCEPT
iptables -A INPUT -p tcp --dport 1521 -j DROP

where $1 is the machine name or IP address of the machine which
needs access to the port.


I can't help but notice that you are using -A to append rules at
the end of your existing INPUT chain. Are there other firewall rules
above these rules that would be accepting the traffic before these
rules are even hit?


--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx
?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list










--------------------------------------------------------------------------
That makes no sense. Even ignoring the first line (the -i lo -j ACCEPT
one), you said that Oracle won't accept connections from the local
box?

This is what I would set it to:

-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type timestamp-request -j REJECT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type timestamp-reply -j REJECT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 514 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -s <server1> -p tcp --dport 1521 -j ACCEPT
-A RH-Firewall-1-INPUT -s <server2> -p tcp --dport 1521 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 1158 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

So all local traffic will be accepted (the -i lo line), the 2 servers
needed will be accepted (by calling them out specifically), and
everything else (for 1521) will fall through to the reject line.




--------------------------------------------------------------------------------------------------
Define "doesn't work".





