?
Solved

Can the firewall from linux (centOS 5) able to filter some of ip?

Posted on 2008-06-16
18
Medium Priority
?
3,909 Views
Last Modified: 2013-12-15
Dear Sir/Madam

I just install an linux (centOS 5) with oracle 11g.
When I setup the firewall of an linux (centOS 5), I have an question.
My question is can I set the firewall only able to be access from some of ip through the port 1521 to linux (centOS 5)?
(e.g.) the port 1521 only accessable from  192.168.0.1,192.168.0.2,192.168.0.3 to my oracle server (centOS 5), all the others are denied, will it possible?

Thanks
Francis SZE
Screenshot.png
0
Comment
Question by:fsze88
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 7
  • 6
  • 3
  • +1
18 Comments
 
LVL 19

Expert Comment

by:http:// thevpn.guru
ID: 21791780
using command line execute

iptables -A INPUT --source   192.168.0.1 -p tcp  --dport 1521 -j ACCEPT
iptables -A INPUT --source   192.168.0.2 -p tcp  --dport 1521 -j ACCEPT
iptables -A INPUT --source   192.168.0.3 -p tcp  --dport 1521 -j ACCEPT
iptables -A INPUT -p tcp  --dport 1521 -j DROP
0
 
LVL 13

Expert Comment

by:sonicefu
ID: 21791787
0
 
LVL 19

Expert Comment

by:http:// thevpn.guru
ID: 21791821
that is iptables, ipchains are outdated.
0
Don't Cry: How Liquid Web is Ensuring Security

WannaCry is just the start. Read how Liquid Web is protecting itself and its customers against new threats.

 
LVL 32

Assisted Solution

by:Kamran Arshad
Kamran Arshad earned 800 total points
ID: 21791823
Hi,

Yes you can allow and block IP address ranges in CentOS using IPTables. Please read the below article for howto:

http://wiki.centos.org/HowTos/Network/IPTables
0
 
LVL 19

Expert Comment

by:http:// thevpn.guru
ID: 21791832
Has anyone read my comment..the first one ?
0
 
LVL 13

Expert Comment

by:sonicefu
ID: 21791881
Important Commands
Commands.pdf
0
 
LVL 13

Expert Comment

by:sonicefu
ID: 21791885
Alternative Method
If you are using managed switch, you can achieve this goal by configuring access-list
0
 
LVL 15

Author Comment

by:fsze88
ID: 21792349
Dear Sir/Madam

I would like to know if I only accept 192.168.123.x to access linux (centOS 5) through the port 1521.
The only things I sould do is as following?

After that, all finished?
After saved (/sbin/service iptables save), after reboot, I would have same setting as before?
 iptables -F
 iptables -P INPUT DROP
 iptables -P FORWARD DROP
 iptables -P OUTPUT ACCEPT
 iptables -A INPUT -i lo -j ACCEPT
 iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 
 iptables -A INPUT -s 192.168.123.0/24 -p tcp --dport 1521 -j ACCEPT  
 /sbin/service iptables save

Open in new window

0
 
LVL 19

Expert Comment

by:http:// thevpn.guru
ID: 21792369
yes however add

iptables -A INPUT -s  -p tcp --dport 1521 -j DROP

if you change your default policy to ACCEPT in future time.
0
 
LVL 15

Author Comment

by:fsze88
ID: 21792460
So, I run following command once all done!?
Also, I would like to know what's meaning of 24 from the command line
iptables -A INPUT -s 192.168.123.0/<b>24</b> -p tcp --dport 1521 -j ACCEPT  
 iptables -F
 iptables -P INPUT DROP
 iptables -P FORWARD DROP
 iptables -P OUTPUT ACCEPT
 iptables -A INPUT -i lo -j ACCEPT
 iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 iptables -A INPUT -i eth0 -j ACCEPT
 iptables -A INPUT -s 192.168.123.0/24 -p tcp --dport 1521 -j ACCEPT  # using standard slash notation
 iptables -A INPUT -s  -p tcp --dport 1521 -j DROP 
 
 /sbin/service iptables save

Open in new window

0
 
LVL 32

Expert Comment

by:Kamran Arshad
ID: 21792472
24 shows the number of bits used as network. Your IP address is class C address which has by default 24 bits for network and 8 bits for host.

xxxxxxxx.xxxxxxxx.xxxxxxxx.hhhhhhhh

Where x are network bits.
0
 
LVL 19

Accepted Solution

by:
http:// thevpn.guru earned 1200 total points
ID: 21792473
The 24 you added means all IPs from 192.168.123.1 to 192.168.123.254

If you do not want that replace

iptables -A INPUT -s 192.168.123.0/24 -p tcp --dport 1521 -j ACCEPT

with

iptables -A INPUT --source   192.168.123.1 -p tcp  --dport 1521 -j ACCEPT
iptables -A INPUT --source   192.168.123.2 -p tcp  --dport 1521 -j ACCEPT
iptables -A INPUT --source   192.168.123.3 -p tcp  --dport 1521 -j ACCEPT
0
 
LVL 15

Author Comment

by:fsze88
ID: 21800319
Dear Sir/Madam

I would like to know the port number of samba?
Because I may need to share samba from the linux (centOS 5) to windows XP.

Thanks
Francis SZE
0
 
LVL 19

Expert Comment

by:http:// thevpn.guru
ID: 21800326
netbios-ns      137/tcp                        # NETBIOS Name Service
netbios-ns      137/udp
netbios-dgm      138/tcp                        # NETBIOS Datagram Service
netbios-dgm      138/udp
netbios-ssn      139/tcp                        # NETBIOS session service
netbios-ssn      139/udp
0
 
LVL 19

Expert Comment

by:http:// thevpn.guru
ID: 21800330
Hmm..and 445
0
 
LVL 15

Author Comment

by:fsze88
ID: 21809852
Dear sir/madam

Am I need to delete line7 "iptables -A INPUT -i eth0 -j ACCEPT"?

Is the following to open samba for anothers computer?

netbios-ns      137/tcp                        # NETBIOS Name Service
netbios-ns      137/udp
netbios-dgm      138/tcp                        # NETBIOS Datagram Service
netbios-dgm      138/udp
netbios-ssn      139/tcp                        # NETBIOS session service
netbios-ssn      139/udp

Manay Thanks
Francis SZE
0
 
LVL 15

Author Comment

by:fsze88
ID: 21810598
Dear sir/madam

I had input command as below , But the samba is not work fine.
anyone can help me!?

Many Thanks
Francis SZE
 iptables -F
 iptables -P INPUT DROP
 iptables -P FORWARD DROP
 iptables -P OUTPUT ACCEPT
 iptables -A INPUT -i lo -j ACCEPT
 iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 
 iptables -A INPUT -s 192.168.123.0/24 -p tcp --dport 1521 -j ACCEPT  
 iptables -A INPUT -s 192.168.123.0/24 -p tcp --dport 445 -j ACCEPT  
 
 /sbin/service iptables save

Open in new window

access.PNG
0
 
LVL 15

Author Comment

by:fsze88
ID: 21830277
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 
iptables -A INPUT -s 192.168.123.0/24 -p tcp --dport 1521 -j ACCEPT  
iptables -A INPUT -s 192.168.123.0/24 -p tcp --dport 445 -j ACCEPT  

iptables -A INPUT -s 192.168.123.0/24 -p tcp --dport 137 -j ACCEPT  
iptables -A INPUT -s 192.168.123.0/24 -p tcp --dport 138 -j ACCEPT  
iptables -A INPUT -s 192.168.123.0/24 -p tcp --dport 139 -j ACCEPT  
iptables -A INPUT -s 192.168.123.0/24 -p udp --dport 137 -j ACCEPT  
iptables -A INPUT -s 192.168.123.0/24 -p udp --dport 138 -j ACCEPT  
iptables -A INPUT -s 192.168.123.0/24 -p udp --dport 139 -j ACCEPT  
 
/sbin/service iptables save
0

Featured Post

Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I. Introduction There's an interesting discussion going on now in an Experts Exchange Group — Attachments with no extension (http://www.experts-exchange.com/discussions/210281/Attachments-with-no-extension.html). This reminded me of questions tha…
In part one, we reviewed the prerequisites required for installing SQL Server vNext. In this part we will explore how to install Microsoft's SQL Server on Ubuntu 16.04.
Learn how to navigate the file tree with the shell. Use pwd to print the current working directory: Use ls to list a directory's contents: Use cd to change to a new directory: Use wildcards instead of typing out long directory names: Use ../ to move…
How to Install VMware Tools in Red Hat Enterprise Linux 6.4 (RHEL 6.4) Step-by-Step Tutorial
Suggested Courses
Course of the Month7 days, 23 hours left to enroll

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question