Can the firewall in Linux (CentOS 5) filter some IPs?

Posted on 2008-06-16
Last Modified: 2013-12-15
Dear Sir/Madam

I have just installed Linux (CentOS 5) with Oracle 11g.
When I set up the firewall of Linux (CentOS 5), I have a question.
My question is: can I set the firewall so that it is only accessible from some IPs through port 1521 to Linux (CentOS 5)?
(e.g.) port 1521 only accessible from 192.168.0.1, 192.168.0.2, 192.168.0.3 to my Oracle server (CentOS 5), all the others denied; is it possible?

Thanks
Francis SZE
Question by:fsze88
18 Comments
 
LVL 19

Expert Comment

by:http:// thevpn.guru
ID: 21791780
Using the command line, execute:

iptables -A INPUT --source 192.168.0.1 -p tcp --dport 1521 -j ACCEPT
iptables -A INPUT --source 192.168.0.2 -p tcp --dport 1521 -j ACCEPT
iptables -A INPUT --source 192.168.0.3 -p tcp --dport 1521 -j ACCEPT
iptables -A INPUT -p tcp --dport 1521 -j DROP
 
LVL 13

Expert Comment

by:sonicefu
ID: 21791787
0
 
LVL 19

Expert Comment

by:http:// thevpn.guru
ID: 21791821
That is iptables; ipchains is outdated.
 
LVL 32

Assisted Solution

by:Kamran Arshad
Kamran Arshad earned 200 total points
ID: 21791823
Hi,

Yes, you can allow and block IP address ranges in CentOS using iptables. Please read the article below for a how-to:

http://wiki.centos.org/HowTos/Network/IPTables
 
LVL 19

Expert Comment

by:http:// thevpn.guru
ID: 21791832
Has anyone read my comment, the first one?
 
LVL 13

Expert Comment

by:sonicefu
ID: 21791881
Important Commands
 
LVL 13

Expert Comment

by:sonicefu
ID: 21791885
Alternative Method
If you are using a managed switch, you can achieve this goal by configuring an access list.
 
LVL 15

Author Comment

by:fsze88
ID: 21792349
Dear Sir/Madam

I would like to know if I can only accept 192.168.123.x to access Linux (CentOS 5) through port 1521.
Is the following the only thing I should do?

After that, is everything finished?
After saving (/sbin/service iptables save) and rebooting, will I have the same settings as before?

iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -s 192.168.123.0/24 -p tcp --dport 1521 -j ACCEPT
/sbin/service iptables save
 
LVL 19

Expert Comment

by:http:// thevpn.guru
ID: 21792369
Yes, however add

iptables -A INPUT -p tcp --dport 1521 -j DROP

in case you change your default policy to ACCEPT at some future time.
 
LVL 15

Author Comment

by:fsze88
ID: 21792460
So, do I run the following commands once and all is done!?
Also, I would like to know the meaning of the 24 in the command line
iptables -A INPUT -s 192.168.123.0/24 -p tcp --dport 1521 -j ACCEPT

iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A INPUT -s 192.168.123.0/24 -p tcp --dport 1521 -j ACCEPT  # using standard slash notation
iptables -A INPUT -p tcp --dport 1521 -j DROP

/sbin/service iptables save
 
LVL 32

Expert Comment

by:Kamran Arshad
ID: 21792472
24 shows the number of bits used as the network part. Your IP address is a class C address, which by default has 24 bits for the network and 8 bits for the host.

xxxxxxxx.xxxxxxxx.xxxxxxxx.hhhhhhhh

Where x are network bits and h are host bits.
 
LVL 19

Accepted Solution

by:
http:// thevpn.guru earned 300 total points
ID: 21792473
The 24 you added means all IPs from 192.168.123.1 to 192.168.123.254.

If you do not want that, replace

iptables -A INPUT -s 192.168.123.0/24 -p tcp --dport 1521 -j ACCEPT

with

iptables -A INPUT --source 192.168.123.1 -p tcp --dport 1521 -j ACCEPT
iptables -A INPUT --source 192.168.123.2 -p tcp --dport 1521 -j ACCEPT
iptables -A INPUT --source 192.168.123.3 -p tcp --dport 1521 -j ACCEPT
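As an added example (not code from the thread or from thevpn.guru), the script below generates the per-host or per-subnet rule set discussed above for a given port and shows, by a membership check, exactly which addresses a /24 prefix covers. It only prints rules and never calls the real iptables, so it can be run as a dry run before touching the firewall.

```shell
#!/bin/sh
# Added example, not code from the thread: generate the per-host or per-subnet
# rules thevpn.guru recommends, and show what the /24 in 192.168.123.0/24
# covers. Nothing here touches the kernel; the rules are only printed.

# ip4_to_int: dotted quad -> 32-bit integer (octets without leading zeros)
ip4_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_cidr ADDR NET/BITS: succeed if ADDR lies inside the prefix
in_cidr() {
    addr=$(ip4_to_int "$1")
    net=$(ip4_to_int "${2%/*}")
    bits=${2#*/}
    # keep the high BITS bits, e.g. /24 -> 255.255.255.0
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# port_rules PORT PROTO SRC...: one ACCEPT per allowed source, then the
# explicit DROP so the port stays closed even if the INPUT policy is later
# set back to ACCEPT. No blanket "-i eth0 -j ACCEPT" is emitted: iptables
# uses the first matching rule, so such a rule placed earlier would admit
# every source before these are ever consulted.
port_rules() {
    port=$1; proto=$2; shift 2
    for src in "$@"; do
        printf 'iptables -A INPUT -s %s -p %s --dport %s -j ACCEPT\n' \
            "$src" "$proto" "$port"
    done
    printf 'iptables -A INPUT -p %s --dport %s -j DROP\n' "$proto" "$port"
}

# count_rules: how many lines port_rules would emit
count_rules() { port_rules "$@" | wc -l | tr -d ' '; }

# Demo: three individual hosts for the Oracle listener, then membership checks
port_rules 1521 tcp 192.168.123.1 192.168.123.2 192.168.123.3
for ip in 192.168.123.200 192.168.124.1; do
    if in_cidr "$ip" 192.168.123.0/24; then
        echo "$ip is inside 192.168.123.0/24"
    else
        echo "$ip is outside 192.168.123.0/24"
    fi
done
```

Redirect the output of port_rules to a file and review it before running it with root privileges; the same function works for the Samba ports by passing udp or tcp as the protocol.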
 
LVL 15

Author Comment

by:fsze88
ID: 21800319
Dear Sir/Madam

I would like to know the port number of Samba,
because I may need to share Samba from Linux (CentOS 5) to Windows XP.

Thanks
Francis SZE
 
LVL 19

Expert Comment

by:http:// thevpn.guru
ID: 21800326
netbios-ns      137/tcp                        # NETBIOS Name Service
netbios-ns      137/udp
netbios-dgm      138/tcp                        # NETBIOS Datagram Service
netbios-dgm      138/udp
netbios-ssn      139/tcp                        # NETBIOS session service
netbios-ssn      139/udp
 
LVL 19

Expert Comment

by:http:// thevpn.guru
ID: 21800330
Hmm... and 445.
 
LVL 15

Author Comment

by:fsze88
ID: 21809852
Dear Sir/Madam

Do I need to delete line 7, "iptables -A INPUT -i eth0 -j ACCEPT"?

Is the following what opens Samba for other computers?

netbios-ns      137/tcp                        # NETBIOS Name Service
netbios-ns      137/udp
netbios-dgm     138/tcp                        # NETBIOS Datagram Service
netbios-dgm     138/udp
netbios-ssn     139/tcp                        # NETBIOS session service
netbios-ssn     139/udp

Many Thanks
Francis SZE
 
LVL 15

Author Comment

by:fsze88
ID: 21810598
Dear Sir/Madam

I have input the commands below, but Samba does not work properly.
Can anyone help me!?

Many Thanks
Francis SZE

iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -s 192.168.123.0/24 -p tcp --dport 1521 -j ACCEPT
iptables -A INPUT -s 192.168.123.0/24 -p tcp --dport 445 -j ACCEPT

/sbin/service iptables save
 
LVL 15

Author Comment

by:fsze88
ID: 21830277
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 
iptables -A INPUT -s 192.168.123.0/24 -p tcp --dport 1521 -j ACCEPT  
iptables -A INPUT -s 192.168.123.0/24 -p tcp --dport 445 -j ACCEPT  

iptables -A INPUT -s 192.168.123.0/24 -p tcp --dport 137 -j ACCEPT  
iptables -A INPUT -s 192.168.123.0/24 -p tcp --dport 138 -j ACCEPT  
iptables -A INPUT -s 192.168.123.0/24 -p tcp --dport 139 -j ACCEPT  
iptables -A INPUT -s 192.168.123.0/24 -p udp --dport 137 -j ACCEPT  
iptables -A INPUT -s 192.168.123.0/24 -p udp --dport 138 -j ACCEPT  
iptables -A INPUT -s 192.168.123.0/24 -p udp --dport 139 -j ACCEPT  
 
/sbin/service iptables save