Solved

Can the firewall from linux (centOS 5) able to filter some of ip?

Posted on 2008-06-16
18
3,903 Views
Last Modified: 2013-12-15
Dear Sir/Madam

I just install an linux (centOS 5) with oracle 11g.
When I setup the firewall of an linux (centOS 5), I have an question.
My question is can I set the firewall only able to be access from some of ip through the port 1521 to linux (centOS 5)?
(e.g.) the port 1521 only accessable from  192.168.0.1,192.168.0.2,192.168.0.3 to my oracle server (centOS 5), all the others are denied, will it possible?

Thanks
Francis SZE
Screenshot.png
0
Comment
Question by:fsze88
  • 7
  • 6
  • 3
  • +1
18 Comments
 
LVL 19

Expert Comment

by:http:// thevpn.guru
ID: 21791780
using command line execute

iptables -A INPUT --source   192.168.0.1 -p tcp  --dport 1521 -j ACCEPT
iptables -A INPUT --source   192.168.0.2 -p tcp  --dport 1521 -j ACCEPT
iptables -A INPUT --source   192.168.0.3 -p tcp  --dport 1521 -j ACCEPT
iptables -A INPUT -p tcp  --dport 1521 -j DROP
0
 
LVL 13

Expert Comment

by:sonicefu
ID: 21791787
0
 
LVL 19

Expert Comment

by:http:// thevpn.guru
ID: 21791821
that is iptables, ipchains are outdated.
0
 
LVL 32

Assisted Solution

by:Kamran Arshad
Kamran Arshad earned 200 total points
ID: 21791823
Hi,

Yes you can allow and block IP address ranges in CentOS using IPTables. Please read the below article for howto:

http://wiki.centos.org/HowTos/Network/IPTables
0
 
LVL 19

Expert Comment

by:http:// thevpn.guru
ID: 21791832
Has anyone read my comment..the first one ?
0
 
LVL 13

Expert Comment

by:sonicefu
ID: 21791881
Important Commands
Commands.pdf
0
 
LVL 13

Expert Comment

by:sonicefu
ID: 21791885
Alternative Method
If you are using managed switch, you can achieve this goal by configuring access-list
0
 
LVL 15

Author Comment

by:fsze88
ID: 21792349
Dear Sir/Madam

I would like to know if I only accept 192.168.123.x to access linux (centOS 5) through the port 1521.
The only things I sould do is as following?

After that, all finished?
After saved (/sbin/service iptables save), after reboot, I would have same setting as before?
 iptables -F

 iptables -P INPUT DROP

 iptables -P FORWARD DROP

 iptables -P OUTPUT ACCEPT

 iptables -A INPUT -i lo -j ACCEPT

 iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 

 iptables -A INPUT -s 192.168.123.0/24 -p tcp --dport 1521 -j ACCEPT  

 /sbin/service iptables save

Open in new window

0
 
LVL 19

Expert Comment

by:http:// thevpn.guru
ID: 21792369
yes however add

iptables -A INPUT -s  -p tcp --dport 1521 -j DROP

if you change your default policy to ACCEPT in future time.
0
Control application downtime with dependency maps

Visualize the interdependencies between application components better with Applications Manager's automated application discovery and dependency mapping feature. Resolve performance issues faster by quickly isolating problematic components.

 
LVL 15

Author Comment

by:fsze88
ID: 21792460
So, I run following command once all done!?
Also, I would like to know what's meaning of 24 from the command line
iptables -A INPUT -s 192.168.123.0/<b>24</b> -p tcp --dport 1521 -j ACCEPT  
 iptables -F

 iptables -P INPUT DROP

 iptables -P FORWARD DROP

 iptables -P OUTPUT ACCEPT

 iptables -A INPUT -i lo -j ACCEPT

 iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

 iptables -A INPUT -i eth0 -j ACCEPT

 iptables -A INPUT -s 192.168.123.0/24 -p tcp --dport 1521 -j ACCEPT  # using standard slash notation

 iptables -A INPUT -s  -p tcp --dport 1521 -j DROP 
 

 /sbin/service iptables save

Open in new window

0
 
LVL 32

Expert Comment

by:Kamran Arshad
ID: 21792472
24 shows the number of bits used as network. Your IP address is class C address which has by default 24 bits for network and 8 bits for host.

xxxxxxxx.xxxxxxxx.xxxxxxxx.hhhhhhhh

Where x are network bits.
0
 
LVL 19

Accepted Solution

by:
http:// thevpn.guru earned 300 total points
ID: 21792473
The 24 you added means all IPs from 192.168.123.1 to 192.168.123.254

If you do not want that replace

iptables -A INPUT -s 192.168.123.0/24 -p tcp --dport 1521 -j ACCEPT

with

iptables -A INPUT --source   192.168.123.1 -p tcp  --dport 1521 -j ACCEPT
iptables -A INPUT --source   192.168.123.2 -p tcp  --dport 1521 -j ACCEPT
iptables -A INPUT --source   192.168.123.3 -p tcp  --dport 1521 -j ACCEPT
0
 
LVL 15

Author Comment

by:fsze88
ID: 21800319
Dear Sir/Madam

I would like to know the port number of samba?
Because I may need to share samba from the linux (centOS 5) to windows XP.

Thanks
Francis SZE
0
 
LVL 19

Expert Comment

by:http:// thevpn.guru
ID: 21800326
netbios-ns      137/tcp                        # NETBIOS Name Service
netbios-ns      137/udp
netbios-dgm      138/tcp                        # NETBIOS Datagram Service
netbios-dgm      138/udp
netbios-ssn      139/tcp                        # NETBIOS session service
netbios-ssn      139/udp
0
 
LVL 19

Expert Comment

by:http:// thevpn.guru
ID: 21800330
Hmm..and 445
0
 
LVL 15

Author Comment

by:fsze88
ID: 21809852
Dear sir/madam

Am I need to delete line7 "iptables -A INPUT -i eth0 -j ACCEPT"?

Is the following to open samba for anothers computer?

netbios-ns      137/tcp                        # NETBIOS Name Service
netbios-ns      137/udp
netbios-dgm      138/tcp                        # NETBIOS Datagram Service
netbios-dgm      138/udp
netbios-ssn      139/tcp                        # NETBIOS session service
netbios-ssn      139/udp

Manay Thanks
Francis SZE
0
 
LVL 15

Author Comment

by:fsze88
ID: 21810598
Dear sir/madam

I had input command as below , But the samba is not work fine.
anyone can help me!?

Many Thanks
Francis SZE
 iptables -F

 iptables -P INPUT DROP

 iptables -P FORWARD DROP

 iptables -P OUTPUT ACCEPT

 iptables -A INPUT -i lo -j ACCEPT

 iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 

 iptables -A INPUT -s 192.168.123.0/24 -p tcp --dport 1521 -j ACCEPT  

 iptables -A INPUT -s 192.168.123.0/24 -p tcp --dport 445 -j ACCEPT  
 

 /sbin/service iptables save

Open in new window

access.PNG
0
 
LVL 15

Author Comment

by:fsze88
ID: 21830277
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 
iptables -A INPUT -s 192.168.123.0/24 -p tcp --dport 1521 -j ACCEPT  
iptables -A INPUT -s 192.168.123.0/24 -p tcp --dport 445 -j ACCEPT  

iptables -A INPUT -s 192.168.123.0/24 -p tcp --dport 137 -j ACCEPT  
iptables -A INPUT -s 192.168.123.0/24 -p tcp --dport 138 -j ACCEPT  
iptables -A INPUT -s 192.168.123.0/24 -p tcp --dport 139 -j ACCEPT  
iptables -A INPUT -s 192.168.123.0/24 -p udp --dport 137 -j ACCEPT  
iptables -A INPUT -s 192.168.123.0/24 -p udp --dport 138 -j ACCEPT  
iptables -A INPUT -s 192.168.123.0/24 -p udp --dport 139 -j ACCEPT  
 
/sbin/service iptables save
0

Featured Post

Scale it in WD Gold

With up to ten times the workload capacity of desktop drives, WD Gold hard drives employ advanced technology to deliver among the best in reliability, capacity, power efficiency and performance.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Guacamole cut and paste issue 3 42
Assess most serious Linux privilege escalation bug 17 144
Install Dell OpenManage on Ubuntu PowerEdge R410 3 40
Linux Scripting 3 95
How many times have you wanted to quickly do the same thing to a list but found yourself typing it again and again? I first figured out a small time saver with the up arrow to recall the last command but that can only get you so far if you have a bi…
Note: for this to work properly you need to use a Cross-Over network cable. 1. Connect both servers S1 and S2 on the second network slots respectively. Note that you can use the 1st slots but usually these would be occupied by the Service Provide…
Learn how to find files with the shell using the find and locate commands. Use locate to find a needle in a haystack.: With locate, check if the file still exists.: Use find to get the actual location of the file.:
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

929 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now