Restrict access to a particular server.

Marti, Rob RJM002 at shsu.edu
Mon Oct 20 14:42:57 UTC 2008


Not sure Oracle allows tcpwrappers...

Rob Marti

I'd do -A INPUT -s ! machine_A -p tcp --dport 1521 -j DROP
if you're only ever going to give one box access to the database.

-----Original Message-----
From: redhat-list-bounces at redhat.com [mailto:redhat-list-bounces at redhat.com] On Behalf Of Ryan Golhar
Sent: Monday, October 20, 2008 8:58 AM
To: General Red Hat Linux discussion list
Subject: Re: Restrict access to a particular server.

Why not use hosts.allow/hosts.deny from xinetd?   I allow port 22 access
via iptables, but use xinetd to restrict access by host.  The reason for this is there seem to be a lot of spoofing attempts.

Rohit khaladkar wrote:
> Great! This helps!! Thanks a lot!!
> Rohit
>
> On Mon, Oct 20, 2008 at 3:45 PM, Stephen Gilbert <linuxelf at gmail.com> wrote:
>
>> You can either set your default policy to drop
>>
>> iptables -P INPUT DROP
>>
>> This would drop all packets from all servers by default.  Then the
>>
>> iptables -A INPUT -s machine_A -p tcp --dport 1521 -j ACCEPT
>>
>> would accept only packets from machine_A into Oracle.
>>
>> You may want to add a few more ports, such as 22 for ssh access.
>>
>> Alternately, you could add
>>
>> iptables -A INPUT -s machine_A -p tcp --dport 1521 -j ACCEPT
>> iptables -A INPUT -p tcp --dport 1521 -j DROP
>>
>> Basically, this says machine A can hit 1521, but anyone else that
>> tries, just drop the packet.
>>
>> Rohit khaladkar wrote:
>>> Thanks Geoff!! This would definitely help. So can there be a
>>> master rule which would prevent all IP addresses except one (machine A)?
>>> Thanks!
>>> Rohit
>>>
>>> On Mon, Oct 20, 2008 at 2:07 PM, Geofrey Rainey
>>> <Geofrey.Rainey at tvnz.co.nz>wrote:
>>>
>>>
>>>> You want something like this:
>>>>
>>>> iptables -A INPUT -s machine_A -p tcp --dport 1521 -j ACCEPT
>>>>
>>>> This rule means allow access to port 1521 from IP machine_A.
>>>> Of course this rule alone will not prevent all-and-sundry from
>>>> connecting to the server on any port, so you'll need to add many
>>>> more rules to secure your server.
>>>>
>>>> Regards,
>>>> Geoff.
>>>>
>>>> -----Original Message-----
>>>> From: redhat-list-bounces at redhat.com
>>>> [mailto:redhat-list-bounces at redhat.com] On Behalf Of Rohit
>>>> khaladkar
>>>> Sent: Monday, 20 October 2008 8:10 p.m.
>>>> To: General Red Hat Linux discussion list
>>>> Subject: Restrict access to a particular server.
>>>>
>>>> Hi All, I have two machines with Red Hat Linux 5.2 installed, of
>>>> which one is a database server running Oracle 10.0.4 on it. I need
>>>> an iptables rule which would make sure that only the other machine
>>>> would have access to it.
>>>>
>>>> For eg: If I have two machines, machine A and machine B, of which
>>>> machine B is a database server, can I set up an iptables rule on
>>>> machine B which would allow access to the database only by machine A?
>>>>
>>>> Please help.
>>>>
>>>> Thanks!
>>>> Rohit Khaladkar
>>>> --
>>>> redhat-list mailing list
>>>> unsubscribe
>>>> mailto:redhat-list-request at redhat.com?subject=unsubscribe
>>>> https://www.redhat.com/mailman/listinfo/redhat-list
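The thread converges on two things: a per-client ACCEPT on 1521 that must come before a catch-all DROP for that port, and the need for further rules (loopback, established sessions, ssh) once the default policy is DROP. The script below is an added example, not code from any of the posters; it assumes a constructed client address 192.0.2.10 for "machine A", a RHEL-era iptables with the `state` match, and it only prints the rules unless run as root with `--apply`. It also checks rule ordering, since an ACCEPT placed after the catch-all DROP never matches.

```shell
#!/bin/sh
# Added example (not from the original thread). Generates the whitelist
# ruleset for a database host that should accept port 1521 only from one
# client. 192.0.2.10 is a constructed placeholder for "machine A".

ORACLE_PORT=1521
CLIENT="192.0.2.10"   # constructed placeholder for machine A

# Print the ruleset in the order it must be applied. Rules go in first and
# the DROP policy is set last, so applying this over ssh does not cut the
# session before the ssh/ESTABLISHED rules exist.
build_rules() {
  client="$1"; port="$2"
  cat <<EOF
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s $client -p tcp --dport $port -j ACCEPT
iptables -A INPUT -p tcp --dport $port -j DROP
iptables -P INPUT DROP
EOF
}

# Ordering check: the client's ACCEPT for the port must appear on an earlier
# line than the catch-all DROP for the same port. Returns 0 when ordered.
rules_ordered() {
  rules="$(build_rules "$1" "$2")"
  accept_ln=$(printf '%s\n' "$rules" | grep -n -- "-s $1 -p tcp --dport $2 -j ACCEPT" | cut -d: -f1)
  drop_ln=$(printf '%s\n' "$rules" | grep -n -- "-A INPUT -p tcp --dport $2 -j DROP" | cut -d: -f1)
  [ -n "$accept_ln" ] && [ -n "$drop_ln" ] && [ "$accept_ln" -lt "$drop_ln" ]
}

# Apply only when running as root; otherwise just print the rules.
apply_rules() {
  if [ "$(id -u)" -ne 0 ]; then
    echo "not root: printing rules instead of applying them" >&2
    build_rules "$1" "$2"
    return 0
  fi
  rules_ordered "$1" "$2" || { echo "refusing to apply misordered rules" >&2; return 1; }
  build_rules "$1" "$2" | sh -e
}

if [ "${1:-}" = "--apply" ]; then
  apply_rules "$CLIENT" "$ORACLE_PORT"
else
  build_rules "$CLIENT" "$ORACLE_PORT"
fi
```

Run it without arguments to review the generated rules; `--apply` as root feeds them to the shell. The ESTABLISHED,RELATED rule is what keeps a default-DROP policy from breaking replies to connections the database host itself initiates, and the ssh rule should be narrowed to a management address in the same way as the 1521 rule if only one host needs it.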