This discussion is archived
25 Replies. Latest reply: Feb 12, 2008 7:24 AM by 622513
  • 15. Re: trigger for IP based restriction
    KeithJamieson Expert
    Are you trying to restrict access from inhouse Dba's?
  • 16. Re: trigger for IP based restriction
    60660 Journeyer
    Billy gave you a detailed explanation why your solution inside the database is flawed and how it could be compromised. You have been given several suggestions and hints how to attack that problem - restricting access to your database in a safe way - and your answers seem to indicate that you either can't or won't listen to people who have dealt with such issues. Your choice of course, but helping you with your problem then seems rather futile.

    C.
  • 17. Re: trigger for IP based restriction
    622296 Newbie
    Hi,
    Leaving DBA restriction aside, I just want to restrict other machines from accessing my server.
    Can I go for the same?
    The changes I made to sqlnet.ora are:

    tcp.validnode_checking=yes
    tcp.invited_nodes=(192.168.0.212,192.168.15.18)

    Reloaded the listener. It's still allowing access to other machines.
    What else I need to do?
  • 18. Re: trigger for IP based restriction
    BillyVerreynne Oracle ACE
    > Leaving DBA restriction aside, I just want to restrict other machines accessing my server.

    That is done using a firewall. Plain and simple.

    And please do not give another head-up-backside response to something so elementary to grasp.

    PS. And if you are running a Linux kernel with iptables enabled, I will gladly post you a basic firewall script to do exactly this.
  • 19. Re: trigger for IP based restriction
    622513 Newbie
    Which machine can you still access the database from?
    tcp.invited_nodes=(192.168.0.212,192.168.15.18)
    Of course you can access from 192.168.0.212 and 192.168.15.18.
  • 20. Re: trigger for IP based restriction
    622296 Newbie
    Hi Billy,
    Thanks... I would like to receive that script!
    And good to see your reply...

    ITDIGGER,
    I've already mentioned that "other machines" means machines except these two.
  • 21. Re: trigger for IP based restriction
    622513 Newbie
    vi /etc/sysconfig/iptables and add
    -A INPUT -s 192.168.18.200 -p tcp --dport 1521 -j DROP
  • 22. Re: trigger for IP based restriction
    622296 Newbie
    Hi,
    I've tried out this syntax.
    Yet I'm able to login through other machines. :(
  • 23. Re: trigger for IP based restriction
    BillyVerreynne Oracle ACE
    Here is the basic template of a firewall script, using iptables, that I have written for our RHEL (RedHat Enterprise Linux) servers.

    Save it as /etc/init.d/firewall and use chkconfig to configure it as a service to be managed (started and shut down) by the init daemon.

    These iptables rules are based on a firewall script written by Tim McCoy, which in turn was adapted from the Atomic Firewall script.

    You will need to modify parts of it for your own use. E.g. only eth0 is supported, only ssh, Oracle and web ports are opened, etc. On many of our servers we are using 3 network interfaces and on some there are numerous NAT rules too. However, the following suffices IMO as a basic template to start from.

    #! /bin/sh
    #
    # firewall starts/stops local iptables firewall
    #
    # chkconfig: 2345 08 92
    # description: Starts, stops and saves iptables firewall
    #
    # usage: Redhat Enterprise Linux. See chkconfig manpage for details.


    # Source function library.
    [ -f /etc/init.d/functions ] && . /etc/init.d/functions


    # variables
    ANY=0.0.0.0/0
    IPTABLES=/sbin/iptables
    MODPROBE=/sbin/modprobe


    # ---------------------------------------------------------------------------------------------
    SetIPstack()
    {
    # Set proc values for TCP/IP. In order:
    # Disable IP spoofing attacks
    # Ignore broadcast pings
    # Block source routing
    # Kill redirects
    # Set acceptable local port range

    echo "2" > /proc/sys/net/ipv4/conf/all/rp_filter
    echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
    echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
    echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range
    }

    # ---------------------------------------------------------------------------------------------
    FlushFirewall()
    {
    # Flush everything

    $IPTABLES -F INPUT
    $IPTABLES -F OUTPUT
    $IPTABLES -F FORWARD
    $IPTABLES -t nat -F
    $IPTABLES -t mangle -F
    }


    # ---------------------------------------------------------------------------------------------
    DefaultPolicy()
    {
    # Drop everything on INPUT and FORWARD chains, accept OUTPUT

    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT
    }


    # ---------------------------------------------------------------------------------------------
    AllowAll()
    {
    # No firewall policy - allow everything (flush first)
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT
    $IPTABLES -P OUTPUT ACCEPT
    }


    # ---------------------------------------------------------------------------------------------
    ConfigInputChain()
    {
    # Deny specific IP addresses, e.g. deny 10.251.93.89 access
    # $IPTABLES -A INPUT -i eth0 --source 10.251.93.89 -j DROP

    # Allow ssh
    $IPTABLES -A INPUT -p tcp --dport 22 -i eth0 -j ACCEPT

    # Allow Oracle's default listener port
    $IPTABLES -A INPUT -p tcp --dport 1521 -i eth0 -j ACCEPT

    # Allow web traffic
    $IPTABLES -A INPUT -p tcp --dport 80 -i eth0 -j ACCEPT          # http
    $IPTABLES -A INPUT -p tcp --dport 7777 -i eth0 -j ACCEPT        # APEX
    $IPTABLES -A INPUT -p tcp --dport 443 -i eth0 -j ACCEPT         # https

    # Allow ping
    $IPTABLES -A INPUT -p icmp -i eth0 -j ACCEPT

    # Allow all traffic on the loopback interface
    $IPTABLES -A INPUT -i lo -j ACCEPT

    # Stateful Packet Inspection to allow established connections through
    $IPTABLES -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Log everything else (this goes to /var/log/messages and can generate a lot of gunk)
    # $IPTABLES -A INPUT -i eth0 -j LOG --log-prefix "|iptables "
    }


    # ---------------------------------------------------------------------------------------------
    start()
    {
    echo -n "Starting $IPTABLES firewall"

    SetIPstack
    FlushFirewall
    DefaultPolicy
    ConfigInputChain

    echo_success
    }


    # ---------------------------------------------------------------------------------------------
    stop()
    {
    echo -n "Shutting down $IPTABLES firewall"

    FlushFirewall
    AllowAll

    echo_success
    }

    # ---------------------------------------------------------------------------------------------
    status()
    {
    $IPTABLES --list
    }



    # ---------------------------------------------------------------------------------------------
    # main()
    case "$1" in

    start)
    start
    ;;

    stop)
    stop
    ;;

    restart)
    start
    ;;

    status)
    status
    ;;

    *)
    echo $"Usage: $0 {start|stop|restart|status}"
    esac

    exit 0

    # eof
  • 24. Re: trigger for IP based restriction
    60660 Journeyer
    As a sidenote: I found shorewall quite helpful for my firewall configuration tasks.

    C.
  • 25. Re: trigger for IP based restriction
    622513 Newbie
    That may be because you did not restart your iptables service.
    service iptables start
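The restriction the thread keeps returning to (posts 17, 20, 21, 22 and 25: only 192.168.0.212 and 192.168.15.18 may reach the listener, every other machine is refused), written out as an added example that is not part of the thread and not Billy's template above. It is a small POSIX shell script that builds the INPUT rules for the listener port from an allow-list, validates each address before it is handed to iptables, and can print the rules instead of loading them. It assumes one outside interface (eth0), the default listener port 1521 and the classic RHEL `iptables` service; the function names `ipt`, `valid_ipv4` and `listener_rules` are its own.

```shell
#!/bin/sh
# Added example, not from the thread: restrict the Oracle listener port to an
# allow-list of client addresses with iptables. Everything else sent to that
# port on the outside interface is dropped. Assumptions: one interface (eth0),
# the default listener port 1521, the RHEL "iptables" service.
# Run as "sh listener-allow.sh show" to print the rules, "apply" to load them.

IPTABLES=${IPTABLES:-/sbin/iptables}
IFACE=${IFACE:-eth0}
LISTENER_PORT=${LISTENER_PORT:-1521}
# The two hosts named in the thread (constructed allow-list; CIDR works too).
ALLOWED_HOSTS=${ALLOWED_HOSTS:-"192.168.0.212 192.168.15.18"}

# Execute an iptables command, or only print it when DRY_RUN=1.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

# Accept only a dotted-quad IPv4 address with an optional /0-32 prefix.
# A stray word in the allow-list must fail loudly rather than reach iptables
# as an argument that matches something other than what was intended.
valid_ipv4() {
    addr=$1
    prefix=32
    case "$addr" in
        ""|*[!0-9./]*) return 1 ;;
        */*) prefix=${addr#*/}; addr=${addr%%/*} ;;
    esac
    case "$prefix" in
        ""|*[!0-9]*) return 1 ;;
    esac
    [ "$prefix" -le 32 ] || return 1
    oldifs=$IFS
    IFS=.
    set -- $addr
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ""|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Emit the INPUT rules for the listener port. Order matters: iptables uses the
# first matching rule, so the per-host ACCEPTs must come before the DROP that
# catches every other source. The DROP is explicit on purpose: the result then
# does not depend on the chain's default policy already being DROP.
listener_rules() {
    for host in $ALLOWED_HOSTS; do
        valid_ipv4 "$host" || {
            echo "listener_rules: bad address in ALLOWED_HOSTS: $host" >&2
            return 1
        }
    done
    # Replies to connections this server opened itself must still get in.
    ipt -A INPUT -i "$IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
    for host in $ALLOWED_HOSTS; do
        ipt -A INPUT -i "$IFACE" -p tcp -s "$host" --dport "$LISTENER_PORT" -j ACCEPT
    done
    ipt -A INPUT -i "$IFACE" -p tcp --dport "$LISTENER_PORT" -j DROP
}

case "${1:-}" in
    show)  DRY_RUN=1; listener_rules ;;
    apply) listener_rules ;;
esac
```

Two things this makes explicit. A single `-A INPUT -s 192.168.18.200 -p tcp --dport 1521 -j DROP`, as in post 21, blocks exactly that one host; it is the trailing DROP for the port that blocks "other machines". And rules can be absent without any error, which is the symptom in post 22: editing /etc/sysconfig/iptables changes nothing until `service iptables restart` (the file is only read when the service starts), while rules added by hand with `iptables -A` vanish at the next restart unless `service iptables save` writes them back to that file. Check what is actually loaded with `iptables -L INPUT -n -v --line-numbers`, then test from a third machine that is not on the list.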