LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 10-05-2009, 01:31 AM   #1
saifkhan123
Member
 
Registered: Apr 2009
Distribution: Red Hat/CentOS
Posts: 108

Rep: Reputation: 19
iptables configuration with 3 NIC


Hi all, I am very new to this iptables thing.

I have an Oracle RAC server running on RHEL 5.2 with 3 NICs (eth0, eth1, eth2), and I have to configure iptables on it.

Actually it is a cluster of 2 machines, both identical in every sense; the eth0 of both are connected via a cross-cable, so I want no other traffic on eth0. The other 2 interfaces are for access from the LAN, and no internet connectivity is allowed to this server. The only port to be allowed for incoming connections is TCP port 1521, which is used by the Oracle listener.

I want some specific LAN IP addresses to be bound on both interfaces (eth1, eth2); let's say IP addresses like 10.10.2.12 should be allowed only on eth1 and TCP port 1521, and all others should be dropped on this interface, and IP addresses like 172.16.100.11 should be allowed only on eth2.

Remember that the eth0 interfaces of both machines have IP addresses 192.168.11.10 and 192.168.11.11 respectively, and they are connected directly with a cross cable.

I have tried making some simple configurations like:
Code:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2:243]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.11.10 -i eth0 -p tcp -m tcp --dport 1:65000 -m state --state NEW -j ACCEPT
-A INPUT -s 10.10.2.12 -i eth1 -p tcp -m tcp --dport 1521 -m state --state NEW -j ACCEPT
-A INPUT -s 172.16.100.11 -i eth2 -p tcp -m tcp --dport 1521 -m state --state NEW -j ACCEPT
-A INPUT -j DROP
COMMIT
But it's not working; kindly suggest.

Last edited by saifkhan123; 10-05-2009 at 01:32 AM.
 
Old 10-05-2009, 02:23 AM   #2
kbp
Senior Member
 
Registered: Aug 2009
Posts: 3,790

Rep: Reputation: 653
Hi,

You will need to start out by determining all the traffic that Oracle RAC requires, including between nodes. You will also need to determine the roles for each interface, e.g. cluster heartbeat, management, public data. Once you have all this info, the rules will be easier to create; here is a base config I usually start with:

Code:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
Just remember that the rules are processed top to bottom so the ordering is important.

HTH
 
Old 10-05-2009, 03:45 AM   #3
saifkhan123
Member
 
Registered: Apr 2009
Distribution: Red Hat/CentOS
Posts: 108

Original Poster
Rep: Reputation: 19
@kbp

Cluster heartbeat (CS4/RAC) is on eth1, the AppTier network is set on eth2; I think these 2 things are enough for setting up iptables. The main port which the applications/users will use is 1521.

Can you be more specific about the rules?
 
Old 10-05-2009, 07:16 AM   #4
kbp
Senior Member
 
Registered: Aug 2009
Posts: 3,790

Rep: Reputation: 653
Based on your information, maybe something like this?:

Code:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
-A INPUT -s 10.10.2.12 -i eth1 -m state --state NEW -j ACCEPT
-A INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 1521 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
The above rules (untested) roughly translate to:

Allow inbound ssh connections on the mgmt interface (eth0)
Allow unrestricted access from the other node on eth1 (10.10.2.12)
Allow inbound connections to Oracle on any interface (port 1521)

Please ensure that RAC is fully functioning before you start locking it down; if you aren't sure of the required ports, try running tcpdump for a while or reading the Oracle RAC/Clusterware doco.

cheers,

kbp
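Neither ruleset in this thread comes with a way to see what it will do to a given packet before it is loaded. The script below is an added example, not code from the thread or from kbp: it parses the INPUT chain of the two rulesets posted above (the OP's first attempt and kbp's second proposal) and walks them first-match, top to bottom, over a few constructed packets, so both the ordering point kbp makes in his first reply and the plain-English translation in his second can be checked rule by rule. The sample packets, the field names and the simulator itself are my assumptions; it models only the matches these rulesets use, not real conntrack behaviour or the FORWARD/OUTPUT chains.

```python
# Added example (not code from the thread or from kbp): a first-match
# simulator for the INPUT chain of an iptables-save style ruleset.  It
# supports only the matches the posted rulesets use (-i, -s, -p, --dport,
# --icmp-type, --state, -j, --reject-with); it does not model conntrack.
import ipaddress
import shlex

# INPUT-chain lines of the two rulesets posted in the thread (verbatim,
# the OP's wrapped "-j / ACCEPT" line joined).
OP_RULES = """\
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.11.10 -i eth0 -p tcp -m tcp --dport 1:65000 -m state --state NEW -j ACCEPT
-A INPUT -s 10.10.2.12 -i eth1 -p tcp -m tcp --dport 1521 -m state --state NEW -j ACCEPT
-A INPUT -s 172.16.100.11 -i eth2 -p tcp -m tcp --dport 1521 -m state --state NEW -j ACCEPT
-A INPUT -j DROP
"""

KBP_RULES = """\
:INPUT DROP [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
-A INPUT -s 10.10.2.12 -i eth1 -m state --state NEW -j ACCEPT
-A INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 1521 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""

# Constructed sample packets (not captured traffic); "state" is the
# conntrack state a real kernel would have assigned.
SAMPLES = {
    "peer_tcp_1521_eth1":     dict(iface="eth1", src="10.10.2.12", proto="tcp", dport=1521, state="NEW"),
    "stranger_tcp_1521_eth2": dict(iface="eth2", src="172.16.100.99", proto="tcp", dport=1521, state="NEW"),
    "peer_udp_eth1":          dict(iface="eth1", src="10.10.2.12", proto="udp", dport=42424, state="NEW"),
    "node_ssh_eth0":          dict(iface="eth0", src="192.168.11.10", proto="tcp", dport=22, state="NEW"),
    "ping_eth2":              dict(iface="eth2", src="172.16.100.11", proto="icmp", icmp_type="echo-request", state="NEW"),
}

VALUE_OPTS = ("-i", "-s", "-p", "--dport", "--state", "--icmp-type", "-j", "--reject-with")

def parse_rule(tokens):
    """Turn the tokens after '-A INPUT' into an {option: value} dict."""
    rule, i = {}, 0
    while i < len(tokens):
        if tokens[i] == "-m":            # match-extension name, no test by itself
            i += 2
        elif tokens[i] in VALUE_OPTS:
            rule[tokens[i]] = tokens[i + 1]
            i += 2
        else:
            raise ValueError("unsupported token %r" % tokens[i])
    return rule

def parse_input_chain(text):
    """Return (policy, rules) for the INPUT chain of an iptables-save dump."""
    policy, rules = "ACCEPT", []
    for line in text.splitlines():
        if line.startswith(":INPUT "):
            policy = line.split()[1]
        elif line.startswith("-A INPUT "):
            rules.append(parse_rule(shlex.split(line)[2:]))
    return policy, rules

def matches(rule, pkt):
    """True if every match present in the rule holds for the packet."""
    if "-i" in rule and pkt["iface"] != rule["-i"]:
        return False
    if "-s" in rule and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule["-s"], strict=False):
        return False
    if "-p" in rule and pkt["proto"] != rule["-p"]:
        return False
    if "--state" in rule and pkt["state"] not in rule["--state"].split(","):
        return False
    if "--icmp-type" in rule and pkt.get("icmp_type") != rule["--icmp-type"]:
        return False
    if "--dport" in rule:                # single port or lo:hi range
        lo, _, hi = rule["--dport"].partition(":")
        if pkt.get("dport") is None or not int(lo) <= pkt["dport"] <= int(hi or lo):
            return False
    return True

def verdict(ruleset_text, pkt):
    """First-match walk: (target, rule number), or (chain policy, None)."""
    policy, rules = parse_input_chain(ruleset_text)
    for n, rule in enumerate(rules, 1):
        if matches(rule, pkt):
            return rule["-j"], n
    return policy, None

def swap_rules(text, first_substr, second_substr):
    """Exchange the two lines containing the substrings: iptables is
    first-match, so moving a rule changes what later rules ever see."""
    lines = text.splitlines()
    i = next(k for k, l in enumerate(lines) if first_substr in l)
    j = next(k for k, l in enumerate(lines) if second_substr in l)
    lines[i], lines[j] = lines[j], lines[i]
    return "\n".join(lines)

if __name__ == "__main__":
    reordered = swap_rules(KBP_RULES, "--dport 1521", "-A INPUT -j REJECT")
    for label, text in (("OP", OP_RULES), ("kbp", KBP_RULES), ("kbp, REJECT above 1521", reordered)):
        print(label)
        for name, pkt in SAMPLES.items():
            print("  %-24s %-7s rule %s" % ((name,) + verdict(text, pkt)))
```

Running it shows that the OP's rules drop echo-request and any non-TCP traffic from the peer node, so establishing what RAC actually sends, as kbp suggests, comes before fine-tuning the rules; that kbp's second ruleset accepts port 1521 from any source on any interface, looser than the per-interface source restriction the OP asked for; and that moving the REJECT line above the 1521 line turns that accept into a reject, which is the ordering point from kbp's first reply.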
 
  

