Iptables, netfiltering? I need only...
Hi people,

I installed a Linux SuSE 7.2 server with Oracle 9i and Apache/Tomcat. All works very nicely. Now I have only one need, for security reasons: I have to administer this server remotely, so I need this configuration:

- port 80: open worldwide;
- port 1521 (Oracle): open only for a C-class address, say x.y.z.*;
- port 22: as above.

I read various howtos and FAQs about netfilter and iptables, but they talk about NAT, IP forwarding, IP masquerading... I think I need something much simpler: a simple filter of incoming packets, isn't it? Can someone be so nice as to tell me exactly what I need, whether or not I have to recompile the kernel, and give me a sketch of a possible configuration? I'm confused, help me! Thanks in advance for your time.

--
Mario Libraro
Web Applications Developer
Fulltrading S.p.A.
00148 Roma - Via Di Affogalasino, 105
tel. +39 06 65 73 170
fax +39 06 65 73 529
mob. +39 347 5205 752
email: m.libraro@fulltrading.it m.libraro@tiresia.it
web: www.fulltrading.it
If you don't have any clue about iptables, I'd advise you to use SuSEfirewall2: read the documentation in /etc/rc.config.d/firewall2.rc.config and adjust the values.

Basically you only need to set your DEV_WORLD and DEV_INT (if you have an extra network card for the internal class C network) and then allow 80 and 22 from EXTERNAL and 1521 from internal. If you have only one network device, configure your class C as a trusted network and allow access from there to port 1521. Leave the rest as it is; maybe think about denying ping and traceroute. That should work as a starting point. But read all of the susefirewall2.rc.config file, maybe I've forgotten some options (can't look right now, working at a Windows machine...).

Best regards,
Ralf Ronneburger
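The policy asked for in this thread (80 open to everyone, 22 and 1521 only from one class C), written as plain iptables INPUT rules for a 2.4-era kernel. This is an added example, not code from either poster or from SuSEfirewall2; the network 192.0.2.0/24 stands in for x.y.z.*, and the rules are printed rather than applied so they can be reviewed before being run as root.

```shell
#!/bin/sh
# Constructed example: minimal stateful INPUT filter for a single-homed host.
# No NAT, FORWARD or masquerading is needed; only incoming packets are filtered.
TRUSTED_NET="${TRUSTED_NET:-192.0.2.0/24}"   # placeholder for x.y.z.0/24
IPT="${IPT:-iptables}"

# Emit the rule set for the given trusted network (does not touch the kernel).
gen_rules() {
    net="$1"
    cat <<EOF
$IPT -F INPUT
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p tcp --dport 80 -j ACCEPT
$IPT -A INPUT -p tcp -s $net --dport 22 -j ACCEPT
$IPT -A INPUT -p tcp -s $net --dport 1521 -j ACCEPT
$IPT -A INPUT -j LOG --log-prefix "INPUT-DROP: "
$IPT -P INPUT DROP
EOF
}

# Count how many ACCEPT rules for a port are restricted to a source network;
# a quick self-check that 22 and 1521 are never opened to the world.
restricted_accepts() {
    gen_rules "$1" | grep -c -- "-s $1 --dport $2 -j ACCEPT"
}

# Usage: sh thisfile --print  (then pipe the output to sh as root, from the console,
# so a mistake in the SSH rule cannot lock you out of a remote session)
case "${1:-}" in
    --print) gen_rules "$TRUSTED_NET" ;;
esac
```

The DROP policy is set last so that an existing admin session is still covered by the ESTABLISHED rule while the rules load; anything not matched is logged before being dropped, which is the line to watch when a legitimate client cannot connect.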