Monday, January 09, 2012

Securing Oracle Database server using IPTables in Linux

Linux can help administrators build a strong host firewall with the kernel-based netfilter/iptables framework. As demonstrated below, iptables can express general or very specific packet filters that allow or deny traffic, which lets administrators shield their servers from a wide range of hazards, including denial-of-service attacks and intrusion attempts. As always, the best way to learn is to get your hands dirty and experiment with iptables on a test machine.

This article is an example of how you can secure an Oracle Database server using iptables on Linux.

Edit the iptables file from the /etc/sysconfig directory:

[root]# vi /etc/sysconfig/iptables

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

# Nagios Server for real time alerts : 192.168.0.99
# Zabbix Server for historic perf. data : 192.168.0.98
# Trusted VLAN for SSH and SFTP traffic : 192.168.4.0/24
# Trusted IPs from untrusted VLAN : 192.168.16.xx

# Always allow loopback traffic (local tools talk to the listener over it)
# and replies to connections this host initiated
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Rule to enable PING from selected IPs. PING is ICMP echo, not TCP; a bare
# "-p tcp -s HOST -j ACCEPT" would instead open every TCP port to that host
-A INPUT -p icmp --icmp-type echo-request -s 192.168.0.99 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -s 192.168.0.98 -j ACCEPT

# Rule to enable monitoring from selected IPs (NRPE on 5666, Zabbix agent on 10050)
-A INPUT -m state --state NEW -m tcp -s 192.168.0.99 -p tcp --dport 5666 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -s 192.168.0.98 -p tcp --dport 10050 -j ACCEPT

# Rule to enable SSH / SFTP from Trusted VLAN. SFTP runs inside SSH on port 22;
# ports 20 and 21 are plain FTP and are only needed if an FTP daemon runs here
-A INPUT -m state --state NEW -m tcp -s 192.168.4.0/24 -p tcp --dport 20 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -s 192.168.4.0/24 -p tcp --dport 21 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -s 192.168.4.0/24 -p tcp --dport 22 -j ACCEPT

# Rule to enable the Oracle listener port for the IPs of the application VMs
-A INPUT -m state --state NEW -m tcp -s 192.168.16.20 -p tcp --dport 1521 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -s 192.168.16.21 -p tcp --dport 1521 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -s 192.168.16.22 -p tcp --dport 1521 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -s 192.168.16.23 -p tcp --dport 1521 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -s 192.168.16.24 -p tcp --dport 1521 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -s 192.168.16.25 -p tcp --dport 1521 -j ACCEPT

# Catch All Rule: drop everything not explicitly accepted above, for every
# protocol (a "-p tcp" DROP alone would leave UDP and ICMP wide open)
-A INPUT -j DROP
COMMIT

Restart the iptables service so the new rule set is loaded:

[root]# service iptables restart
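A restart loads whatever is in the file, so it pays to audit the file offline before restarting. The script below is an added example and is not part of the original post: it never calls iptables, it only reads a rules file in the /etc/sysconfig/iptables format (a constructed sample is embedded, with two weak spots left in on purpose) and reports every port opened, every ACCEPT without a port restriction, every port reachable from any source, and whether a catch-all DROP and a COMMIT close the table. The function names are my own.

```shell
#!/bin/sh
# Offline audit of an /etc/sysconfig/iptables-style rules file.
# Added example, not from the original post: it never calls iptables, it only
# reads the file, so it can run on any machine before the rules are pushed.

# Constructed sample rules file for the demonstration. It deliberately keeps
# two weak spots worth catching: an ACCEPT with no port restriction and a
# listener rule with no source restriction.
SAMPLE_RULES=$(mktemp)
trap 'rm -f "$SAMPLE_RULES"' EXIT
cat > "$SAMPLE_RULES" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -s 192.168.0.99 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -s 192.168.0.98 -p tcp --dport 10050 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -s 192.168.4.0/24 -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -s 192.168.16.20 -p tcp --dport 1521 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 1521 -j ACCEPT
-A INPUT -j DROP
COMMIT
EOF

# One "SOURCE PORT" line per INPUT ACCEPT rule that names a --dport.
# A rule without -s matches any source and is reported as 0.0.0.0/0.
list_open_ports() {
    awk '/^-A INPUT / && /-j ACCEPT/ && /--dport/ {
            src = "0.0.0.0/0"; port = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-s")      src  = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
            }
            print src, port
        }' "$1"
}

# INPUT ACCEPT rules that restrict neither port nor ICMP type: apart from
# loopback and the ESTABLISHED,RELATED rule, these open every port to the source.
list_unrestricted_accepts() {
    awk '/^-A INPUT / && /-j ACCEPT/ && !/--dport/ && !/-i lo/ && !/ESTABLISHED/ && !/-p icmp/' "$1"
}

# Open ports reachable from any source (no -s on the rule).
list_world_reachable_ports() {
    list_open_ports "$1" | awk '$1 == "0.0.0.0/0" { print $2 }'
}

# Succeeds only if the last INPUT rule is a DROP and the table ends with COMMIT,
# i.e. nothing slips past the explicit ACCEPTs and iptables-restore will load it.
check_catch_all() {
    last_rule=$(grep '^-A INPUT ' "$1" | tail -n 1)
    case "$last_rule" in
        *'-j DROP'*) ;;
        *) return 1 ;;
    esac
    tail -n 1 "$1" | grep -q '^COMMIT$'
}

echo "Ports opened by explicit ACCEPT rules (source port):"
list_open_ports "$SAMPLE_RULES"
echo "ACCEPT rules with no port restriction (review these):"
list_unrestricted_accepts "$SAMPLE_RULES"
echo "Ports reachable from any source:"
list_world_reachable_ports "$SAMPLE_RULES"
if check_catch_all "$SAMPLE_RULES"; then
    echo "Catch-all DROP and COMMIT present"
else
    echo "WARNING: no trailing DROP rule or missing COMMIT"
fi
```

To audit the real file, pass /etc/sysconfig/iptables to the functions instead of $SAMPLE_RULES. Do the audit, and the restart itself, from a session on the trusted VLAN: the restart flushes and reloads the rules, and a typo in the SSH rule locks out every other address.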

And you are good to go!

Cheers!
Harish.
