2014-03-16 Configure Firewall Rules


I was unable to connect to the OMS console due to firewall settings on CRONULLA.



First Attempt

Based on 4.7 Configuring the System Firewall and 11 Configuring Enterprise Manager for Firewalls, I issued the following command to update the firewall:

iptables --insert INPUT 5 --proto tcp --match state --state NEW --match tcp -–dport 3872 --jump ACCEPT

And I got the following error message:

iptables v1.4.7: option `-m' requires an argument
Try `iptables -h' or 'iptables --help' for more information.

Comparing this command with the one that works later shows the real problem: `-–dport` here is an ASCII hyphen followed by a typographic en-dash, an artefact of copying from the rendered manual, and iptables cannot parse it. The error message blames `-m` rather than the bad dash, which is what makes the mistake easy to miss.

Current Settings

Following the examples blindly from the manual did not get me anywhere, so I had to find out the real way to do things.

From the online help (via iptables --help), I discovered the following command, which prints the chain in the same rule-specification syntax that iptables accepts on the command line:

iptables --list-rules INPUT

The result is:

-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED --jump ACCEPT
-A INPUT -p icmp --jump ACCEPT
-A INPUT -i lo --jump ACCEPT
-A INPUT -p tcp -m state --state NEW --match tcp --dport 22 --jump ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited

Rule numbers count only the -A (append to chain) lines; the -P line is the chain's default policy, not a rule. In this listing the catch-all REJECT is therefore rule 5, and a rule inserted at position 5 lands immediately before it, pushing the REJECT down to 6.

Add a Simple Rule

I want to insert a rule before the catch-all rejection at rule #5. I tried the following command:

iptables --insert INPUT 5 --proto tcp --match state --state NEW --match tcp --dport 3872 --jump ACCEPT

The addition of the source address seemed to be causing problems, so I left it out. The absence of the source address does not concern me as I have a private network behind an internet firewall. Note, though, that the --source restriction in the manual's examples is what confines the agent and console ports to the management hosts; the perimeter firewall does nothing about other machines on the same private network, so it is worth adding back once the basic rule is working.

I listed the rules again for the INPUT chain:

-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED --jump ACCEPT
-A INPUT -p icmp --jump ACCEPT
-A INPUT -i lo --jump ACCEPT
-A INPUT -p tcp -m state --state NEW --match tcp --dport 22 --jump ACCEPT
-A INPUT -p tcp -m state --state NEW --match tcp --dport 3872 --jump ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited

Add the Other Rules

To complete the rules needed to satisfy 11 Configuring Enterprise Manager for Firewalls, I added the following, based on the ports configured in 07 Complete OMS Installation (the list can be checked against a running OMS with `emctl status oms -details`, which prints the console and upload ports). Each insert position is one higher than the last so the new rules keep their order and all land before the REJECT rule:

iptables --insert INPUT 6 --proto tcp --match state --state NEW --match tcp --dport 4889 --jump ACCEPT
iptables --insert INPUT 7 --proto tcp --match state --state NEW --match tcp --dport 4903 --jump ACCEPT
iptables --insert INPUT 8 --proto tcp --match state --state NEW --match tcp --dport 7102 --jump ACCEPT
iptables --insert INPUT 9 --proto tcp --match state --state NEW --match tcp --dport 7202 --jump ACCEPT
iptables --insert INPUT 10 --proto tcp --match state --state NEW --match tcp --dport 7301 --jump ACCEPT
iptables --insert INPUT 11 --proto tcp --match state --state NEW --match tcp --dport 7403 --jump ACCEPT
iptables --insert INPUT 12 --proto tcp --match state --state NEW --match tcp --dport 7788 --jump ACCEPT
iptables --insert INPUT 13 --proto tcp --match state --state NEW --match tcp --dport 7802 --jump ACCEPT
iptables --insert INPUT 14 --proto udp --match udp --dport 3872 --jump ACCEPT
iptables --insert INPUT 15 --proto udp --match udp --dport 4889 --jump ACCEPT
iptables --insert INPUT 16 --proto udp --match udp --dport 4903 --jump ACCEPT
iptables --insert INPUT 17 --proto udp --match udp --dport 7102 --jump ACCEPT
iptables --insert INPUT 18 --proto udp --match udp --dport 7202 --jump ACCEPT
iptables --insert INPUT 19 --proto udp --match udp --dport 7301 --jump ACCEPT
iptables --insert INPUT 20 --proto udp --match udp --dport 7403 --jump ACCEPT
iptables --insert INPUT 21 --proto udp --match udp --dport 7788 --jump ACCEPT
iptables --insert INPUT 22 --proto udp --match udp --dport 7802 --jump ACCEPT

Checking the results (the REJECT rule is now last, at position 23):

[root@cronulla ~]# iptables --list-rules INPUT
-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3872 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 4889 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 4903 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 7102 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 7202 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 7301 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 7403 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 7788 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 7802 -j ACCEPT
-A INPUT -p udp -m udp --dport 3872 -j ACCEPT
-A INPUT -p udp -m udp --dport 4889 -j ACCEPT
-A INPUT -p udp -m udp --dport 4903 -j ACCEPT
-A INPUT -p udp -m udp --dport 7102 -j ACCEPT
-A INPUT -p udp -m udp --dport 7202 -j ACCEPT
-A INPUT -p udp -m udp --dport 7301 -j ACCEPT
-A INPUT -p udp -m udp --dport 7403 -j ACCEPT
-A INPUT -p udp -m udp --dport 7788 -j ACCEPT
-A INPUT -p udp -m udp --dport 7802 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited

Save the Firewall Rules

The rules above live only in the running kernel; to keep them across a reboot or a restart of the iptables service, I saved the running rule set to /etc/sysconfig/iptables with the following command:

service iptables save
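The steps above (list the chain, find the REJECT rule, insert each port just before it, verify) can be scripted so the positions are computed rather than counted by hand and the script is safe to re-run. The following is an added example, not code from the original post or from Oracle's documentation: it is POSIX sh, the function names (reject_position, has_rule, gen_rules, missing_ports) are my own, the port list is the one used in the post, and the two chain listings are constructed samples in the format `iptables --list-rules INPUT` prints. It emits the iptables commands rather than running them, so it can be reviewed first and run offline.

```sh
#!/bin/sh
# Added example, not from the original post: build the OMS firewall rules
# from the text of `iptables --list-rules INPUT` instead of hard-coding
# rule positions, and skip ports that are already open so the script can
# be re-run safely. Port numbers are those used in the post; the listings
# below are constructed samples in `iptables --list-rules` (-S) format.

OMS_TCP_PORTS="3872 4889 4903 7102 7202 7301 7403 7788 7802"

# The INPUT chain as the post first found it (constructed from the post's
# own listing, in the exact format `iptables -S INPUT` prints).
INITIAL_LISTING='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# The same chain after the first OMS rule (agent port 3872) was inserted.
PARTIAL_LISTING='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3872 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# reject_position LISTING
# Print the 1-based number of the first REJECT rule in the INPUT chain.
# Only -A lines count as rules; the -P policy line does not.
reject_position() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT / { n++; if ($0 ~ /(-j|--jump) REJECT/) { print n; exit } }'
}

# has_rule LISTING PROTO PORT
# Succeed if LISTING already accepts PROTO traffic to PORT.
# Accepts both the -j short form iptables prints and the --jump long form.
has_rule() {
    printf '%s\n' "$1" | grep -Eq -e "-p $2 .*--dport $3 (-j|--jump) ACCEPT"
}

# gen_rules LISTING PROTO PORT...
# Print one `iptables --insert` command per port not yet open, each placed
# immediately before the REJECT rule. The position is incremented after
# every command, as the post does, so the ports keep their listed order
# and the REJECT rule stays last. Fails rather than guessing if the chain
# has no REJECT rule.
gen_rules() {
    listing=$1; proto=$2; shift 2
    pos=$(reject_position "$listing")
    if [ -z "$pos" ]; then
        echo "gen_rules: no REJECT rule in INPUT; not guessing a position" >&2
        return 1
    fi
    if [ "$proto" = tcp ]; then
        match='--match state --state NEW --match tcp'
    else
        match="--match $proto"
    fi
    for port in "$@"; do
        if has_rule "$listing" "$proto" "$port"; then
            continue
        fi
        printf 'iptables --insert INPUT %d --proto %s %s --dport %d --jump ACCEPT\n' \
            "$pos" "$proto" "$match" "$port"
        pos=$((pos + 1))
    done
}

# missing_ports LISTING PROTO PORT...
# Print the ports from the list that LISTING does not accept, one per line;
# prints nothing when the chain is complete. Useful after a reboot to
# confirm that the saved rules came back.
missing_ports() {
    listing=$1; proto=$2; shift 2
    for port in "$@"; do
        has_rule "$listing" "$proto" "$port" || printf '%s\n' "$port"
    done
}

# Stand-alone run: show the commands that would complete the sample chain.
# On the real host, pass "$(iptables --list-rules INPUT)" instead.
gen_rules "$INITIAL_LISTING" tcp $OMS_TCP_PORTS
```

On CRONULLA the listing argument would be `"$(iptables --list-rules INPUT)"`; pipe the output into `sh` once it looks right, run `service iptables save`, and after the next reboot call `missing_ports` on the fresh listing to confirm nothing was lost. Adding a `--source` network to the printf format is the natural next tightening.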


I am now able to access the OEM Console from RYDE.