Chongqing Sizhuang Oracle and Red Hat Certification Study Forum
Title: Accessing Oracle EM on RHEL 7.4 with the firewall left enabled
Author: 郑全 Time: 2017-8-21 19:43
This post was last edited by 郑全 on 2017-8-21 19:45
Today, for an actual requirement, I set out to install Oracle 10.2.0.1 on RHEL 7.4. After the install, Oracle Enterprise Manager (EM) could not be reached from a remote Windows machine.
Specifically:
IE could not open EM:
http://192.168.0.152:1158/em
Unable to reach the address
It didn't work locally either.
I even thought OEL 7 wasn't supported.
Testing a sqlplus connection from the local machine:
SQL> conn system/oracle@192.168.0.152:1521/sztech1
ERROR:
ORA-12170: TNS: 连接超时
So it looks like it simply can't connect.
Then I remembered: OEL 7 and later have the firewall enabled by default.
[root@dbserver ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
INPUT_direct all -- anywhere anywhere
INPUT_ZONES_SOURCE all -- anywhere anywhere
INPUT_ZONES all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere 192.168.122.0/24 ctstate RELATED,ESTABLISHED
ACCEPT all -- 192.168.122.0/24 anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
FORWARD_direct all -- anywhere anywhere
FORWARD_IN_ZONES_SOURCE all -- anywhere anywhere
FORWARD_IN_ZONES all -- anywhere anywhere
FORWARD_OUT_ZONES_SOURCE all -- anywhere anywhere
FORWARD_OUT_ZONES all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:bootpc
OUTPUT_direct all -- anywhere anywhere
Chain FORWARD_IN_ZONES (1 references)
target prot opt source destination
FWDI_public all -- anywhere anywhere [goto]
FWDI_public all -- anywhere anywhere [goto]
Chain FORWARD_IN_ZONES_SOURCE (1 references)
target prot opt source destination
Chain FORWARD_OUT_ZONES (1 references)
target prot opt source destination
FWDO_public all -- anywhere anywhere [goto]
FWDO_public all -- anywhere anywhere [goto]
Chain FORWARD_OUT_ZONES_SOURCE (1 references)
target prot opt source destination
Chain FORWARD_direct (1 references)
target prot opt source destination
Chain FWDI_public (2 references)
target prot opt source destination
FWDI_public_log all -- anywhere anywhere
FWDI_public_deny all -- anywhere anywhere
FWDI_public_allow all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
Chain FWDI_public_allow (1 references)
target prot opt source destination
Chain FWDI_public_deny (1 references)
target prot opt source destination
Chain FWDI_public_log (1 references)
target prot opt source destination
Chain FWDO_public (2 references)
target prot opt source destination
FWDO_public_log all -- anywhere anywhere
FWDO_public_deny all -- anywhere anywhere
FWDO_public_allow all -- anywhere anywhere
Chain FWDO_public_allow (1 references)
target prot opt source destination
Chain FWDO_public_deny (1 references)
target prot opt source destination
Chain FWDO_public_log (1 references)
target prot opt source destination
Chain INPUT_ZONES (1 references)
target prot opt source destination
IN_public all -- anywhere anywhere [goto]
IN_public all -- anywhere anywhere [goto]
Chain INPUT_ZONES_SOURCE (1 references)
target prot opt source destination
Chain INPUT_direct (1 references)
target prot opt source destination
Chain IN_public (2 references)
target prot opt source destination
IN_public_log all -- anywhere anywhere
IN_public_deny all -- anywhere anywhere
IN_public_allow all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
Chain IN_public_allow (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh ctstate NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:ncube-lm ctstate NEW
ACCEPT udp -- anywhere anywhere udp dpt:ncube-lm ctstate NEW
ACCEPT udp -- anywhere anywhere udp dpt:dbcontrol-oms ctstate NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:dbcontrol-oms ctstate NEW
Chain IN_public_deny (1 references)
target prot opt source destination
Chain IN_public_log (1 references)
target prot opt source destination
Chain OUTPUT_direct (1 references)
target prot opt source destination
[root@dbserver ~]#
That's not pleasant to read; my head hurts.
Then I remembered that Mr. Zhang (张sir) covered the firewalld firewall just last week, so why not give it a try:
[root@dbserver ~]# systemctl status firewalld.service
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: active (running) since Mon 2017-08-21 19:12:55 CST; 1s ago
Docs: man:firewalld(1)
Main PID: 16079 (firewalld)
CGroup: /system.slice/firewalld.service
└─16079 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
Aug 21 19:12:56 dbserver firewalld[16079]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -w --table filter --delete FORWARD --destination 192.168.12...t chain?).
Aug 21 19:12:56 dbserver firewalld[16079]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -w --table filter --delete FORWARD --source 192.168.122.0/2...t chain?).
Aug 21 19:12:56 dbserver firewalld[16079]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -w --table filter --delete FORWARD --in-interface virbr0 --...t chain?).
Aug 21 19:12:56 dbserver firewalld[16079]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -w --table filter --delete FORWARD --out-interface virbr0 -...that name.
Aug 21 19:12:56 dbserver firewalld[16079]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -w --table filter --delete FORWARD --in-interface virbr0 --...that name.
Aug 21 19:12:56 dbserver firewalld[16079]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -w --table filter --delete INPUT --in-interface virbr0 --pr...t chain?).
Aug 21 19:12:56 dbserver firewalld[16079]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -w --table filter --delete INPUT --in-interface virbr0 --pr...t chain?).
Aug 21 19:12:56 dbserver firewalld[16079]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -w --table filter --delete OUTPUT --out-interface virbr0 --...t chain?).
Aug 21 19:12:56 dbserver firewalld[16079]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -w --table filter --delete INPUT --in-interface virbr0 --pr...t chain?).
Aug 21 19:12:56 dbserver firewalld[16079]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -w --table filter --delete INPUT --in-interface virbr0 --pr...t chain?).
Hint: Some lines were ellipsized, use -l to show in full.
[root@dbserver ~]#
The simple way is to turn the firewall off:
systemctl stop firewalld.service
But that would go against Teacher Zhang's earnest advice. Why not use firewalld to add the ports instead, which also keeps things secure? Who says there's no ransomware on Linux?
So, let's get to it:
[root@dbserver ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens33
sources:
services: ssh dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
There is no port 1521 above, so add port 1521.
The database port is 1521, isn't it?
[root@dbserver ~]# firewall-cmd --permanent --add-port=1521/tcp
success
[root@dbserver ~]# firewall-cmd --permanent --add-port=1521/udp
Don't forget to reload so it takes effect:
[root@dbserver ~]# firewall-cmd --reload
success
[root@dbserver ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens33
sources:
services: ssh dhcpv6-client
ports: 1521/tcp 1521/udp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
We can see that port 1521 has been added.
Test the sqlplus connection again:
SQL> conn system/oracle@192.168.0.152:1521/sztech1
已连接。
SQL>
Success.
Looks like it works; carry on.
Test EM again; it still can't be accessed.
Forgot that EM's port is 1158.
Add 1158. In practice the port may vary; no matter, if it changes just add it here the same way:
[root@dbserver ~]# firewall-cmd --permanent --add-port=1158/udp
success
[root@dbserver ~]# firewall-cmd --permanent --add-port=1158/tcp
success
[root@dbserver ~]# firewall-cmd --reload
success
[root@dbserver ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens33
sources:
services: ssh dhcpv6-client
ports: 1521/tcp 1521/udp 1158/udp 1158/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
Going to EM again, it finally works.
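As an added example (not from the original post), here is a small POSIX shell helper that parses `firewall-cmd --list-all` output, reports which of the required Oracle ports are still missing, and prints the firewall-cmd commands that would open them. It assumes the listener on 1521/tcp and EM on 1158/tcp (both are TCP only, so the UDP entries from the post are not needed), a constructed sample of the zone output, and that the clients sit on 192.168.0.0/24, which the rich rule limits access to instead of opening the ports to every source.

```shell
#!/bin/sh
# Constructed sample of `firewall-cmd --list-all` output, modelled on the post:
# the state after 1521/tcp was added but before 1158/tcp.
SAMPLE_ZONE='public (active)
  target: default
  interfaces: ens33
  services: ssh dhcpv6-client
  ports: 1521/tcp
  rich rules: '

# Print, one per line, the entries of $2 (e.g. "1521/tcp 1158/tcp") that are
# absent from the "ports:" line of the zone output passed in $1.
missing_ports() {
  zone_out=$1; required=$2
  open=$(printf '%s\n' "$zone_out" | sed -n 's/^ *ports: *//p')
  for p in $required; do
    case " $open " in
      *" $p "*) ;;                 # already open, nothing to do
      *) printf '%s\n' "$p" ;;     # not open yet
    esac
  done
}

# Emit the firewall-cmd commands for each missing port/proto, each limited to the
# assumed management network in $1 via a rich rule, then the reload that
# makes --permanent changes live (the step the post reminds us not to forget).
open_commands() {
  src_net=$1; shift
  for p in "$@"; do
    port=${p%/*}; proto=${p#*/}
    printf "firewall-cmd --permanent --add-rich-rule='rule family=\"ipv4\" source address=\"%s\" port port=\"%s\" protocol=\"%s\" accept'\n" \
      "$src_net" "$port" "$proto"
  done
  printf 'firewall-cmd --reload\n'
}

# Demo run: only prints the commands; run them as root on the DB host, then
# re-check with `firewall-cmd --list-all`.
missing=$(missing_ports "$SAMPLE_ZONE" "1521/tcp 1158/tcp")
[ -n "$missing" ] && open_commands 192.168.0.0/24 $missing
```

On the real host, replace SAMPLE_ZONE with `$(firewall-cmd --list-all)`; the rich rules then appear under "rich rules:" rather than "ports:", so a second run should report nothing missing only if you check that line as well.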