Oracle通过防火墙（firewalld）配置访问控制

0.环境介绍

  Oracle数据库服务主机IP：10.0.0.70
  Oracle客户端IP：10.0.0.100
  操作系统发行版：CentOS 7.6

1.本地连接数据库，并创建用于远程连接的测试用户

[oracle@oracle4 ~]$ sqlplus / as sysdba
SYS@orcl> create user zb identified by "zb123";
SYS@orcl> grant connect,resource to zb;

2.安装Oracle客户端（SQL*Plus）

点击下载客户端工具,下载合适版本的zip包，如下所示：

instantclient-basic-linux.x64-19.17.0.0.0dbru.zip
instantclient-sqlplus-linux.x64-19.17.0.0.0dbru.zip

# 1.创建存放安装包的路径
[root@OG1 ~]# mkdir -p /opt/software
[root@OG1 ~]# cd /opt/software

# 2.将安装包上传到上述创建的目录中，并解压
[root@OG1 /opt/software]# ll | grep instantclient-
-rw-r--r-- 1 root root   74940977 Nov  4 10:35 instantclient-basic-linux.x64-19.17.0.0.0dbru.zip
-rw-r--r-- 1 root root     911671 Nov  4 11:29 instantclient-sqlplus-linux.x64-19.17.0.0.0dbru.zip
# 解压
[root@OG1 /opt/software]# unzip instantclient-basic-linux.x64-19.17.0.0.0dbru.zip
[root@OG1 /opt/software]# unzip instantclient-sqlplus-linux.x64-19.17.0.0.0dbru.zip

# 3.配置环境变量
[root@OG1 /opt/software]# cd 
[root@OG1 ~]# cat .bash_profile
export ORACLE_HOME=/opt/software/instantclient_19_17
export PATH=$ORACLE_HOME:$PATH
export LD_LIBRARY_PATH=$ORACLE_HOME:$LD_LIBRARY_PATH

[root@OG1 ~]# source .bash_profile

3.远程连接Oracle数据库

（1）方法一：关闭Oracle数据库服务端的防火墙

[root@oracle4 ~]# systemctl stop firewalld
# 查看验证
[root@oracle4 ~]# systemctl status firewalld

  关闭防火墙之后，你自然可以在客户机上远程连接Oracle数据库：

[root@OG1 ~]# sqlplus zb/zb123@10.0.0.70:1521/orcl
SQL*Plus: Release 19.0.0.0.0 - Production on Fri Nov 4 11:55:12 2022
Version 19.17.0.0.0
Copyright (c) 1982, 2022, Oracle.  All rights reserved.
Connected to:
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.3.0.0.0

SQL> 

（2）方法二：开启防火墙，需要配置防火墙策略

1.开启防火墙
[root@oracle4 ~]# systemctl start firewalld

2.不配置防火墙策略，尝试远程连接，报错
[root@OG1 ~]# sqlplus zb/zb123@10.0.0.70:1521/orcl
SQL*Plus: Release 19.0.0.0.0 - Production on Fri Nov 4 12:00:05 2022
Version 19.17.0.0.0
Copyright (c) 1982, 2022, Oracle.  All rights reserved.
ERROR:
ORA-12543: TNS:destination host unreachable

3.配置防火墙策略
#永久开放端口1521/tcp
[root@oracle4 ~]# firewall-cmd --permanent --add-port=1521/tcp 
success

# 重新加载防火墙服务
[root@oracle4 ~]# firewall-cmd --reload
success

# 查看防火墙开放的端口号 
[root@oracle4 ~]# firewall-cmd --permanent --list-ports 
1521/tcp


4.尝试远程连接，成功：
[root@OG1 ~]# sqlplus zb/zb123@10.0.0.70:1521/orcl
SQL*Plus: Release 19.0.0.0.0 - Production on Fri Nov 4 12:20:16 2022
Version 19.17.0.0.0
Copyright (c) 1982, 2022, Oracle.  All rights reserved.
Last Successful login time: Fri Nov 04 2022 11:55:13 +08:00
Connected to:
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
SQL>

# 这样防火墙配置策略还是较为宽松，我们可以加强限制访问，如下：

5.配置指定ip访问主机的指定端口号
[root@oracle4 ~]# firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='10.0.0.100' port protocol='tcp' port='1521' accept"
success

## 配置对某个网段的IP开放指定范围的端口访问
firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='192.168.2.0/24' port port='9500-9505' protocol='tcp' accept"

# 重新加载防火墙服务
[root@oracle4 ~]# firewall-cmd --reload
success
# 或
systemctl restart firewalld

# 查看刚刚设置的规则
[root@oracle4 ~]# firewall-cmd --list-rich-rule
rule family="ipv4" source address="10.0.0.100" port port="1521" protocol="tcp" accept
rule family="ipv4" source address="192.168.2.0/24" port port="9500-9505" protocol="tcp" accept