如果要灵活的实现限制IP访问ORACLE数据库,最好使用登陆触发器的方式来实现。
下面的方式对于限制单个IP地址访问ORACLE数据库比较方便,但是对于实现一个网段的IP访问数据库就有点繁琐了,
因为这种方法需要把IP地址一个一个的列出来。
通过在SQLNET.ORA中增加如下的语句即可实现IP的限制:
tcp.validnode_checking = yes //开启IP限制
tcp.invited_nodes=() //允许访问的IP列表,各IP之间用逗号分隔
tcp.excluded_nodes=() //限制访问的IP列表,各个IP之间用逗号分隔
本次测试的环境说明如下:
数据库服务器在我WINDOWS PC机器上,IP地址为10.223.18.116,监听端口为1521,实例名为yansp。
远程有2台AIX服务器10.192.39.72,10.192.39.76用作测试客户端。
看下面一个简单例子:
正常情况下10.192.39.72是可以正常访问数据库的,如下:
[oracle@sxffdb1 ~]$ export PS1="10.192.39.72 > "
10.192.39.72 > sqlplus yansp/yansp@10.223.18.116/yansp
SQL*Plus: Release 10.2.0.4.0 - Production on Wed Jan 11 10:18:03 2012
Copyright (c) 1982, 2007, Oracle. All Rights Reserved.
Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Production
With the Partitioning, OLAP and Data Mining options
SQL> select sysdate from dual;
SYSDATE
-------------------
2012-01-11 10:19:08
SQL>
修改sqlnet.ora 增加如下2行
tcp.validnode_checking = yes
tcp.excluded_nodes=(10.192.39.72,10.192.39.72)
C:\u01\oracle\product\10.2.0\db_1\NETWORK\ADMIN>type sqlnet.ora
# This file is actually generated by netca. But if customers choose to
# install "Software Only", this file wont exist and without the native
# authentication, they will not be able to connect to the database on NT.
SQLNET.AUTHENTICATION_SERVICES = (NTS)
NAMES.DIRECTORY_PATH=(TNSNAMES,EZCONNECT)
SQLNET.EXPIRE_TIME=1
tcp.validnode_checking = yes
tcp.excluded_nodes=(10.192.39.72)
C:\u01\oracle\product\10.2.0\db_1\NETWORK\ADMIN>
重启启动监听器:
C:\u01\oracle\product\10.2.0\db_1\NETWORK\ADMIN>lsnrctl stop
LSNRCTL for 32-bit Windows: Version 10.2.0.1.0 - Production on 11-1月 -2012 10:2
4:36
Copyright (c) 1991, 2005, Oracle. All rights reserved.
正在连接到 (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=10.223.18.116)(PORT=1521)(I
P=FIRST)))
命令执行成功
C:\u01\oracle\product\10.2.0\db_1\NETWORK\ADMIN>lsnrctl start
LSNRCTL for 32-bit Windows: Version 10.2.0.1.0 - Production on 11-1月 -2012 10:2
4:40
Copyright (c) 1991, 2005, Oracle. All rights reserved.
启动tnslsnr: 请稍候…
TNSLSNR for 32-bit Windows: Version 10.2.0.1.0 - Production
系统参数文件为C:\u01\oracle\product\10.2.0\db_1\network\admin\listener.ora
写入C:\u01\oracle\product\10.2.0\db_1\network\log\listener.log的日志信息
监听: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=10.223.18.116)(PORT=1521)))
正在连接到 (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=10.223.18.116)(PORT=1521)(I
P=FIRST)))
|