
I have a VM (Ubuntu 12.04.4 LTS) with mongodb (2.0.4) that I want to restrict with iptables to only accepting SSH (in/out) and nothing else. This is what my setup script to set up the rules looks like:

    #!/bin/sh
    # DROP everything
    iptables -F
    iptables -X
    iptables -P FORWARD DROP
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    # input
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A INPUT -s 127.0.0.1 -j ACCEPT # accept all ports for local conns
    # output
    iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT # ssh

But with these rules activated, I can't connect to mongodb locally.

    ubuntu ~ $ mongo
    MongoDB shell version: 2.0.4
    connecting to: test
    Fri Mar 28 09:40:40 Error: couldn't connect to server 127.0.0.1 shell/mongo.js:84
    exception: connect failed

Without them, it works fine. Is there any special firewall case one needs to consider when deploying mongodb?

I tried installing mysql, and it works perfectly for local connections. SSH works as expected (can connect from outside and inside).

The iptables rules look like this once set:

    ubuntu ~ $ sudo iptables -nvL
    Chain INPUT (policy DROP 8 packets, 1015 bytes)
     pkts bytes target     prot opt in     out     source               destination
      449  108K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
        0     0 ACCEPT     all  --  *      *       127.0.0.1            0.0.0.0/0
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
       32  2048 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443

    Chain FORWARD (policy DROP 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain OUTPUT (policy DROP 27 packets, 6712 bytes)
     pkts bytes target     prot opt in     out     source               destination
      379  175K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22

I did notice that if I add an OUTPUT rule for mongodb port 27017 (tcp, all destinations allowed) it works. So I guess it has something to do with output? But why would mongodb not accept a local connection because of outgoing traffic from the host?!

  • Replies from Mongo can't reach you; add an OUTPUT rule that allows local outbound traffic to 127.0.0.1. (Commented Apr 1, 2014 at 15:02)

1 Answer

A connection consists of a source IP:Port and a destination IP:Port. Packets from the source IP:Port have to traverse the OUTPUT chain. This happens even when you are connecting to the loopback interface, so, as you have discovered, you need to allow outgoing connections to 127.0.0.1.

It is normal not to block the loopback interface as many services use it and doing so can cause problems.
