protect mongodb ports with iptables

Question

This is my iptables config:

sudo iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere            
  859  103K ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
    5   260 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh
    3   230 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:27017
    4   208 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:28017
    0     0 ACCEPT     all  --  any    any     localhost            anywhere            
    0     0 ACCEPT     all  --  any    any     111.111.111.111      anywhere            
    0     0 ACCEPT     all  --  any    any     222.222.222.222      anywhere            
   64  3844 DROP       all  --  any    any     anywhere             anywhere            

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 764 packets, 227K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  any    any     localhost            anywhere            
    0     0 ACCEPT     all  --  any    any     111.111.111.111      anywhere            
    0     0 ACCEPT     all  --  any    any     222.222.222.222      anywhere

If I write in browser the ip if my mongodb server with port 28017, I can see a promt to enter username and password:

#ip mongodb server
000.000.000.000:28017

I want close mongodb ports to anyone except to these 2 ips:

111.111.111.111
222.222.222.222

How can I do it?

Answer 1

Can you try the following iptables rules

-A INPUT -m state --state NEW -p tcp --destination-port 27017 -s 111.111.111.111 -j ACCEPT
-A INPUT -m state --state NEW -p tcp --destination-port 27017 -s 222.222.222.222 -j ACCEPT

Looks like you forgot to put in the source IP flag.

Answer 2

I have removed of my iptables these two line:

-A INPUT -p tcp -m tcp --dport 27017 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 28017 -j ACCEPT

and now it's not possible access to mongdb ports from any ip.

Thanks

Answer 3

The rules I use for limiting external access to mongo are:

$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  localhost            anywhere             tcp dpt:27017
ACCEPT     tcp  --  localhost            anywhere             tcp dpt:28017
ACCEPT     tcp  --  111.111.111.111      anywhere             tcp dpt:27017
ACCEPT     tcp  --  222.222.222.222      anywhere             tcp dpt:27017
ACCEPT     tcp  --  111.111.111.111      anywhere             tcp dpt:28017
ACCEPT     tcp  --  222.222.222.222      anywhere             tcp dpt:28017
DROP       tcp  --  anywhere             anywhere             tcp dpt:27017
DROP       tcp  --  anywhere             anywhere             tcp dpt:28017

You can add them with

sudo iptables -A INPUT -p tcp -m tcp --dport 27017 -s 127.0.0.1 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 28017 -s 127.0.0.1 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 27017 -s 111.111.111.111 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 27017 -s 222.222.222.222 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 28017 -s 111.111.111.111 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 28017 -s 222.222.222.222 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 27017 -j DROP
sudo iptables -A INPUT -p tcp -m tcp --dport 28017 -j DROP