
iptables rules for jupyter notebook

Having trouble with the iptables settings for Jupyter notebook. With the following rules (assume notebook port 8888), the Jupyter notebook server would be launched successfully, but the actual notebook kernel would fail to start/establish.

By commenting out the last iptables rule "-A OUTPUT -j DROP", everything works fine.

Any thoughts?

-A INPUT -p tcp -m state --state NEW,ESTABLISHED --dport 8888 -j ACCEPT
-A INPUT -p tcp -m state --state ESTABLISHED --sport 8888 -j ACCEPT
-A OUTPUT -p tcp -m state --state ESTABLISHED --sport 8888 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --dport 8888 -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -j DROP

Often tools like Jupyter use the loopback device (localhost) to access certain features. For example, Jupyter has a frontend that communicates over HTTP with the notebook server, which in turn sends messages via sockets to the IPython kernel (see: https://jupyter.readthedocs.io/en/latest/architecture/how_jupyter_ipython_work.html ).

I would add the following rules:

sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A OUTPUT -o lo -j ACCEPT

These rules allow input and output to and from the loopback device (localhost).

The above answer is the right fix; however, the documentation it points to is broken. The current documentation about the Jupyter client's communication with the IPython kernel is here: https://jupyter-client.readthedocs.io/en/latest/messaging.html

Additionally, this is the correct order for adding the iptables rules, for anyone struggling with this:

iptables -A INPUT -p tcp -m state --state NEW,ESTABLISHED --dport 8888 -j ACCEPT
iptables -A INPUT -p tcp -m state --state ESTABLISHED --sport 8888 -j ACCEPT
iptables -A OUTPUT -p tcp -m state --state ESTABLISHED --sport 8888 -j ACCEPT
iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --dport 8888 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP

iptables rules exist as chains. Incoming, outgoing, and pass-through packets are examined one rule at a time in the corresponding chain, and are handled based on the first rule that matches. With the above ordering, packets with a loopback address are allowed through freely, but all other traffic is blocked. This blocks pip installs, apt updates, telnet, netcat, etc.
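To make the first-match point concrete, here is an added Python model of chain evaluation over the rules in this thread (my own illustration, not iptables and not code from either answer). The packets, interface names and ephemeral ports are constructed; the only real values are the rules and port 8888 from the thread.

```python
from dataclasses import dataclass
from typing import Optional, Set


@dataclass
class Rule:
    """One iptables rule, reduced to the matches used in this thread."""
    chain: str
    target: str
    iface: Optional[str] = None        # -i lo / -o lo
    proto: Optional[str] = None        # -p tcp
    states: Optional[Set[str]] = None  # -m state --state NEW,ESTABLISHED
    sport: Optional[int] = None        # --sport
    dport: Optional[int] = None        # --dport

    def matches(self, pkt: dict) -> bool:
        return ((self.iface is None or pkt["iface"] == self.iface)
                and (self.proto is None or pkt["proto"] == self.proto)
                and (self.states is None or pkt["state"] in self.states)
                and (self.sport is None or pkt["sport"] == self.sport)
                and (self.dport is None or pkt["dport"] == self.dport))


def verdict(rules, pkt: dict) -> str:
    """Walk the packet's chain top to bottom; the first matching rule decides."""
    for rule in rules:
        if rule.chain == pkt["chain"] and rule.matches(pkt):
            return rule.target
    return "ACCEPT"  # assumed default chain policy (the thread sets none)


# The port-8888 rules from the question, in the same order.
PORT_RULES = [
    Rule("INPUT", "ACCEPT", proto="tcp", states={"NEW", "ESTABLISHED"}, dport=8888),
    Rule("INPUT", "ACCEPT", proto="tcp", states={"ESTABLISHED"}, sport=8888),
    Rule("OUTPUT", "ACCEPT", proto="tcp", states={"ESTABLISHED"}, sport=8888),
    Rule("OUTPUT", "ACCEPT", proto="tcp", states={"NEW", "ESTABLISHED"}, dport=8888),
]
LO_RULES = [Rule("INPUT", "ACCEPT", iface="lo"), Rule("OUTPUT", "ACCEPT", iface="lo")]
DROP_RULES = [Rule("INPUT", "DROP"), Rule("OUTPUT", "DROP")]

ORIGINAL = PORT_RULES + DROP_RULES          # the question's ordering
FIXED = PORT_RULES + LO_RULES + DROP_RULES  # the accepted ordering

# Constructed packets (interfaces and ephemeral ports are illustrative).
KERNEL_ZMQ = dict(chain="OUTPUT", iface="lo", proto="tcp", state="NEW",
                  sport=43210, dport=55001)  # notebook server -> kernel socket
BROWSER = dict(chain="INPUT", iface="eth0", proto="tcp", state="NEW",
               sport=51234, dport=8888)      # remote browser -> notebook server
PIP = dict(chain="OUTPUT", iface="eth0", proto="tcp", state="NEW",
           sport=40000, dport=443)           # pip install to a package index

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("fixed", FIXED)):
        for label, pkt in (("kernel zmq", KERNEL_ZMQ), ("browser", BROWSER), ("pip", PIP)):
            print(f"{name:8} {label:10} -> {verdict(rules, pkt)}")
```

Under the original ordering the server-to-kernel loopback connection falls through to the final OUTPUT DROP, which is the failure described in the question; with the loopback rules placed before the DROP rules it is accepted, while outbound pip traffic is still dropped in both cases.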
