使用iptables保护mongodb端口

Question

这是我的iptables配置：

sudo iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere            
  859  103K ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
    5   260 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh
    3   230 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:27017
    4   208 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:28017
    0     0 ACCEPT     all  --  any    any     localhost            anywhere            
    0     0 ACCEPT     all  --  any    any     111.111.111.111      anywhere            
    0     0 ACCEPT     all  --  any    any     222.222.222.222      anywhere            
   64  3844 DROP       all  --  any    any     anywhere             anywhere            

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 764 packets, 227K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  any    any     localhost            anywhere            
    0     0 ACCEPT     all  --  any    any     111.111.111.111      anywhere            
    0     0 ACCEPT     all  --  any    any     222.222.222.222      anywhere

如果我在浏览器中写入ip，如果我的mongodb服务器端口为28017，我可以看到一个promt输入用户名和密码：

#ip mongodb server
000.000.000.000:28017

我希望除了这两个ips以外的任何人都有接近mongodb的端口：

111.111.111.111
222.222.222.222

我该怎么做？

Answer 1

你能尝试以下iptables规则吗？

-A INPUT -m state --state NEW -p tcp --destination-port 27017 -s 111.111.111.111 -j ACCEPT
-A INPUT -m state --state NEW -p tcp --destination-port 27017 -s 222.222.222.222 -j ACCEPT

看起来你忘了放入源IP标志。

Answer 2

我删除了我的iptables这两行：

-A INPUT -p tcp -m tcp --dport 27017 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 28017 -j ACCEPT

现在无法从任何IP访问mongdb端口。

谢谢

Answer 3

我用来限制对mongo的外部访问的规则是：

$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  localhost            anywhere             tcp dpt:27017
ACCEPT     tcp  --  localhost            anywhere             tcp dpt:28017
ACCEPT     tcp  --  111.111.111.111      anywhere             tcp dpt:27017
ACCEPT     tcp  --  222.222.222.222      anywhere             tcp dpt:27017
ACCEPT     tcp  --  111.111.111.111      anywhere             tcp dpt:28017
ACCEPT     tcp  --  222.222.222.222      anywhere             tcp dpt:28017
DROP       tcp  --  anywhere             anywhere             tcp dpt:27017
DROP       tcp  --  anywhere             anywhere             tcp dpt:28017

您可以添加它们

sudo iptables -A INPUT -p tcp -m tcp --dport 27017 -s 127.0.0.1 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 28017 -s 127.0.0.1 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 27017 -s 111.111.111.111 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 27017 -s 222.222.222.222 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 28017 -s 111.111.111.111 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 28017 -s 222.222.222.222 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 27017 -j DROP
sudo iptables -A INPUT -p tcp -m tcp --dport 28017 -j DROP