[英]protect mongodb ports with iptables
这是我的iptables配置:
sudo iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo any anywhere anywhere
859 103K ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
5 260 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ssh
3 230 ACCEPT tcp -- any any anywhere anywhere tcp dpt:27017
4 208 ACCEPT tcp -- any any anywhere anywhere tcp dpt:28017
0 0 ACCEPT all -- any any localhost anywhere
0 0 ACCEPT all -- any any 111.111.111.111 anywhere
0 0 ACCEPT all -- any any 222.222.222.222 anywhere
64 3844 DROP all -- any any anywhere anywhere
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 764 packets, 227K bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any any localhost anywhere
0 0 ACCEPT all -- any any 111.111.111.111 anywhere
0 0 ACCEPT all -- any any 222.222.222.222 anywhere
如果我在浏览器中写入ip,如果我的mongodb服务器端口为28017,我可以看到一个promt输入用户名和密码:
#ip mongodb server
000.000.000.000:28017
我希望除了这两个ips以外的任何人都有接近mongodb的端口:
111.111.111.111
222.222.222.222
我该怎么做?
你能尝试以下iptables规则吗?
-A INPUT -m state --state NEW -p tcp --destination-port 27017 -s 111.111.111.111 -j ACCEPT
-A INPUT -m state --state NEW -p tcp --destination-port 27017 -s 222.222.222.222 -j ACCEPT
看起来你忘了放入源IP标志。
我删除了我的iptables这两行:
-A INPUT -p tcp -m tcp --dport 27017 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 28017 -j ACCEPT
现在无法从任何IP访问mongdb端口。
谢谢
我用来限制对mongo的外部访问的规则是:
$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- localhost anywhere tcp dpt:27017
ACCEPT tcp -- localhost anywhere tcp dpt:28017
ACCEPT tcp -- 111.111.111.111 anywhere tcp dpt:27017
ACCEPT tcp -- 222.222.222.222 anywhere tcp dpt:27017
ACCEPT tcp -- 111.111.111.111 anywhere tcp dpt:28017
ACCEPT tcp -- 222.222.222.222 anywhere tcp dpt:28017
DROP tcp -- anywhere anywhere tcp dpt:27017
DROP tcp -- anywhere anywhere tcp dpt:28017
您可以添加它们
sudo iptables -A INPUT -p tcp -m tcp --dport 27017 -s 127.0.0.1 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 28017 -s 127.0.0.1 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 27017 -s 111.111.111.111 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 27017 -s 222.222.222.222 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 28017 -s 111.111.111.111 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 28017 -s 222.222.222.222 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 27017 -j DROP
sudo iptables -A INPUT -p tcp -m tcp --dport 28017 -j DROP
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.