
protect mongodb ports with iptables

This is my iptables configuration:

sudo iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere            
  859  103K ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
    5   260 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh
    3   230 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:27017
    4   208 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:28017
    0     0 ACCEPT     all  --  any    any     localhost            anywhere            
    0     0 ACCEPT     all  --  any    any     111.111.111.111      anywhere            
    0     0 ACCEPT     all  --  any    any     222.222.222.222      anywhere            
   64  3844 DROP       all  --  any    any     anywhere             anywhere            

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 764 packets, 227K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  any    any     localhost            anywhere            
    0     0 ACCEPT     all  --  any    any     111.111.111.111      anywhere            
    0     0 ACCEPT     all  --  any    any     222.222.222.222      anywhere

If I enter the IP in the browser, with my mongodb server port being 28017, I can see a prompt to type a username and password:

#ip mongodb server
000.000.000.000:28017

I want no one other than these two IPs to be able to reach the mongodb ports:

111.111.111.111
222.222.222.222

How can I do that?

Could you try the following iptables rules?

-A INPUT -m state --state NEW -p tcp --destination-port 27017 -s 111.111.111.111 -j ACCEPT
-A INPUT -m state --state NEW -p tcp --destination-port 27017 -s 222.222.222.222 -j ACCEPT

It looks like you forgot to include the source IP flag.

I removed these two lines from my iptables:

-A INPUT -p tcp -m tcp --dport 27017 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 28017 -j ACCEPT

Now the mongodb ports cannot be accessed from any IP.

Thanks

The rules I use to restrict external access to mongo are:

$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  localhost            anywhere             tcp dpt:27017
ACCEPT     tcp  --  localhost            anywhere             tcp dpt:28017
ACCEPT     tcp  --  111.111.111.111      anywhere             tcp dpt:27017
ACCEPT     tcp  --  222.222.222.222      anywhere             tcp dpt:27017
ACCEPT     tcp  --  111.111.111.111      anywhere             tcp dpt:28017
ACCEPT     tcp  --  222.222.222.222      anywhere             tcp dpt:28017
DROP       tcp  --  anywhere             anywhere             tcp dpt:27017
DROP       tcp  --  anywhere             anywhere             tcp dpt:28017

You can add them with:

sudo iptables -A INPUT -p tcp -m tcp --dport 27017 -s 127.0.0.1 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 28017 -s 127.0.0.1 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 27017 -s 111.111.111.111 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 27017 -s 222.222.222.222 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 28017 -s 111.111.111.111 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 28017 -s 222.222.222.222 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 27017 -j DROP
sudo iptables -A INPUT -p tcp -m tcp --dport 28017 -j DROP
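As an added example (not part of the original question or answers), the following POSIX shell script emits the source-pinned rule set from the second answer for a given list of IPs and flags the asker's original mistake: an ACCEPT for 27017 or 28017 with no `-s`. The BEFORE_RULES listing is a constructed sample in `iptables -S INPUT` form, not the asker's real output.

```shell
#!/bin/sh
# Constructed `iptables -S INPUT` sample reproducing the asker's problem:
# the mongodb ports are accepted from any source before the final DROP.
BEFORE_RULES='-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 27017 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 28017 -j ACCEPT
-A INPUT -s 111.111.111.111/32 -j ACCEPT
-A INPUT -s 222.222.222.222/32 -j ACCEPT
-A INPUT -j DROP'

# mongo_rules "IP IP ..." -> the structure of the second answer: one ACCEPT
# per allowed source for each mongodb port, then a DROP for each port.
mongo_rules() {
    for port in 27017 28017; do
        for ip in $1; do
            printf '%s\n' "-A INPUT -p tcp -m tcp --dport $port -s $ip -j ACCEPT"
        done
    done
    for port in 27017 28017; do
        printf '%s\n' "-A INPUT -p tcp -m tcp --dport $port -j DROP"
    done
}

# open_mongo_accepts RULES -> ACCEPT rules for a mongodb port that carry
# no -s/--source match, i.e. the port is open to every address.
open_mongo_accepts() {
    printf '%s\n' "$1" |
    grep -E -- '^-A INPUT .*--dport (27017|28017) .*-j ACCEPT' |
    grep -E -v -- ' (-s|--source) '
}

# count_open RULES -> number of such rules; 0 means every mongodb ACCEPT
# is pinned to a source address.
count_open() {
    open_mongo_accepts "$1" | awk 'END { print NR }'
}
```

Run `count_open "$(sudo iptables -S INPUT)"` on a host to check a live ruleset the same way; it only inspects the listing and changes nothing.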
