[英]protect mongodb ports with iptables
這是我的iptables配置:
sudo iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo any anywhere anywhere
859 103K ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
5 260 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ssh
3 230 ACCEPT tcp -- any any anywhere anywhere tcp dpt:27017
4 208 ACCEPT tcp -- any any anywhere anywhere tcp dpt:28017
0 0 ACCEPT all -- any any localhost anywhere
0 0 ACCEPT all -- any any 111.111.111.111 anywhere
0 0 ACCEPT all -- any any 222.222.222.222 anywhere
64 3844 DROP all -- any any anywhere anywhere
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 764 packets, 227K bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any any localhost anywhere
0 0 ACCEPT all -- any any 111.111.111.111 anywhere
0 0 ACCEPT all -- any any 222.222.222.222 anywhere
如果我在瀏覽器中寫入ip,如果我的mongodb服務器端口為28017,我可以看到一個promt輸入用戶名和密碼:
#ip mongodb server
000.000.000.000:28017
我希望除了這兩個ips以外的任何人都有接近mongodb的端口:
111.111.111.111
222.222.222.222
我該怎么做?
你能嘗試以下iptables規則嗎?
-A INPUT -m state --state NEW -p tcp --destination-port 27017 -s 111.111.111.111 -j ACCEPT
-A INPUT -m state --state NEW -p tcp --destination-port 27017 -s 222.222.222.222 -j ACCEPT
看起來你忘了放入源IP標志。
我刪除了我的iptables這兩行:
-A INPUT -p tcp -m tcp --dport 27017 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 28017 -j ACCEPT
現在無法從任何IP訪問mongdb端口。
謝謝
我用來限制對mongo的外部訪問的規則是:
$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- localhost anywhere tcp dpt:27017
ACCEPT tcp -- localhost anywhere tcp dpt:28017
ACCEPT tcp -- 111.111.111.111 anywhere tcp dpt:27017
ACCEPT tcp -- 222.222.222.222 anywhere tcp dpt:27017
ACCEPT tcp -- 111.111.111.111 anywhere tcp dpt:28017
ACCEPT tcp -- 222.222.222.222 anywhere tcp dpt:28017
DROP tcp -- anywhere anywhere tcp dpt:27017
DROP tcp -- anywhere anywhere tcp dpt:28017
您可以添加它們
sudo iptables -A INPUT -p tcp -m tcp --dport 27017 -s 127.0.0.1 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 28017 -s 127.0.0.1 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 27017 -s 111.111.111.111 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 27017 -s 222.222.222.222 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 28017 -s 111.111.111.111 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 28017 -s 222.222.222.222 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 27017 -j DROP
sudo iptables -A INPUT -p tcp -m tcp --dport 28017 -j DROP
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.