I have a VM (Ubuntu 12.04.4 LTS) with mongodb (2.0.4) that I want to restrict with iptables to only accepting SSH (in/out) and nothing else. This is how my setup script looks like to setup the rules:
#!/bin/sh
# DROP everything
iptables -F
iptables -X
iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP
# input
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -s 127.0.0.1 -j ACCEPT # accept all ports for local conns
# output
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT # ssh
But with these rules activated, I can't connect to mongodb locally.
ubuntu ~ $ mongo
MongoDB shell version: 2.0.4
connecting to: test
Fri Mar 28 09:40:40 Error: couldn't connect to server 127.0.0.1 shell/mongo.js:84
exception: connect failed
Without them, it works fine. Is there any special firewall case one needs to consider when deploying mongodb?
I tried installing mysql, and it works perfectly for local connections. SSH works as exepected (can connect from outside and inside).
The iptables rules looks like this once set:
ubuntu ~ $ sudo iptables -nvL
Chain INPUT (policy DROP 8 packets, 1015 bytes)
pkts bytes target prot opt in out source destination
449 108K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- * * 127.0.0.1 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
32 2048 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 27 packets, 6712 bytes)
pkts bytes target prot opt in out source destination
379 175K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
I did notice that if I add an OUTPUT rule for mongodb port 27017 (tcp, all destinations allowed) it works.
So I guess it has something to do with output? But why would mongodb not allow accept a local connection due to outgoing traffic from the host ?!
Best Answer
A connection consists of a source IP:Port and a destination IP:Port. Packets from the source IP:Port have to traverse the OUTPUT chain. This happens even when you are connecting to the loopback interface so as you have discovered you need to allow outgoing connections to 127.0.0.1.
It is normal not to block the loopback interface as many services use it and doing so can cause problems.