Linux – iptables blocking local connection to mongodb

iptableslinuxmongodb

I have a VM (Ubuntu 12.04.4 LTS) with mongodb (2.0.4) that I want to restrict with iptables to only accepting SSH (in/out) and nothing else. This is how my setup script looks like to setup the rules:

#!/bin/sh

# DROP everything
iptables -F
iptables -X
iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP

# input
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -s 127.0.0.1 -j ACCEPT  # accept all ports for local conns

# output
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT  # ssh

But with these rules activated, I can't connect to mongodb locally.

ubuntu ~ $ mongo
MongoDB shell version: 2.0.4
connecting to: test
Fri Mar 28 09:40:40 Error: couldn't connect to server 127.0.0.1 shell/mongo.js:84
exception: connect failed

Without them, it works fine. Is there any special firewall case one needs to consider when deploying mongodb?

I tried installing mysql, and it works perfectly for local connections. SSH works as exepected (can connect from outside and inside).

The iptables rules looks like this once set:

ubuntu ~ $ sudo iptables -nvL
Chain INPUT (policy DROP 8 packets, 1015 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  449  108K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  *      *       127.0.0.1            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
   32  2048 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy DROP 27 packets, 6712 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  379  175K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22

I did notice that if I add an OUTPUT rule for mongodb port 27017 (tcp, all destinations allowed) it works.
So I guess it has something to do with output? But why would mongodb not allow accept a local connection due to outgoing traffic from the host ?!

Best Answer

A connection consists of a source IP:Port and a destination IP:Port. Packets from the source IP:Port have to traverse the OUTPUT chain. This happens even when you are connecting to the loopback interface so as you have discovered you need to allow outgoing connections to 127.0.0.1.

It is normal not to block the loopback interface as many services use it and doing so can cause problems.

Related Topic