
iptables blocking local connection to mongodb

I have a VM (Ubuntu 12.04.4 LTS) with mongodb (2.0.4) that I want to restrict with iptables to only accepting SSH (in/out) and nothing else. This is how my setup script looks to set up the rules:

#!/bin/sh

# DROP everything
iptables -F
iptables -X
iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP

# input
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -s 127.0.0.1 -j ACCEPT    # accept all ports for local conns

# output
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT    # ssh

But with these rules activated, I can't connect to mongodb locally.

ubuntu ~ $ mongo
MongoDB shell version: 2.0.4
connecting to: test
Fri Mar 28 09:40:40 Error: couldn't connect to server 127.0.0.1 shell/mongo.js:84
exception: connect failed

Without them, it works fine. Is there any special firewall case one needs to consider when deploying mongodb?

I tried installing mysql, and it works perfectly for local connections. SSH works as expected (can connect from outside and inside).

The iptables rules look like this once set:

ubuntu ~ $ sudo iptables -nvL
Chain INPUT (policy DROP 8 packets, 1015 bytes)
 pkts bytes target     prot opt in     out     source               destination
  449  108K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  *      *       127.0.0.1            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
   32  2048 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy DROP 27 packets, 6712 bytes)
 pkts bytes target     prot opt in     out     source               destination
  379  175K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Answer1:

Outbound traffic must be accepted for the loopback (127.0.0.1) as well.

Adding this made it work:

iptables -A OUTPUT -o lo -j ACCEPT

Answer2:

You might want to try substituting the line

iptables -A INPUT -s 127.0.0.1 -j ACCEPT

with

iptables -A INPUT -i lo -j ACCEPT
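Putting the two answers together, as an added example that is not part of the original question or either answer: the local mongo client's SYN to 127.0.0.1:27017 is an OUTPUT packet in state NEW, so with an OUTPUT policy of DROP and only dport 22 accepted it never reaches the socket, and the INPUT rule for 127.0.0.1 never even gets a chance to fire. The script below emits a corrected ruleset in iptables-restore format that accepts loopback in both directions and matches on the lo interface rather than the source address (a packet arriving on a real NIC with a forged 127.0.0.1 source would otherwise be accepted), and includes an audit function that reads any iptables-save dump and reports which loopback direction is missing. The constructed dump mirrors the question's ruleset; SSH_PORT and the inbound SSH rule are assumed from the listing, and nothing here touches the live firewall unless apply_rules is called as root.

```shell
#!/bin/sh
# Added example: loopback-safe iptables ruleset plus an audit for the
# missing-loopback mistake. Assumes the iptables-save/restore text format.
# SSH_PORT is an assumed value taken from the question's listing.

SSH_PORT=22

# Emit the corrected ruleset. Loopback is accepted on both INPUT (-i lo)
# and OUTPUT (-o lo), so a local client's SYN to 127.0.0.1 is not dropped
# by the OUTPUT DROP policy, and its reply is then matched as ESTABLISHED.
firewall_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport ${SSH_PORT} -m state --state NEW -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport ${SSH_PORT} -j ACCEPT
COMMIT
EOF
}

# Constructed iptables-save dump mirroring the question's broken ruleset
# (sample data, not captured from a real host).
broken_dump() {
  cat <<EOF
*filter
:INPUT DROP [8:1015]
:FORWARD DROP [0:0]
:OUTPUT DROP [27:6712]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# Audit an iptables-save dump read from stdin. Prints one "missing:" line
# per absent loopback rule; returns 0 only when both directions are open.
# Only an interface match (-i lo / -o lo) counts: a rule keyed on
# -s 127.0.0.1 is both spoofable and, for OUTPUT, not what is needed.
audit_loopback() {
  dump=$(cat)
  rc=0
  if ! printf '%s\n' "$dump" | grep -Eq '^-A INPUT -i lo .*-j ACCEPT$'; then
    echo "missing: INPUT -i lo -j ACCEPT"
    rc=1
  fi
  if ! printf '%s\n' "$dump" | grep -Eq '^-A OUTPUT -o lo .*-j ACCEPT$'; then
    echo "missing: OUTPUT -o lo -j ACCEPT"
    rc=1
  fi
  return $rc
}

# Load the corrected ruleset atomically on a real host (root required).
apply_rules() {
  [ "$(id -u)" -eq 0 ] || { echo "apply_rules: must run as root" >&2; return 1; }
  firewall_rules | iptables-restore
}

# Dry run: the question's ruleset fails the audit, the corrected one passes.
echo "== audit of the question's ruleset =="
broken_dump | audit_loopback || echo "result: FAIL (expected)"
echo "== audit of the corrected ruleset =="
firewall_rules | audit_loopback && echo "result: OK"
```

On a live host the same check is `sudo iptables-save | sh -c '. ./this_script.sh >/dev/null; audit_loopback'`, or simply `sudo iptables-save | grep -E -- '-(i|o) lo '` by eye; if only one direction shows up, local clients of any service bound to 127.0.0.1 (not just mongod) will fail exactly as in the question.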
