iptables blocking local connection to mongodb


Problem description

I have a VM (Ubuntu 12.04.4 LTS) with mongodb (2.0.4) that I want to restrict with iptables to only accepting SSH (in/out) and nothing else. This is what my setup script looks like to set up the rules:

#!/bin/sh

# DROP everything
iptables -F
iptables -X
iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP

# input
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -s 127.0.0.1 -j ACCEPT  # accept all ports for local conns

# output
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT  # ssh

But with these rules activated, I can't connect to mongodb locally.

ubuntu ~ $ mongo
MongoDB shell version: 2.0.4
connecting to: test
Fri Mar 28 09:40:40 Error: couldn't connect to server 127.0.0.1 shell/mongo.js:84
exception: connect failed

Without them, it works fine. Is there any special firewall case one needs to consider when deploying mongodb?

I tried installing mysql, and it works perfectly for local connections. SSH works as expected (can connect from outside and inside).

The iptables rules look like this once set:

ubuntu ~ $ sudo iptables -nvL
Chain INPUT (policy DROP 8 packets, 1015 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  449  108K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  *      *       127.0.0.1            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
   32  2048 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy DROP 27 packets, 6712 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  379  175K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Recommended answer

Outbound traffic must be accepted for the loopback (127.0.0.1) as well.

Adding this made it work:

iptables -A OUTPUT -o lo -j ACCEPT
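The fix from the answer, as an added example that is not the poster's script or the answer's own text: the firewall rebuilt with loopback accepted in both directions and loaded atomically with iptables-restore, plus a check that can be run after deployment. It assumes the goal stated in the question (SSH in and out, nothing else), mongod on its default port 27017 (used only by probe_mongo, which also assumes netcat is installed), and that the check functions are fed the output of iptables -S. The cause of the symptom: the mongo shell's SYN to 127.0.0.1:27017 leaves through lo and is evaluated by the OUTPUT chain; it is a NEW connection, so the RELATED,ESTABLISHED rule does not match, only dport 22 is allowed, and the DROP policy discards it before it is ever looped back to mongod. The INPUT rule for 127.0.0.1 never sees a packet, which is why its counters in the listing above read 0. (That mysql still worked is most likely because its client uses the Unix socket for localhost, which netfilter does not filter; that is an inference, not something the page states.)

```shell
#!/bin/sh
# Added example, not the poster's script or the answer's exact rules: a rebuilt
# version of the firewall with loopback accepted in both directions, loaded
# atomically with iptables-restore, plus a check that can be run afterwards.
# Assumptions: the host only needs SSH in and out (the goal stated in the
# question); mongod listens on its default port 27017 (used only by probe_mongo);
# netcat is installed for probe_mongo.

# Emit the whole rule set in iptables-restore format. Loading it in one
# transaction avoids the window in the original script where the policy is
# already DROP but the ACCEPT rules have not been added yet.
build_rules() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback in both directions. A client connecting to 127.0.0.1:27017 sends its
# SYN out through lo, so with OUTPUT policy DROP and no "-o lo" rule the SYN is
# dropped before it is looped back to mongod; the INPUT rule alone is not enough.
# Matching on the interface (-i/-o lo) is preferred over -s 127.0.0.1, which
# keys on an address rather than on where the packet actually came from.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Replies to connections that were already accepted
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# SSH in (server) and out (client)
-A INPUT -p tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# Apply atomically; needs root.
apply_rules() {
    build_rules | iptables-restore
}

# Read an "iptables -S OUTPUT" listing on stdin and return 0 when loopback
# egress is accepted (an explicit "-o lo" ACCEPT rule or an ACCEPT policy),
# 1 otherwise. After deploying: iptables -S OUTPUT | check_loopback_egress
check_loopback_egress() {
    grep -Eq '^-P OUTPUT ACCEPT$|^-A OUTPUT -o lo -j ACCEPT$'
}

# Same check for the inbound side on "iptables -S INPUT". Accepts either the
# interface match or the source-address form the poster used.
check_loopback_ingress() {
    grep -Eq '^-P INPUT ACCEPT$|^-A INPUT -i lo -j ACCEPT$|^-A INPUT -s 127\.0\.0\.1(/32)? -j ACCEPT$'
}

# Live test of the symptom from the question: can a local client reach mongod?
probe_mongo() {
    nc -z -w 2 127.0.0.1 "${1:-27017}"
}

# Constructed listing mirroring the poster's OUTPUT chain before the fix
# (DROP policy, state rule, SSH out only), for a stand-alone demonstration.
poster_output_before_fix() {
cat <<'EOF'
-P OUTPUT DROP
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
EOF
}

if [ "${1:-}" = "apply" ]; then
    apply_rules && iptables -S OUTPUT | check_loopback_egress && probe_mongo
fi
```

Run it as root with `sh firewall.sh apply`; the check functions can also be pointed at a live host with `iptables -S OUTPUT | check_loopback_egress`. ip6tables keeps its own table and policies, so ::1 needs the same pair of rules if mongod is reached over IPv6.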
