
Configure Linux iptables Firewall for MongoDB


On contemporary Linux systems, the iptables program provides methods for managing the Linux kernel netfilter (network packet filtering) capabilities. These firewall rules enable administrators to control which hosts can connect to the system, and reduce risk exposure by limiting the hosts that can connect to it.

Rules in iptables configurations fall into chains, which describe the process for filtering and processing specific streams of traffic. Chains have an order, and packets must pass through earlier rules in a chain to reach later rules. Only the following chains are addressed here:

  • INPUT — Controls all incoming traffic
  • OUTPUT — Controls all outgoing traffic

The default policy of iptables is to allow all connections and traffic unless explicitly disabled.

Note

If you have used the port configuration setting to configure different ports, you must modify the rules accordingly.

Allow traffic from the BMC Digital Workplace and Smart IT server to and from mongod Instances

This pattern is applicable to all mongod instances running as stand-alone instances or as part of a replica set.

The goal of this pattern is to explicitly allow traffic to the mongod instance from the BMC Digital Workplace and Smart IT server. In the following examples, replace <ip-address> with the IP address of the BMC Digital Workplace and Smart IT server:

iptables -A INPUT -s <ip-address> -p tcp --destination-port 27017 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -d <ip-address> -p tcp --source-port 27017 -m state --state ESTABLISHED -j ACCEPT

The first rule allows all incoming traffic from <ip-address> on port 27017, which allows the application server to connect to the mongod instance. The second rule allows outgoing traffic from the mongod instance to reach the application server.

Change default policy to DROP

The default policy for iptables chains is to allow all traffic. After completing all iptables configuration changes, you must change the default policy to DROP so that all traffic that is not explicitly allowed will be unable to reach components of the MongoDB deployment. To change this policy, issue the following commands:

iptables -P INPUT DROP
iptables -P OUTPUT DROP

Make all iptables rules persistent

By default, all iptables rules are stored in memory only. When your system restarts, your firewall rules revert to their defaults. When you have tested a rule set and have guaranteed that it effectively controls traffic, you can use the following operations to make the rule set persistent:

On Red Hat Enterprise Linux, Fedora Linux, and related distributions, issue the following command:

service iptables save

On Debian, Ubuntu, and related distributions, use the following command to dump the iptables rules to the /etc/iptables.conf file:

iptables-save > /etc/iptables.conf

Run the following operation to restore the network rules:

iptables-restore < /etc/iptables.conf

Add this command to the rc.local file or the /etc/network/if-up.d/iptables file with other similar operations.
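The allow rules and the policy change above, as an added example script (not part of the original page or of BMC's product): it generates the iptables commands for one or more application-server addresses, prints them for review, and loads them only when asked. The option names (-p, --apply) and the multi-address support are assumptions; the rule text itself matches the page.

```shell
#!/bin/sh
# Builds the mongod firewall rule set for one or more application-server
# addresses. ACCEPT rules are emitted before the DROP policies, the order
# the page requires, so the policies never take effect before the rules exist.
# Assumed usage: ./mongod-fw.sh [-p PORT] [--apply] IP [IP ...]

# Accept only a plain dotted-quad IPv4 address, so a typo cannot silently
# become a rule that matches nothing.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(printf '%s' "$1" | tr '.' ' '); do [ "$o" -le 255 ] || return 1; done
}

# Print the iptables commands for PORT and the given addresses, in apply order.
# Each host gets the page's INPUT/OUTPUT pair; the DROP policies come last.
mongod_rules() {
    port="$1"; shift
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; return 1; }
        echo "iptables -A INPUT -s $ip -p tcp --destination-port $port -m state --state NEW,ESTABLISHED -j ACCEPT"
        echo "iptables -A OUTPUT -d $ip -p tcp --source-port $port -m state --state ESTABLISHED -j ACCEPT"
    done
    # After these two commands nothing else reaches or leaves the host (including
    # SSH) unless an ACCEPT rule for it was appended above.
    echo "iptables -P INPUT DROP"
    echo "iptables -P OUTPUT DROP"
}

main() {
    port=27017; apply=0   # 27017 is the default mongod port used on the page
    while [ "$#" -gt 0 ]; do
        case "$1" in
            -p) port="$2"; shift 2 ;;
            --apply) apply=1; shift ;;
            *) break ;;
        esac
    done
    [ "$#" -ge 1 ] || { echo "usage: $0 [-p PORT] [--apply] IP [IP ...]" >&2; return 2; }
    rules=$(mongod_rules "$port" "$@") || return 1
    echo "$rules"
    if [ "$apply" -eq 1 ]; then
        echo "$rules" | sh -e    # requires root; stops at the first failing command
    fi
    # Persistence (service iptables save / iptables-save) is a separate step, as above.
}

# Run only when invoked with arguments, so the file can also be sourced for testing.
if [ "$#" -ge 1 ]; then main "$@"; fi
```

Review the printed commands first; run with --apply only from a console session that cannot be locked out by the OUTPUT DROP policy.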
