Configure Linux iptables Firewall for MongoDB
On contemporary Linux systems, the iptables program provides methods for managing the Linux kernel's netfilter (network packet filtering) capabilities. These firewall rules let administrators control which hosts can connect to the system, and reduce exposure by restricting the set of hosts that can reach it.
Rules in iptables configurations fall into chains, which describe the process for filtering and processing specific streams of traffic. Chains have an order, and packets must pass through earlier rules in a chain to reach later rules. Only the following chains are addressed here:
- INPUT — Controls all incoming traffic
- OUTPUT — Controls all outgoing traffic
The default policy of iptables is to allow all connections and traffic unless explicitly disabled.
Allow traffic from the MyIT and Smart IT server to and from mongod Instances
This pattern is applicable to all mongod instances running as stand-alone instances or as part of a replica set.
The goal of this pattern is to explicitly allow traffic to the mongod instance from the MyIT and Smart IT server. In the following examples, replace <ip-address> with the IP address of the MyIT and Smart IT server:
iptables -A INPUT -s <ip-address> -p tcp --destination-port 27017 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -d <ip-address> -p tcp --source-port 27017 -m state --state ESTABLISHED -j ACCEPT
The first rule allows all incoming traffic from <ip-address> on port 27017, which allows the application server to connect to the mongod instance. The second rule allows outgoing traffic from the mongod instance to reach the application server.
Change default policy to DROP
The default policy for iptables chains is to allow all traffic. After completing all iptables configuration changes, you must change the default policy to DROP so that any traffic that is not explicitly allowed cannot reach components of the MongoDB deployment. To change this policy, issue the following commands:
iptables -P INPUT DROP
iptables -P OUTPUT DROP
Make all iptables rules persistent
By default, all iptables rules are stored in memory only. When your system restarts, your firewall rules revert to their defaults. When you have tested a rule set and have guaranteed that it effectively controls traffic, you can use the following operations to make the rule set persistent:
On Red Hat Enterprise Linux, Fedora Linux, and related distributions, issue the following command:
service iptables save
On Debian, Ubuntu, and related distributions, use the following command to dump the iptables rules to the /etc/iptables.conf file:
iptables-save > /etc/iptables.conf
Run the following operation to restore the network rules:
iptables-restore < /etc/iptables.conf
Add this command to the rc.local file or the /etc/network/if-up.d/iptables file with other similar operations.
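The following is an added example, not part of the original page: a small POSIX shell script that renders the rule set described above (per-host ACCEPT rules for port 27017 plus a default DROP policy on INPUT and OUTPUT) in the iptables-save file format, so it can be reviewed and then loaded with iptables-restore. The function names, the address validation and the sample addresses (192.0.2.10, 198.51.100.7) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original page. Generates an iptables-save style
# ruleset for the MyIT / Smart IT -> mongod pattern. It does not touch the live
# firewall; review the output, write it to /etc/iptables.conf, then load it with:
#   iptables-restore < /etc/iptables.conf
MONGOD_PORT=27017

# Return 0 if $1 is a dotted-quad IPv4 address (syntax check only), else 1.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Print a complete filter-table ruleset for the given application server
# addresses. INPUT and OUTPUT default to DROP, as required once the allow
# rules are in place; FORWARD is not addressed, matching the page's scope.
# Fails (exit 1) without printing rules if any address is malformed.
render_rules() {
    for ip in "$@"; do
        is_ipv4 "$ip" || { echo "invalid address: $ip" >&2; return 1; }
    done
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':OUTPUT DROP [0:0]'
    for ip in "$@"; do
        # Inbound connections from the app server to mongod on 27017
        echo "-A INPUT -s $ip -p tcp --destination-port $MONGOD_PORT -m state --state NEW,ESTABLISHED -j ACCEPT"
        # Replies from mongod back to the app server (established flows only)
        echo "-A OUTPUT -d $ip -p tcp --source-port $MONGOD_PORT -m state --state ESTABLISHED -j ACCEPT"
    done
    echo 'COMMIT'
}

# Constructed sample: two application server addresses from the documentation
# range 192.0.2.0/24 and 198.51.100.0/24.
render_rules 192.0.2.10 198.51.100.7
```

With the DROP policy in place, any traffic not listed here, including the host's own loopback connections and outbound name resolution, is blocked until you add explicit rules for it.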