Configure Linux iptables Firewall for MongoDB

On contemporary Linux systems, the iptables program provides methods for managing the Linux kernel's netfilter, or network packet filtering, capabilities. These firewall rules make it possible for administrators to control which hosts can connect to the system, and so limit risk exposure by restricting the hosts that can reach it.

This document outlines basic firewall configurations for iptables firewalls on Linux. Use these approaches as a starting point for your larger networking organization. For a detailed overview of security practices and risk management for MongoDB, see Security.

See also

For MongoDB deployments on Amazon's web services, see the Amazon EC2 page, which addresses Amazon's Security Groups and other EC2-specific security features.

Overview

Rules in iptables configurations fall into chains, which describe the process for filtering and processing specific streams of traffic. Chains have an order, and packets must pass through earlier rules in a chain to reach later rules. This document addresses only the following two chains:

  • INPUT: Controls all incoming traffic.
  • OUTPUT: Controls all outgoing traffic.

Given the default ports of all MongoDB processes, you must configure networking rules that permit _only_ required communication between your application and the appropriate mongod and mongos instances.

Be aware that the default policy of iptables is to allow all connections and traffic unless explicitly disabled. The configuration changes outlined in this document create rules that explicitly allow traffic from specific addresses and on specific ports, combined with a default policy that drops all traffic that is not explicitly allowed. When you have properly configured your iptables rules to allow only the traffic that you want to permit, you can Change Default Policy to DROP.

Patterns

This section contains a number of patterns and examples for configuring iptables for use with MongoDB deployments. If you have configured different ports using the port configuration setting, you will need to modify the rules accordingly.

Traffic to and from mongod Instances

This pattern is applicable to all mongod instances running as standalone instances or as part of a replica set.

The goal of this pattern is to explicitly allow traffic to the mongod instance from the application server. In the following examples, replace <ip-address> with the IP address of the application server:

    iptables -A INPUT -s <ip-address> -p tcp --destination-port 27017 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -d <ip-address> -p tcp --source-port 27017 -m state --state ESTABLISHED -j ACCEPT

The first rule allows all incoming traffic from <ip-address> on port 27017, which allows the application server to connect to the mongod instance. The second rule allows outgoing traffic from the mongod to reach the application server.

Optional

If you have only one application server, you can replace <ip-address> with the IP address itself, such as 198.51.100.55, or with the equivalent CIDR notation, 198.51.100.55/32. If you want to permit a larger block of possible IP addresses, you can allow traffic from a /24 by using one of the following specifications for <ip-address>:

    10.10.10.10/24
    10.10.10.10/255.255.255.0

Traffic to and from mongos Instances

mongos instances provide query routing for sharded clusters. Clients connect to mongos instances, which behave from the client's perspective as mongod instances. In turn, the mongos connects to all mongod instances that are components of the sharded cluster.

Use the same iptables command to allow traffic to and from these instances as you would from the mongod instances that are members of the replica set. Take the configuration outlined in the Traffic to and from mongod Instances section as an example.

Traffic to and from a MongoDB Config Server

Config servers host the config database that stores metadata for sharded clusters. Config servers listen for connections on port 27019. As a result, add the following iptables rules to the config server to allow incoming and outgoing connections on port 27019, for connections to the other config servers.

    iptables -A INPUT -s <ip-address> -p tcp --destination-port 27019 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -d <ip-address> -p tcp --source-port 27019 -m state --state ESTABLISHED -j ACCEPT

Replace <ip-address> with the address or address space of _all_ the mongod instances that serve as config servers.

Additionally, config servers need to allow incoming connections from all of the mongos instances in the cluster and all mongod instances in the cluster. Add rules that resemble the following:

    iptables -A INPUT -s <ip-address> -p tcp --destination-port 27019 -m state --state NEW,ESTABLISHED -j ACCEPT

Replace <ip-address> with the address of the mongos instances and the shard mongod instances.

Traffic to and from a MongoDB Shard Server

Shard servers default to port number 27018. You must configure the following iptables rules to allow traffic to and from each shard:

    iptables -A INPUT -s <ip-address> -p tcp --destination-port 27018 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -d <ip-address> -p tcp --source-port 27018 -m state --state ESTABLISHED -j ACCEPT

Replace the <ip-address> specification with the IP addresses of all mongod instances. This permits incoming and outgoing traffic between all shards, including their constituent replica set members, to:

  • all mongod instances in the shard’s replica sets.
  • all mongod instances in other shards. [1]

Furthermore, shards need to be able to make outgoing connections to:

  • all mongod instances in the config servers.

Create a rule that resembles the following, and replace the <ip-address> with the address of the config servers and the mongos instances:

    iptables -A OUTPUT -d <ip-address> -p tcp --source-port 27018 -m state --state ESTABLISHED -j ACCEPT

[1] All shards in a cluster need to be able to communicate with all other shards to facilitate chunk and balancing operations.

Provide Access For Monitoring Systems

The mongostat diagnostic tool, when running with the --discover option, needs to be able to reach all components of a cluster, including the config servers, the shard servers, and the mongos instances.

Changed in version 3.6: MongoDB 3.6 removes the deprecated HTTP interface and REST API to MongoDB.

Change Default Policy to DROP

The default policy for iptables chains is to allow all traffic. After completing all iptables configuration changes, you must change the default policy to DROP so that all traffic that isn't explicitly allowed as above will not be able to reach components of the MongoDB deployment. Issue the following commands to change this policy:

    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
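As an added example (not from the MongoDB documentation), the following POSIX shell script assembles the rules from the patterns above for one host and prints them for review, ACCEPT rules first and the DROP policies last; the role names, the port_for_role and mongo_fw_rules functions, and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example, not part of the MongoDB documentation: print the iptables
# commands for one MongoDB host, following the patterns on this page, so the
# complete rule set can be reviewed before it is applied.
# Usage: mongo_fw_rules <role> <peer-address>...   (role and function names
# are assumptions; peers are addresses or CIDR blocks allowed to talk to the host)

# Map a role to its default port: mongod/mongos 27017, shard 27018, config 27019.
port_for_role() {
    case "$1" in
        mongod|mongos) echo 27017 ;;
        shard)         echo 27018 ;;
        config)        echo 27019 ;;
        *) echo "unknown role: $1" >&2; return 1 ;;
    esac
}

# Print the INPUT/OUTPUT rule pair that allows one peer on one port.
allow_peer() {
    port=$1; peer=$2
    printf 'iptables -A INPUT -s %s -p tcp --destination-port %s -m state --state NEW,ESTABLISHED -j ACCEPT\n' "$peer" "$port"
    printf 'iptables -A OUTPUT -d %s -p tcp --source-port %s -m state --state ESTABLISHED -j ACCEPT\n' "$peer" "$port"
}

# Emit the whole procedure: every ACCEPT rule first, the DROP policies last,
# so the host is never left with a DROP policy and no ACCEPT rules. The DROP
# policy also covers any other traffic to or from this host (an administrative
# SSH session, for example), so allow that traffic before applying the output.
mongo_fw_rules() {
    role=$1; shift
    port=$(port_for_role "$role") || return 1
    [ $# -gt 0 ] || { echo "no peer addresses given" >&2; return 1; }
    for peer in "$@"; do
        allow_peer "$port" "$peer"
    done
    echo 'iptables -P INPUT DROP'
    echo 'iptables -P OUTPUT DROP'
}

# Constructed sample: a shard server reachable from one /24 and one host.
# Pipe the output to sh (as root) to apply it.
mongo_fw_rules shard 10.10.10.0/24 198.51.100.55/32
```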

Manage and Maintain iptables Configuration

This section contains a number of basic operations for managing and using iptables. There are various front-end tools that automate some aspects of iptables configuration, but at the core all iptables front ends provide the same basic functionality:

Make all iptables Rules Persistent

By default, all iptables rules are only stored in memory. When your system restarts, your firewall rules will revert to their defaults. When you have tested a rule set and confirmed that it effectively controls traffic, use the following operations to make the rule set persistent.

On Red Hat Enterprise Linux, Fedora Linux, and related distributions you can issue the following command:

    service iptables save

On Debian, Ubuntu, and related distributions, you can use the following command to dump the iptables rules to the /etc/iptables.conf file:

    iptables-save > /etc/iptables.conf

Run the following operation to restore the network rules:

    iptables-restore < /etc/iptables.conf

Place this command in your rc.local file, or in the /etc/network/if-up.d/iptables file with other similar operations.
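Before a saved rule set is restored on boot it is worth checking that it still has the properties this page requires; the following POSIX shell audit, an added example rather than anything from the MongoDB documentation, reads a file in iptables-save format and reports a chain policy that is not DROP or an ACCEPT on a MongoDB port with no source restriction (the function names, the MONGO_PORTS list and the sample dump are assumptions).

```shell
#!/bin/sh
# Added example, not part of the MongoDB documentation: audit a rule set saved
# with iptables-save for the two properties the procedure above requires: a
# DROP policy on INPUT and OUTPUT, and no ACCEPT rule for a MongoDB port that
# lacks a source (-s) restriction. Prints one line per finding; exit 0 is clean.

MONGO_PORTS='27017 27018 27019'   # mongod/mongos, shard, config defaults

audit_mongo_rules() {
    dump=$1; rc=0
    for chain in INPUT OUTPUT; do
        # iptables-save records a chain policy as ':CHAIN POLICY [pkts:bytes]'.
        grep -q "^:$chain DROP" "$dump" || { echo "$chain policy is not DROP"; rc=1; }
    done
    for port in $MONGO_PORTS; do
        # iptables-save writes --destination-port as --dport. An ACCEPT on a
        # MongoDB port with no -s/--source match admits every host.
        n=$(grep -E -- "--dport $port .*-j ACCEPT" "$dump" \
                | grep -c -v -E -- '(-s|--source) ' || true)
        [ "$n" -eq 0 ] || { echo "port $port: $n ACCEPT rule(s) without a source restriction"; rc=1; }
    done
    return $rc
}

# Constructed sample dump with two deliberate findings: the OUTPUT policy left
# at ACCEPT, and an unrestricted ACCEPT for the shard port.
write_sample_dump() {
    cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 198.51.100.55/32 -p tcp -m tcp --dport 27017 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 27018 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -d 198.51.100.55/32 -p tcp -m tcp --sport 27017 -m state --state ESTABLISHED -j ACCEPT
COMMIT
EOF
}

sample=$(mktemp)
write_sample_dump "$sample"
audit_mongo_rules "$sample" || echo "sample dump failed the audit (expected)"
rm -f "$sample"
```

To audit a live configuration, run `audit_mongo_rules /etc/iptables.conf` on the file written by iptables-save.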

List all iptables Rules

To list all currently applied iptables rules, use the following operation at the system shell:

    iptables -L

Flush all iptables Rules

If you make a configuration mistake when entering iptables rules or simply need to revert to the default rule set, you can use the following operation at the system shell to flush all rules:

    iptables -F

If you've already made your iptables rules persistent, you will need to repeat the appropriate procedure in the Make all iptables Rules Persistent section.