我有一个带有mongodb(2.0.4)的VM(Ubuntu 12.04.4 LTS),我想用iptables限制只接受SSH(进/出)而不是别的.这就是我的设置脚本设置规则的方式:
#!/bin/sh
# DROP everything
iptables -F
iptables -X
iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP
# input
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -s 127.0.0.1 -j ACCEPT # accept all ports for local conns
# output
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT # ssh
但是这些规则被激活后,我无法在本地连接到mongodb.
ubuntu ~ $ mongo
MongoDB shell version: 2.0.4
connecting to: test
Fri Mar 28 09:40:40 Error: couldn't connect to server 127.0.0.1 shell/mongo.js:84
exception: connect failed
没有它们,它工作正常.在部署mongodb时是否需要考虑特殊的防火墙案例?
我尝试安装mysql,它适用于本地连接.SSH按预期工作(可以从外部和内部连接).
一旦设置,iptables规则就像这样:
ubuntu ~ $ sudo iptables -nvL
Chain INPUT (policy DROP 8 packets, 1015 bytes)
pkts bytes target prot opt in out source destination
449 108K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- * * 127.0.0.1 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
32 2048 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 27 packets, 6712 bytes)
pkts bytes target prot opt in out source destination
379 175K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
环回(127.0.0.1)也必须接受出站流量.
添加这个使它工作:
iptables -A OUTPUT -o lo -j ACCEPT
| 归档时间: |
|
| 查看次数: |
1400 次 |
| 最近记录: |