|
2 | 2 | Configure Linux ``iptables`` Firewall for MongoDB |
3 | 3 | ================================================= |
4 | 4 |
|
5 | | -The ``iptables`` program manages the firewall rules on Linux and |
6 | | -typically comes built in with each Linux distribution. For this |
7 | | -article we only need to worry about two ``iptables`` chains: |
| 5 | +On contemporary Linux systems, the ``iptables`` program provides |
| 6 | +methods for managing the Linux Kernel's ``netfilter`` or network |
| 7 | +packet filtering capabilities. These firewall rules make it possible |
| 8 | +for administrators to control what hosts can connect to the system, |
| 9 | +and limit risk exposure by limiting the hosts that can connect to a |
| 10 | +system. |
| 11 | + |
| 12 | +This document outlines basic firewall configurations for ``iptables`` |
| 13 | +firewalls on Linux. Use these approaches as a starting point for your |
| 14 | +larger networking organization. For a detailed over view of security |
| 15 | +practices and risk management for MongoDB, see :doc:`/core/security`. |
| 16 | + |
| 17 | +Overview |
| 18 | +-------- |
| 19 | + |
| 20 | +Rules in ``iptables`` configurations fall into chains, which describe |
| 21 | +the process for filtering and processing specific streams of |
| 22 | +traffic. Chains have an order, and packets must pass through earlier |
| 23 | +rules in a chain to reach later rules. This document only the |
| 24 | +following two chains: |
| 25 | + |
| 26 | +``INPUT`` |
| 27 | + Controls all incoming traffic. |
| 28 | + |
| 29 | +``OUTPUT`` |
| 30 | + Controls all outgoing traffic. |
| 31 | + |
| 32 | +Given the :ref:`default ports <security-port-numbers>` of all MongoDB |
| 33 | +processes, you must configure networking rules that permit *only* |
| 34 | +required communication between your application and the appropriate |
| 35 | +:program:`mongod` and :program:`mongos` instances. |
| 36 | + |
| 37 | +Be aware that, by default, the default policy of ``iptables`` is to |
| 38 | +allow all connections and traffic unless explicitly disabled. THe |
| 39 | +configuration changes outlined in this document will create rules that |
| 40 | +explicitly allow traffic from specific addresses and on specific ports |
| 41 | +ports, using a default policy that drops all traffic that is not |
| 42 | +explicitly allowed. When you have properly configured your |
| 43 | +``iptables`` rules to allow only the traffic that you want to permit, |
| 44 | +you can :ref:`iptables-change-default-policy-to-drop`. |
| 45 | + |
| 46 | +Patterns |
| 47 | +-------- |
| 48 | + |
| 49 | +This section contains a number of patterns and examples for |
| 50 | +configuring ``iptables`` for use with MongoDB deployments. If you have |
| 51 | +configured different ports using the :setting:`port` configuration |
| 52 | +setting, you will need to modify the rules accordingly. |
| 53 | + |
| 54 | +.. _iptables-basic-rule-set: |
| 55 | + |
| 56 | +Traffic to and from ``mongod`` Instances |
| 57 | +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 58 | + |
| 59 | +This pattern is applicable to all :program:`mongod` instances running |
| 60 | +as standalone instances or as part of a :term:`replica set`. |
| 61 | + |
| 62 | +The goal of this pattern is to explicitly allow traffic to the |
| 63 | +:program:`mongod` instance from the application server. In the |
| 64 | +following examples, replace ``<ip-address>`` with the IP address of |
| 65 | +the application server: |
8 | 66 |
|
9 | | -Input: filters traffic destined for the firewall |
| 67 | +.. code-block:: sh |
10 | 68 |
|
11 | | -Output: filters traffic from the firewall |
| 69 | + iptables -A INPUT -s <ip-address> -p tcp --destination-port 27017 -m state --state NEW,ESTABLISHED -j ACCEPT |
| 70 | + iptables -A OUTPUT -d <ip-address> -p tcp --source-port 27017 -m state --state ESTABLISHED -j ACCEPT |
12 | 71 |
|
13 | | -By default, ``iptables`` allows all connections so it's a good idea |
14 | | -to change the default chain policy to DROP: |
| 72 | +The first rule allows all incoming traffic from ``<ip-address>`` on |
| 73 | +port ``27017``, which allows the application server to connect to the |
| 74 | +:program:`mongod` instance. The second rule, allows ougoing traffic |
| 75 | +from the :program:`mongod` to reach the application serer. |
| 76 | + |
| 77 | +.. optional:: |
| 78 | + |
| 79 | + If you have only one application server, you can replace |
| 80 | + ``<ip-address>`` with either the IP address itself, such as: |
| 81 | + ``198.51.100.55``. You can also express this using CIDR notation as |
| 82 | + ``198.51.100.55/32``. If you want to permit a larger block of |
| 83 | + possible IP addresses you can allow traffic from a ``/24`` using |
| 84 | + one of the following specifications for the ``<ip-address>``, as |
| 85 | + follows: |
| 86 | + |
| 87 | + .. code-block:: sh |
| 88 | + |
| 89 | + 10.10.10.10/24 |
| 90 | + 10.10.10.10/255.255.255.0 |
| 91 | + |
| 92 | +Traffic to and from ``mongos`` Instances |
| 93 | +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 94 | + |
| 95 | +:program:`mongos` instances provide query routing for :term:`sharded |
| 96 | +clusters sharded`. Clients connect to :program:`mongos` instances, |
| 97 | +which behave from the client's perspective as :program:`mongod` |
| 98 | +instances. In turn, the :program:`mongos` connects to all |
| 99 | +:program:`mongod` instances that are components of the sharded |
| 100 | +cluster. |
| 101 | + |
| 102 | +Use the same ``iptables`` command to allow traffic to and from these |
| 103 | +instances as you would from the :program:`mongod` instances that are |
| 104 | +members of the replica set. Take the configuration outlined in the |
| 105 | +:ref:`iptables-basic-rule-set` section as an example. |
| 106 | + |
| 107 | +Traffic to and from a MongoDB Config Server |
| 108 | +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 109 | + |
| 110 | +Config servers, host the :term:`config database` that stores metadata |
| 111 | +for sharded clusters. Each production shard cluster has three config |
| 112 | +servers, initiated using the :option:`mongod --configsvr` |
| 113 | +option. [#config-option]_ Config servers listen for connections on the |
| 114 | +``27019``. As a result, add the following ``iptables`` rules to the |
| 115 | +config server to allow incoming and outgoing connection on port |
| 116 | +``27019``, for connection to the other config servers. |
15 | 117 |
|
16 | 118 | .. code-block:: sh |
17 | 119 |
|
18 | | - iptables -P INPUT DROP |
19 | | - |
20 | | - iptables -P OUTPUT DROP |
21 | | - |
22 | | -This ensures that any traffic to/from the :program:`mongod` server has |
23 | | -to be explicitly allowed. |
| 120 | + iptables -A INPUT -s <ip-address> -p tcp --destination-port 27019 -m state --state NEW,ESTABLISHED -j ACCEPT |
| 121 | + iptabwles -A OUTPUT -d <ip-address> -p tcp --source-port 27019 -m state --state ESTABLISHED -j ACCEPT |
24 | 122 |
|
25 | | -Traffic to/from a Standalone MongoDB Instance or Replica-Set |
26 | | -MongoDB Instance (mongod) |
| 123 | +Replace ``<ip-address>`` with the address or address space of *all* |
| 124 | +the :program:`mongod` that provide config servers. |
27 | 125 |
|
28 | | -To explicitly allow :program:`mongod` traffic to the database server |
29 | | -running :program:`mongod` from the app server (represented by |
30 | | -``<ip-address>``): |
| 126 | +Additionally, config servers need to allow incoming connections from |
| 127 | +all of the :program:`mongos` instances in the cluster *and* all |
| 128 | +:program:`mongod` instances in the shard cluster. Add rules that |
| 129 | +resemble the following: |
31 | 130 |
|
32 | 131 | .. code-block:: sh |
33 | 132 |
|
34 | | - iptables -A INPUT -s <ip-address> -p tcp --destination-port 27017 -m state --state NEW,ESTABLISHED -j ACCEPT |
| 133 | + iptables -A INPUT -s <ip-address> -p tcp --destination-port 27019 -m state --state NEW,ESTABLISHED -j ACCEPT |
35 | 134 |
|
36 | | -and back to the app server from the database server: |
| 135 | +Replace ``<ip-address>`` with the address address of the |
| 136 | +:program:`mongos` instances and the shard :program:`mongod` |
| 137 | +instances. |
37 | 138 |
|
38 | | -.. code-block:: sh |
| 139 | +.. [#config-option] You can also run a config server by setting the |
| 140 | + :setting:`configsvr` option in a configuration file. |
39 | 141 |
|
40 | | - iptables -A OUTPUT -d <ip-address> -p tcp --source-port 27017 -m state --state ESTABLISHED -j ACCEPT |
| 142 | +Traffic to and from a MongoDB Shard Server |
| 143 | +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
41 | 144 |
|
42 | | -Note: If you have one app-server (e.g. 10.10.10.10), then host can |
43 | | -be represented by |
| 145 | +For shard servers, running as :option:`mongod --shardsvr` |
| 146 | +[#shard-option]_ Because the default port number when running with |
| 147 | +:setting:`shardsvr` is ``27018``, you must configure the following |
| 148 | +``iptables`` rules to allow traffic to and from each shard: |
44 | 149 |
|
45 | 150 | .. code-block:: sh |
46 | 151 |
|
47 | | - 10.10.10.10 or 10.10.10.10/32 |
48 | | - |
49 | | -whereas for a /24 network, it can be |
50 | | - |
51 | | -.. code-block:: sh |
| 152 | + iptables -A INPUT -s <ip-address> -p tcp --destination-port 27018 -m state --state NEW,ESTABLISHED -j ACCEPT |
| 153 | + iptables -A OUTPUT -d <ip-address> -p tcp --source-port 27018 -m state --state ESTABLISHED -j ACCEPT |
52 | 154 |
|
53 | | - 10.10.10.10/24 |
| 155 | +Replace the ``<ip-address>`` specification with the IP address of all |
| 156 | +:program:`mongod`. This allows you to permit incoming and outgoing |
| 157 | +traffic between all shards including constituent replica set members, |
| 158 | +to: |
54 | 159 |
|
55 | | -or |
| 160 | +- all :program:`mongod` instances in the shard's replica sets. |
56 | 161 |
|
57 | | -.. code-block:: sh |
| 162 | +- all :program:`mongod` instances in other shards. [#migrations]_ |
58 | 163 |
|
59 | | - 10.10.10.10/255.255.255.0 |
| 164 | +Furthermore, shards need to be able make outgoing connections to: |
60 | 165 |
|
61 | | -Traffic to/from a MongoDB Query Router (mongos) |
62 | | -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 166 | +- all :program:`mongos` instances. |
63 | 167 |
|
64 | | -The above firewall rules will also typically apply to the |
65 | | -:program:`mongos` |
66 | | -server as it listens on TCP port 27017, by default, with |
67 | | -<ip-address> still representing the app server. |
| 168 | +- all :program:`mongod` instances in the config servers. |
68 | 169 |
|
69 | | -Traffic to/from a MongoDB Config Server (mongod --configsvr) |
70 | | -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
71 | | - |
72 | | -On the config server, by default, the :program:`mongod` binary listens on |
73 | | -port 27019 and, therefore, the iptables rules become: |
| 170 | +Create a rule that resembles the following, and replace the |
| 171 | +``<ip-address>`` with the address of the config servers and the |
| 172 | +:program:`mongos` instances: |
74 | 173 |
|
75 | 174 | .. code-block:: sh |
76 | 175 |
|
77 | | - iptables -A INPUT -s <ip-address> -p tcp --destination-port 27019 -m state --state NEW,ESTABLISHED -j ACCEPT |
| 176 | + iptables -A OUTPUT -d <ip-address> -p tcp --source-port 27018 -m state --state ESTABLISHED -j ACCEPT |
78 | 177 |
|
79 | | -and back to the Config server from the :program:`mongos` server - |
| 178 | +.. [#shard-option] You can also specify the shard server option using |
| 179 | + the :setting:`shardsvr` setting in the configuration file. Shard |
| 180 | + members are also often conventional replica sets using the default |
| 181 | + port. |
80 | 182 |
|
81 | | -.. code-block:: sh |
| 183 | +.. [#migrations] All shards in a cluster need to be able to |
| 184 | + communicate with all other shards to facilitate :term:`chunk` and |
| 185 | + balancing operations. |
82 | 186 |
|
83 | | - iptables -A OUTPUT -d <ip-address> -p tcp --source-port 27019 -m state --state ESTABLISHED -j ACCEPT |
| 187 | +.. _iptables-change-default-policy-to-drop: |
84 | 188 |
|
85 | | -Traffic to/from a MongoDB Shard Server (:program:`mongod --shardsvr`) |
86 | | -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 189 | +Change Default Policy to ``DROP`` |
| 190 | +--------------------------------- |
87 | 191 |
|
88 | | -On a shard server, by default, the :program:`mongod` binary listens on port |
89 | | -27018 and, therefore, the ``iptables`` rules become: |
| 192 | +The default policy for ``iptables`` chains is to allow all |
| 193 | +traffic. After completing all ``iptables`` configuration changes, you |
| 194 | +*must* change the default policy to ``DROP`` so that all traffic that |
| 195 | +isn't explicitly allowed as above will not be able to reach components |
| 196 | +of the MongoDB deployment. Issue the following commands to change this |
| 197 | +policy: |
90 | 198 |
|
91 | 199 | .. code-block:: sh |
92 | 200 |
|
93 | | - iptables -A INPUT -s <ip-address> -p tcp --destination-port 27018 -m state --state NEW,ESTABLISHED -j ACCEPT |
| 201 | + iptables -P INPUT DROP |
94 | 202 |
|
95 | | -and back to the config server from the :program:`mongos` server - |
| 203 | + iptables -P OUTPUT DROP |
96 | 204 |
|
97 | | -.. code-block:: sh |
98 | 205 |
|
99 | | - iptables -A OUTPUT -d <ip-address> -p tcp --source-port 27018 -m state --state ESTABLISHED -j ACCEPT |
| 206 | +Manage and Maintain ``iptables`` Configuration |
| 207 | +---------------------------------------------- |
100 | 208 |
|
101 | | -In a sharded infrastructure, the :program:`mongos` router needs |
102 | | -to connect to :program:`mongod` shard servers and the shard servers |
103 | | -need to connect and communicate amongst themselves. |
| 209 | +This section contains a number of basic operations for managing and |
| 210 | +using ``iptables``. There are various front end tools that automate |
| 211 | +some aspects of ``iptables`` configuration, but at the core all |
| 212 | +``iptables`` front ends provide the same basic functionality: |
104 | 213 |
|
105 | | -Back-Out & Flush iptables rules |
106 | | -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 214 | +.. _iptables-make-all-rules-persistent: |
107 | 215 |
|
108 | | -To remove the ``iptables`` firewall rules and revert to the default |
109 | | -action of each chain, it is possible to flush all existing rules |
110 | | -as follows: |
| 216 | +Make all ``iptables`` Rules Persistent |
| 217 | +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
111 | 218 |
|
112 | | -iptables –F |
| 219 | +By default all ``iptables`` rules are are only stored in memory. When |
| 220 | +your system restarts, your firewall rules will revert to their |
| 221 | +defaults. When you have tested a rule set and have guaranteed that it |
| 222 | +effectively controls traffic you can use the following operations to |
| 223 | +you should make the rule set persistent. |
113 | 224 |
|
114 | | -This change is only temporary as it only affects the rulebase in |
115 | | -memory. For example, a restart: |
| 225 | +On Red Hat Enterprise Linux, Fedora Linux, and related distributions |
| 226 | +you can issue the following command: |
116 | 227 |
|
117 | 228 | .. code-block:: sh |
118 | 229 |
|
119 | | - iptables stop && iptables start |
| 230 | + service iptables save |
| 231 | + |
| 232 | +On Debian, Ubuntu, and related distributions, you can use the |
| 233 | +following command to dump the ``iptables`` rules to the |
| 234 | +``/etc/iptables.conf`` file: |
| 235 | + |
| 236 | +.. code-block:: sh |
120 | 237 |
|
121 | | -will result in the original rules returning. |
122 | | -Therefore, to make the flush permanent, you need to save the change: |
| 238 | + iptables-save > /etc/iptables.conf |
| 239 | + |
| 240 | +Run the following operation to restore the network rules: |
123 | 241 |
|
124 | 242 | .. code-block:: sh |
125 | 243 |
|
126 | | - service iptables save |
| 244 | + iptables-restore < /etc/iptables.conf |
127 | 245 |
|
128 | | -View iptables rules |
| 246 | +Place this command in your ``rc.local`` file, or in the |
| 247 | +``/etc/network/if-up.d/iptables`` file with other similar operations.q |
129 | 248 |
|
130 | | -To view the ``iptables`` firewall rules: |
| 249 | +List all ``iptables`` Rules |
| 250 | +~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 251 | + |
| 252 | +To list all of currently applied ``iptables`` rules, use the following |
| 253 | +operation at the system shell. |
131 | 254 |
|
132 | 255 | .. code-block:: sh |
133 | 256 |
|
134 | | - iptables –L |
| 257 | + iptables --L |
| 258 | + |
135 | 259 |
|
| 260 | +Flush all ``iptables`` Rules |
| 261 | +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
136 | 262 |
|
137 | | -This is only a high-level, MongoDB specific introduction to |
138 | | -`iptables` rules. |
| 263 | +If you make a configuration mistake when entering ``iptables`` rules |
| 264 | +or simply need to revert to the default rule set, you can use the |
| 265 | +following operation at the system shell to flush all rules: |
| 266 | + |
| 267 | +.. code-block:: sh |
139 | 268 |
|
140 | | -There are a substantial amount of free resources on the Internet |
141 | | -regarding ``iptables`` configurations. It is also possible to |
142 | | -configure ``iptables`` through a GUI, however, this is not within |
143 | | -scope for this tutorial. |
| 269 | + iptables --F |
144 | 270 |
|
| 271 | +If you've already made your ``iptables`` rules persistent, you will |
| 272 | +need to repeate the appropriate procedure in the |
| 273 | +:ref:`iptables-make-all-rules-persistent` section. |
0 commit comments