3

这是我的 iptables 配置:

sudo iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere            
  859  103K ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
    5   260 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh
    3   230 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:27017
    4   208 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:28017
    0     0 ACCEPT     all  --  any    any     localhost            anywhere            
    0     0 ACCEPT     all  --  any    any     111.111.111.111      anywhere            
    0     0 ACCEPT     all  --  any    any     222.222.222.222      anywhere            
   64  3844 DROP       all  --  any    any     anywhere             anywhere            

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 764 packets, 227K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  any    any     localhost            anywhere            
    0     0 ACCEPT     all  --  any    any     111.111.111.111      anywhere            
    0     0 ACCEPT     all  --  any    any     222.222.222.222      anywhere

如果我在浏览器中写入 ip,如果我的 mongodb 服务器使用端口 28017,我可以看到提示输入用户名和密码:

#ip mongodb server
000.000.000.000:28017

我想对除了这两个 ip 之外的任何人关闭 mongodb 端口:

111.111.111.111
222.222.222.222

我该怎么做?

4

3 回答 3

4

你能试试下面的iptables规则吗

-A INPUT -m state --state NEW -p tcp --destination-port 27017 -s 111.111.111.111 -j ACCEPT
-A INPUT -m state --state NEW -p tcp --destination-port 27017 -s 222.222.222.222 -j ACCEPT

看起来您忘记输入源 IP 标志了。

于 2013-04-08T10:41:36.943 回答
2

我已经删除了我的 iptables 这两行:

-A INPUT -p tcp -m tcp --dport 27017 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 28017 -j ACCEPT

现在无法从任何 ip 访问 mongdb 端口。

谢谢

于 2013-04-08T09:41:06.737 回答
0

我用来限制对 mongo 的外部访问的规则是:

$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  localhost            anywhere             tcp dpt:27017
ACCEPT     tcp  --  localhost            anywhere             tcp dpt:28017
ACCEPT     tcp  --  111.111.111.111      anywhere             tcp dpt:27017
ACCEPT     tcp  --  222.222.222.222      anywhere             tcp dpt:27017
ACCEPT     tcp  --  111.111.111.111      anywhere             tcp dpt:28017
ACCEPT     tcp  --  222.222.222.222      anywhere             tcp dpt:28017
DROP       tcp  --  anywhere             anywhere             tcp dpt:27017
DROP       tcp  --  anywhere             anywhere             tcp dpt:28017

您可以添加它们

sudo iptables -A INPUT -p tcp -m tcp --dport 27017 -s 127.0.0.1 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 28017 -s 127.0.0.1 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 27017 -s 111.111.111.111 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 27017 -s 222.222.222.222 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 28017 -s 111.111.111.111 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 28017 -s 222.222.222.222 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 27017 -j DROP
sudo iptables -A INPUT -p tcp -m tcp --dport 28017 -j DROP
于 2016-04-26T18:14:02.913 回答