iptables Firewall for MongoDB

On contemporary Linux systems, the iptables program provides methods for managing the Linux Kernel's netfilter or network packet filtering capabilities. These firewall rules make it possible for administrators to control what hosts can connect to the system, and limit risk exposure by limiting the hosts that can connect to a system.

This document outlines basic firewall configurations for iptables firewalls on Linux. Use these approaches as a starting point for your larger networking organization. For a detailed overview of security practices and risk management for MongoDB, see Security.

Rules in iptables configurations fall into chains, which describe the process for filtering and processing specific streams of traffic. Chains have an order, and packets must pass through earlier rules in a chain to reach later rules. This document addresses only the following two chains:
- INPUT
- OUTPUT

Given the default ports of all MongoDB processes, you must configure networking rules that permit only required communication between your application and the appropriate mongod and mongos instances.

Be aware that, by default, the default policy of iptables is to allow all connections and traffic unless explicitly disabled. The configuration changes outlined in this document will create rules that explicitly allow traffic from specific addresses and on specific ports, using a default policy that drops all traffic that is not explicitly allowed. When you have properly configured your iptables rules to allow only the traffic that you want to permit, you can Change Default Policy to DROP.

This section contains a number of patterns and examples for configuring iptables for use with MongoDB deployments. If you have configured different ports using the port configuration setting, you will need to modify the rules accordingly.
Traffic to and from mongod Instances

This pattern is applicable to all mongod instances running as standalone instances or as part of a replica set.

The goal of this pattern is to explicitly allow traffic to the mongod instance from the application server. In the following examples, replace <ip-address> with the IP address of the application server:
iptables -A INPUT -s <ip-address> -p tcp --destination-port 27017 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -d <ip-address> -p tcp --source-port 27017 -m state --state ESTABLISHED -j ACCEPT
The first rule allows all incoming traffic from <ip-address> on port 27017, which allows the application server to connect to the mongod instance. The second rule allows outgoing traffic from the mongod to reach the application server.

If you have only one application server, you can replace <ip-address> with the IP address itself, such as 198.51.100.55. You can also express this using CIDR notation as 198.51.100.55/32. If you want to permit a larger block of possible IP addresses, you can allow traffic from a /24 using one of the following specifications for the <ip-address>:

10.10.10.10/24
10.10.10.10/255.255.255.0
Traffic to and from mongos Instances

mongos instances provide query routing for sharded clusters. Clients connect to mongos instances, which behave from the client's perspective as mongod instances. In turn, the mongos connects to all mongod instances that are components of the sharded cluster.

Use the same iptables command to allow traffic to and from these instances as you would from the mongod instances that are members of the replica set. Take the configuration outlined in the Traffic to and from mongod Instances section as an example.

Config servers host the config database that stores metadata for sharded clusters. Config servers listen for connections on port 27019. As a result, add the following iptables rules to the config server to allow incoming and outgoing connections on port 27019, for connection to the other config servers.
iptables -A INPUT -s <ip-address> -p tcp --destination-port 27019 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -d <ip-address> -p tcp --source-port 27019 -m state --state ESTABLISHED -j ACCEPT
Replace <ip-address> with the address or address space of all the mongod that provide config servers.

Additionally, config servers need to allow incoming connections from all of the mongos instances in the cluster and all mongod instances in the cluster. Add rules that resemble the following:
iptables -A INPUT -s <ip-address> -p tcp --destination-port 27019 -m state --state NEW,ESTABLISHED -j ACCEPT
Replace <ip-address> with the address of the mongos instances and the shard mongod instances.

Shard servers default to port number 27018. You must configure the following iptables rules to allow traffic to and from each shard:
iptables -A INPUT -s <ip-address> -p tcp --destination-port 27018 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -d <ip-address> -p tcp --source-port 27018 -m state --state ESTABLISHED -j ACCEPT
Replace the <ip-address> specification with the IP address of all mongod. This allows you to permit incoming and outgoing traffic between all shards including constituent replica set members, to:

- mongod instances in the shard's replica sets.
- mongod instances in other shards. [1]

Furthermore, shards need to be able to make outgoing connections to:

- mongod instances in the config servers.

Create a rule that resembles the following, and replace the <ip-address> with the address of the config servers and the mongos instances:
iptables -A OUTPUT -d <ip-address> -p tcp --source-port 27018 -m state --state ESTABLISHED -j ACCEPT
[1] The mongostat diagnostic tool, when running with --discover, needs to be able to reach all components of a cluster, including the config servers, the shard servers, and the mongos instances.

Changed in version 3.6.
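The mongod, config server and shard patterns above differ only in the port and in which peers are named. The following script is an added example, not part of the MongoDB manual: it prints the INPUT/OUTPUT rule pair from this page for a chosen role and list of peers, after checking that each <ip-address> is a well-formed address, address/prefix-length or address/netmask (the three forms the page uses), so a typo is rejected before anything reaches iptables. The role names mongod, mongos, shard and config and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the MongoDB manual: print the INPUT/OUTPUT
# rule pair from this page for one MongoDB role and a list of peers,
# after validating each address. Nothing is applied; review the output
# (or pipe it to sh) once it looks right.

# Listening port per role: mongod and mongos 27017, shard 27018, config 27019.
role_port() {
    case "$1" in
        mongod|mongos) echo 27017 ;;
        shard)         echo 27018 ;;
        config)        echo 27019 ;;
        *) echo "unknown role: $1" >&2; return 1 ;;
    esac
}

# valid_ipv4 A.B.C.D: four decimal octets, each 0-255.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(echo "$1" | tr . ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

# valid_addr ADDR: a bare address, ADDR/prefix-length (0-32) or ADDR/netmask,
# the three forms this page accepts for <ip-address>.
valid_addr() {
    case "$1" in
        */*/*) return 1 ;;
        */*)   valid_ipv4 "${1%%/*}" || return 1
               mask=${1#*/}
               case "$mask" in
                   *.*) valid_ipv4 "$mask" ;;
                   *)   echo "$mask" | grep -Eq '^[0-9]{1,2}$' && [ "$mask" -le 32 ] ;;
               esac ;;
        *)     valid_ipv4 "$1" ;;
    esac
}

# mongo_rules ROLE PEER...: emit one rule pair per peer, exactly as on this page.
mongo_rules() {
    role=$1; shift
    port=$(role_port "$role") || return 1
    for peer in "$@"; do
        valid_addr "$peer" || { echo "rejecting malformed address: $peer" >&2; return 1; }
        echo "iptables -A INPUT -s $peer -p tcp --destination-port $port -m state --state NEW,ESTABLISHED -j ACCEPT"
        echo "iptables -A OUTPUT -d $peer -p tcp --source-port $port -m state --state ESTABLISHED -j ACCEPT"
    done
}
```

For example, `mongo_rules config 10.10.10.10/24 10.10.10.11` prints the four commands for a config server that accepts two peers, and `mongo_rules mongod 300.1.1.1` prints nothing and fails.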
Change Default Policy to DROP

The default policy for iptables chains is to allow all traffic. After completing all iptables configuration changes, you must change the default policy to DROP so that all traffic that isn't explicitly allowed as above will not be able to reach components of the MongoDB deployment. Issue the following commands to change this policy:

iptables -P INPUT DROP
iptables -P OUTPUT DROP
Manage and Maintain iptables Configuration

This section contains a number of basic operations for managing and using iptables. There are various front end tools that automate some aspects of iptables configuration, but at the core all iptables front ends provide the same basic functionality:

Make all iptables Rules Persistent

By default all iptables rules are only stored in memory. When your system restarts, your firewall rules will revert to their defaults. When you have tested a rule set and have guaranteed that it effectively controls traffic, you can use the following operations to make the rule set persistent.

On Red Hat Enterprise Linux, Fedora Linux, and related distributions you can issue the following command:
service iptables save
On Debian, Ubuntu, and related distributions, you can use the following command to dump the iptables rules to the /etc/iptables.conf file:
iptables-save > /etc/iptables.conf
Run the following operation to restore the network rules:
iptables-restore < /etc/iptables.conf
Place this command in your rc.local file, or in the /etc/network/if-up.d/iptables file with other similar operations.

List all iptables Rules

To list all currently applied iptables rules, use the following operation at the system shell.
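The file that iptables-save writes and iptables-restore reads can also be authored directly, which is the natural place to combine the rules from this page with the DROP policies from Change Default Policy to DROP. The following is an added example, not part of the MongoDB manual: write_ruleset produces such a file for a standalone mongod reached by one application server, and ruleset_ok checks a saved file before it is restored at boot. The loopback accept rules are an addition this page does not include, and both function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the MongoDB manual: write the persistent
# ruleset directly in the format that iptables-save emits and
# iptables-restore reads, then sanity-check a saved file before it is
# restored at boot.

# write_ruleset FILE APP_SERVER_ADDRESS
# Filter table for a standalone mongod reached by one application server:
# DROP policy on INPUT and OUTPUT (see "Change Default Policy to DROP"),
# the mongod rule pair from this page, and, as an addition this page does
# not include, unrestricted loopback traffic so local clients keep working.
# The [0:0] fields are packet and byte counters and are reset on restore.
write_ruleset() {
    cat > "$1" <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -s $2 -p tcp --destination-port 27017 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -d $2 -p tcp --source-port 27017 -m state --state ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# ruleset_ok FILE: succeed only if FILE is a complete filter table whose
# INPUT and OUTPUT policies are DROP and which still admits port 27017,
# so a truncated or accidentally permissive file is caught before restore.
ruleset_ok() {
    f=$1
    [ "$(head -n 1 "$f")" = "*filter" ] || { echo "$f: does not start with *filter" >&2; return 1; }
    [ "$(tail -n 1 "$f")" = "COMMIT" ] || { echo "$f: missing COMMIT" >&2; return 1; }
    grep -q '^:INPUT DROP' "$f" || { echo "$f: INPUT policy is not DROP" >&2; return 1; }
    grep -q '^:OUTPUT DROP' "$f" || { echo "$f: OUTPUT policy is not DROP" >&2; return 1; }
    grep -q -- '--destination-port 27017' "$f" || { echo "$f: no rule admits port 27017" >&2; return 1; }
}
```

Loading the file with iptables-restore replaces the whole filter table in one commit, so the DROP policies and the ACCEPT rules take effect together rather than leaving an interval in which the policy is DROP and no rule admits the application server.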
iptables -L
Flush all iptables Rules

If you make a configuration mistake when entering iptables rules or simply need to revert to the default rule set, you can use the following operation at the system shell to flush all rules:
iptables -F
If you've already made your iptables rules persistent, you will need to repeat the appropriate procedure in the Make all iptables Rules Persistent section.