9

I want to block access to port 6379 on my server, but I still want to connect to it internally. The redis-server application runs on that port and I want to connect to it only locally (127.0.0.1). How can I do this?

Magellan
Steve Rodrigue

4 Answers

11

To do this, you need to make sure that your IPTables rules are configured properly. Ubuntu generally leaves their servers wide open by default, which is why I still don't recommend their use as servers unless you are quite well aware of how to do this properly already.

I imagine that your iptables -L -nv looks something like this, yes?

# iptables -L -nv
Chain INPUT (policy ACCEPT 4M packets, 9M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 8M packets, 4M bytes)
 pkts bytes target     prot opt in     out     source               destination

It's empty and it's wide open. The Ubuntu IPTables HowTo will probably help quite a bit with this. (https://help.ubuntu.com/community/IptablesHowTo)

I recommend something like this, which allows SSH on any interface and tcp 6379 on any interface but the one you don't want:

*filter
:INPUT DROP [92:16679]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [203:36556]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -p tcp -m tcp --dport 6379 -j ACCEPT
-A INPUT -i lo -p udp -m udp --dport 6379 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
COMMIT

You would then save this file in /etc/iptables.rules.

Obviously, any other ports that you specifically want open should be added.

Note: I've added the specific 6379 lines for clarity. The bottom ACCEPT right before the COMMIT would actually allow this because all loopback connections must be allowed on a Linux system for proper operation.

You will also want to put the rules in your /etc/network/interfaces file, to ensure that they are added when the interface comes up and not later in the boot process. Adding something like this is recommended:

auto eth0
iface eth0 inet dhcp
  pre-up iptables-restore < /etc/iptables.rules

Edit: To load this configuration initially, you need to run the iptables-restore command referenced above:

iptables-restore < /etc/iptables.rules
Magellan
  • I assume this would open the port 6379 to the whole web right? What should I do to make this open only for 127.0.0.1? – Steve Rodrigue Apr 21 '12 at 16:30
  • No, because the default rule is to DROP. If it doesn't have an explicit ACCEPT rule, it's blocked by the default DROP next to :INPUT at the top. – Magellan Apr 21 '12 at 16:31
  • Personally, I think the default ACCEPT rule is just criminal in a "server" deployment. But it's not surprising since Ubuntu is first and foremost a desktop distribution. – Magellan Apr 21 '12 at 16:32
  • Ok, I just did exactly what you requested, but it seems like I can still connect to port 6379 from the outside. Should I reboot the server or something? – Steve Rodrigue Apr 21 '12 at 16:37
  • *facepalm* I guess I left that part out, give me a moment to update. – Magellan Apr 21 '12 at 16:38
  • Ok, keep in mind that this isn't a turnkey solution. If you're running other services on this box such as SSH or the Gnome GUI, you'll need to deal with that as well. – Magellan Apr 21 '12 at 16:40
  • As soon as I can vote up (don't have enough reputation yet), be assured that I will vote you up... greatly appreciated! – Steve Rodrigue Apr 21 '12 at 16:46
  • All things in due time. The best part about ServerFault is that these answers can also help people searching for similar problems on Google. – Magellan Apr 21 '12 at 16:48
  • Typically you would edit /etc/iptables.rules by using iptables-save after configuring your firewall on the command line, and have iptables-save and iptables-restore in your init scripts. This has the advantage of preserving the counters. – Falcon Momot Oct 16 '12 at 05:22
  • Yes, but I don't really care much about the counters and this works for me. Feel free to edit the answer to fit a more rigorous process. – Magellan Oct 16 '12 at 16:18
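The workflow in Magellan's answer (write a rules file, load it with iptables-restore, hook it into the interface definition), as an added example that is not part of the answer: a POSIX shell script that generates the rules file with port 6379 reachable only over loopback, sanity-checks it before it touches the live firewall, and then loads it. It matches the non-loopback side with `! -i lo` instead of a hard-coded eth0, which is the concern raised in the comments under Kedare's answer. The function names, the port numbers and the /etc/iptables.rules path are my placeholders; `iptables-restore --test` is only available in iptables 1.4.21 and later.

```shell
#!/bin/sh
# Added example, not code from the original answer. Generates an
# iptables-restore file that lets a service port be reached only over
# loopback, checks it statically, then parses and commits it.
# PORT, SSH_PORT and the rules-file path are placeholders to adapt.

# gen_rules PORT [SSH_PORT]: print a complete *filter ruleset on stdout.
# The INPUT policy DROP is what actually blocks outside access; the
# explicit "! -i lo" DROP line only makes blocked attempts visible in
# the packet counters of "iptables -L -nv".
gen_rules() {
    port="$1"
    ssh="${2:-22}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport ${ssh} -j ACCEPT
-A INPUT ! -i lo -p tcp -m tcp --dport ${port} -j DROP
COMMIT
EOF
}

# rules_ok FILE PORT: static checks a practitioner wants before loading:
# the table is complete, INPUT defaults to DROP, loopback is allowed, and
# no ACCEPT opens the service port on anything other than "-i lo".
rules_ok() {
    f="$1"
    port="$2"
    grep -q '^\*filter$' "$f" || return 1
    grep -q '^COMMIT$' "$f" || return 1
    grep -q '^:INPUT DROP' "$f" || return 1
    grep -q -- '^-A INPUT -i lo -j ACCEPT' "$f" || return 1
    # An ACCEPT for the port that is not pinned to the loopback
    # interface would expose it to every interface.
    if grep -- "--dport ${port} -j ACCEPT" "$f" | grep -qv -- '-i lo'; then
        return 1
    fi
    return 0
}

# load_rules FILE: let iptables-restore parse the file first (--test),
# and only commit it if that succeeds. Needs root.
load_rules() {
    if ! command -v iptables-restore >/dev/null 2>&1; then
        echo "iptables-restore not found" >&2
        return 1
    fi
    iptables-restore --test < "$1" || return 1
    iptables-restore < "$1"
}

# Usage as root (placeholder path, same one the answer uses):
#   gen_rules 6379 22 > /etc/iptables.rules
#   rules_ok /etc/iptables.rules 6379 && load_rules /etc/iptables.rules
# then reference the file from a pre-up line in /etc/network/interfaces
# so it is restored before the interface carries traffic.
```

Running rules_ok before load_rules is the point of the script: a typo that turns a loopback-only ACCEPT into a global one is caught on the file, not discovered after the port is already exposed.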
3

Well, I would suggest using the "uncomplicated firewall" (ufw), which is also recommended by Canonical. Reading and writing iptables is too complicated for just occasional port locking tasks.

See here: https://wiki.ubuntu.com/UncomplicatedFirewall

mojovski
  • Older versions of UFW did not have the ability to apply rules to selected ports, it was all or nothing. And professional sysadmins should get in the habit of understanding what their iptables settings do and how the chains work. – Magellan Oct 16 '12 at 16:20
2

Something like

iptables -A INPUT -s 0.0.0.0  -i eth0 --protocol tcp --dport 6379 -j DROP

Should work.

Kedare
  • This gives me this error: iptables v1.4.4: unknown option `--dport' – Steve Rodrigue Apr 21 '12 at 15:58
  • Can you retry with the new command? I added the --protocol and -i part (adapt to your interface), it should now work. – Kedare Apr 21 '12 at 16:03
  • The problem I have with this suggestion is that it doesn't save across reboots unless other required commands are run and it assumes that there's only 1 non-loopback interface. – Magellan Apr 21 '12 at 16:12
  • I'd recommend using the negation operator: -i ! lo – Magellan Apr 21 '12 at 16:12
  • Adrian: you mean that if I reboot the server, that modification would no longer be active? – Steve Rodrigue Apr 21 '12 at 16:33
  • Correct. You would have to add it to one of the startup scripts. That's why I also recommend using the interfaces file over in my answer since there's almost no gap where the ports are unblocked. – Magellan Apr 21 '12 at 16:47
  • `-s 0.0.0.0` didn't work for me, omitting it did. – Robin Clowers Dec 31 '15 at 22:50
  • Why do we assume the name of interface (eth0) as a given? What if it's different or there are several of them? – Gherman Apr 24 '20 at 10:22
0

For newer versions of Redis you can use bind 127.0.0.1 in redis.conf to do this directly without additional iptables configuration.

See this article.

itaintme
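The bind directive mentioned in the last answer, as an added example that is not part of the answer: a POSIX shell check that reads a redis.conf and reports which addresses the server will listen on, treating a missing bind line as "every interface" (that is Redis' behaviour without one, and exactly the exposure the question is about). The function names are mine, the sample config lines are constructed, and the handling of the `-` prefix on an address (Redis 6.2 and later use it to mark an address as optional) is an assumption about the config syntax.

```shell
#!/bin/sh
# Added example, not from the original answer: inspect a redis.conf and
# decide whether Redis is restricted to loopback addresses.

# redis_bind_addrs FILE: print the addresses of the last active "bind"
# line, or 0.0.0.0 when there is none (no bind line = all interfaces).
# Commented-out lines ("# bind ...") are ignored; a later bind line
# replaces an earlier one, which is the assumption made here about
# how Redis resolves duplicates.
redis_bind_addrs() {
    addrs=$(awk 'tolower($1) == "bind" {
                     line = ""
                     for (i = 2; i <= NF; i++) {
                         a = $i
                         sub(/^-/, "", a)   # assumption: "-addr" means optional address
                         line = (line == "" ? a : line " " a)
                     }
                 }
                 END { print line }' "$1")
    if [ -n "$addrs" ]; then
        printf '%s\n' "$addrs"
    else
        printf '0.0.0.0\n'
    fi
}

# redis_loopback_only FILE: succeed only if every bound address is a
# loopback address (127.0.0.0/8 or ::1).
redis_loopback_only() {
    for a in $(redis_bind_addrs "$1"); do
        case "$a" in
            127.*|::1) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Usage: redis_loopback_only /etc/redis/redis.conf && echo "loopback only"
```

The check complements a firewall rule rather than replacing it: if the process later gets a config with `bind 0.0.0.0`, or the bind line is commented out during debugging, the iptables policy DROP from the accepted answer still keeps the port closed to the outside.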