
IPTables Firewall Settings for Couchbase DB and Couchbase Mobile Sync_gateway

By Kirk Kirkconnell of Couchbase

It is all too common for people to just turn off IPTables instead of actually figuring out which ports to open. I have to admit I have done it myself. Well, we need to stop that. IPTables is our friend, really. To that end, here is the body of a script you can use to configure IPTables.

```bash
# Couchbase DB Server Ports
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 4369 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 8091 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 8092 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 11209 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 11210 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 11211 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 11214 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 11215 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 18091 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 18092 -j ACCEPT

iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 21100:21199 -j ACCEPT

# Couchbase sync_gateway ports
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 4984 -j ACCEPT

# If you want to open the sync_gateway service's admin interface to outside traffic:
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 4985 -j ACCEPT
```

```bash
# When you are done adding those, run the following two commands to make sure
# the REJECT is at the end of the chain. Otherwise things will not work. The
# first one deletes it and the second adds it back in. The reason for doing it
# this way is that otherwise we would have to get into line numbers of the
# chain, and that is harder to explain if you are not familiar with IPTables.

iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
```
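The ordering problem that the delete-and-re-add pair fixes can also be checked mechanically. The script below is an added example, not code from the original post or from Couchbase: it reads `iptables -S INPUT` style output and reports any ACCEPT rule that sits after the terminal REJECT, which is exactly the dead-rule situation the comments describe. The two rule listings in it are constructed samples rather than output from a real host, and the function names `reject_is_last` and `shadowed_ports` are my own.

```sh
#!/bin/sh
# Added example, not part of the original post: audit an INPUT chain listing
# for the ordering mistake the post warns about. An ACCEPT rule that sits after
# the terminal REJECT can never match, so the port it was meant to open stays
# closed. Input is `iptables -S INPUT` style output (one "-A INPUT ..." per
# line); the listings below are constructed samples, not output from a real host.

# Constructed sample: the REJECT was left in place and the sync_gateway
# rule was appended after it (the situation the -D / -A pair fixes).
BROKEN_RULES='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8091 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m state --state NEW -m tcp --dport 4984 -j ACCEPT'

# Constructed sample: the same rules after deleting and re-appending the REJECT.
FIXED_RULES='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8091 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 4984 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# Succeeds (exit 0) only when the last rule in the listing is the REJECT.
reject_is_last() {
    last=""
    while IFS= read -r line; do
        case "$line" in
            "-A INPUT "*) last=$line ;;
        esac
    done <<EOF
$1
EOF
    case "$last" in
        *"-j REJECT"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints the --dport of every ACCEPT rule shadowed by an earlier REJECT,
# one per line. Exit 0 when nothing is shadowed, 1 otherwise.
shadowed_ports() {
    seen_reject=0
    dead=0
    while IFS= read -r line; do
        case "$line" in
            "-A INPUT "*"-j REJECT"*) seen_reject=1 ;;
            "-A INPUT "*"--dport "*"-j ACCEPT"*)
                if [ "$seen_reject" -eq 1 ]; then
                    port=${line#*--dport }
                    echo "${port%% *}"
                    dead=$((dead + 1))
                fi ;;
        esac
    done <<EOF
$1
EOF
    [ "$dead" -eq 0 ]
}

# On a live host (as root) you would call: shadowed_ports "$(iptables -S INPUT)"
if shadowed_ports "$BROKEN_RULES" >/dev/null; then
    echo "broken sample: nothing shadowed (unexpected)"
else
    echo "broken sample: shadowed ports: $(shadowed_ports "$BROKEN_RULES" | tr '\n' ' ')"
fi
reject_is_last "$FIXED_RULES" && echo "fixed sample: REJECT is last"
```

Run it on a host with `shadowed_ports "$(iptables -S INPUT)"`; a non-zero exit, or any port printed, means the REJECT needs to be deleted and re-appended as shown above.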

Check that they are all in correctly by running `iptables --list` as root. It should look something like this:

```
# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:epmd
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:jamlink
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:8092
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:11209
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:11210
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:memcache
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:11214
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:11215
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:18091
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:18092
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:webyast
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
```

Just remember to save this config once you have it in place (`service iptables save`). Also, confirm that the REJECT in the INPUT chain is the last rule. Otherwise traffic to any port whose ACCEPT rule is listed below that REJECT will be rejected.

Just remember that this is local server security only! It does NOT take the place of a network firewall or AWS security groups/network ACLs. You really should use both.

If you would like more information on network ports, please see the Couchbase Admin documentation or the Couchbase mobile documentation.

There are no warranties, express or implied, in this blog post for IPTables or these settings. You have to do your own due diligence when it comes to your system's security. So use good sense here, please.