MongoDB: Allow remote access
In this tutorial, we will show you how to enable remote access to a MongoDB server. Here is the tested environment:
1. MongoDB Server
- Private IP – 192.168.161.100
- Public IP – 45.56.65.100
- MongoDB 2.6.3, port 27017
- IpTables Firewall
2. Application Server (Same LAN network)
- Private IP – 192.168.161.200
- Public IP – irrelevant
3. Developers at home (Different LAN network, WAN)
- Public IP – 10.0.0.1
P.S. By default, MongoDB doesn't allow remote connections.
1. Bind IP
$ vim /etc/mongod.conf

# /etc/mongod.conf
# Listen to local interface only. Comment out to listen on all interfaces.
bind_ip = 127.0.0.1
By default, MongoDB binds to the local (loopback) interface only, which blocks all remote connections. If you don't care about security, you can comment the line out to accept connections on every interface (NOT recommended).
1.1 To allow LAN connections from the Application Server.
Since both servers are in the same LAN, you only need to bind MongoDB to its own private IP interface as well.
$ vim /etc/mongod.conf

# /etc/mongod.conf
# Listen to local and LAN interfaces.
bind_ip = 127.0.0.1,192.168.161.100
Don't put the Application Server IP in the bind_ip option. bind_ip tells MongoDB which of its own local network interfaces to listen on, not which "remote IP addresses" are allowed to connect; filtering by remote address is the firewall's job (see section 2).
Default – Connection Fail
AS (192.168.161.200) <-- LAN --> MongoDB(192.168.161.100) <--> bind_ip (127.0.0.1)
Now – Connection Success
AS (192.168.161.200) <-- LAN --> MongoDB(192.168.161.100) <--> bind_ip (192.168.161.100, 127.0.0.1)
1.2 To allow remote access for developers at home.
Developers will connect remotely via the MongoDB public IP 45.56.65.100. To allow this, bind the public IP interface as well.
$ vim /etc/mongod.conf

# /etc/mongod.conf
# Listen to local, LAN and Public interfaces.
bind_ip = 127.0.0.1,192.168.161.100,45.56.65.100
For developers at home, it's recommended to set up a VPN connection instead of opening up MongoDB on its public IP; a database listening on a public interface is exposed to attack from anyone on the Internet.
Restart MongoDB for the change to take effect.
$ sudo service mongod restart
[ ok ] Restarting database: mongod.
2. IpTables Firewall
If you have a firewall, allow connections on port 27017, the MongoDB default port.
2.1 Any connections can connect to MongoDB on port 27017
iptables -A INPUT -p tcp --dport 27017 -j ACCEPT
2.2 Only certain IPs can connect to MongoDB on port 27017
Replace <ip-address> with the address of each trusted client; the second pair below allows the Application Server (192.168.161.200) from the tested environment.
iptables -A INPUT -s <ip-address> -p tcp --destination-port 27017 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -d <ip-address> -p tcp --source-port 27017 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -s 192.168.161.200 -p tcp --destination-port 27017 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -d 192.168.161.200 -p tcp --source-port 27017 -m state --state ESTABLISHED -j ACCEPT
Consult the MongoDB firewall documentation (see References).
2.3 Here are the firewall rules used on one of my MongoDB servers.
*filter

-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -j ACCEPT

# Allow HTTP and HTTPS connections from anywhere
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 8080 -j ACCEPT

-A INPUT -p tcp --dport 27017 -j ACCEPT
#-A INPUT -s <ip address> -p tcp --destination-port 27017 -m state --state NEW,ESTABLISHED -j ACCEPT
#-A OUTPUT -d <ip address> -p tcp --source-port 27017 -m state --state ESTABLISHED -j ACCEPT

# Allow SSH connections
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

# Allow ping
-A INPUT -p icmp -j ACCEPT

# Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

# Drop incoming connections if IP make more than 15 connection attempts to port 80 within 60 seconds
-A INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --set
-A INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 15 -j DROP

# Drop all other inbound - default deny unless explicitly allowed policy
-A INPUT -j DROP
-A FORWARD -j DROP

COMMIT
Update the iptables rules
sudo vim /etc/iptables.firewall.rules
sudo iptables-restore < /etc/iptables.firewall.rules
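The two settings above (bind_ip in section 1, the per-source iptables allow-list in section 2.2) are the whole control surface, so they are worth checking by script before a restart. The following is an added example, not code from the tutorial: it reads the legacy `bind_ip = ...` line from a mongod.conf and reports whether it names only loopback/private addresses, and it generates the section 2.2 rule pair for any number of trusted clients, ending with a port-specific DROP (my addition) so that unlisted sources are rejected even before the final catch-all. Addresses used are the tutorial's own; the private-range classification is a simple RFC 1918 prefix match, an assumption of this example.

```shell
#!/bin/sh
# Added example (not part of the original tutorial).
# Assumes the legacy ini-style mongod.conf shown on the page (bind_ip = a,b,c).

MONGO_PORT=27017

# Emit the section 2.2 INPUT/OUTPUT rule pair for one trusted source address.
allow_rules_for() {
    src="$1"
    printf 'iptables -A INPUT -s %s -p tcp --destination-port %s -m state --state NEW,ESTABLISHED -j ACCEPT\n' "$src" "$MONGO_PORT"
    printf 'iptables -A OUTPUT -d %s -p tcp --source-port %s -m state --state ESTABLISHED -j ACCEPT\n' "$src" "$MONGO_PORT"
}

# Emit the rule pair for every source given as an argument, then a DROP for
# the MongoDB port so any source not listed is rejected (this DROP is an
# addition of the example, not a rule from the tutorial).
allow_rules() {
    for src in "$@"; do
        allow_rules_for "$src"
    done
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$MONGO_PORT"
}

# Print the comma-separated address list of the active (uncommented) bind_ip
# line in the given mongod.conf; prints nothing if the option is commented out.
bind_ip_of() {
    sed -n 's/^[[:space:]]*bind_ip[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1 | tr -d '[:space:]'
}

# Succeed (return 0) only when bind_ip is set and every address is loopback or
# RFC 1918 private. An unset bind_ip means "listen on all interfaces", so it
# fails the check just like a public address such as 45.56.65.100 would.
bind_ip_is_private() {
    list=$(bind_ip_of "$1")
    [ -n "$list" ] || return 1
    for ip in $(printf '%s' "$list" | tr ',' ' '); do
        case "$ip" in
            127.*|10.*|192.168.*) ;;
            172.1[6-9].*|172.2[0-9].*|172.3[01].*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}
```

Usage: `bind_ip_is_private /etc/mongod.conf || echo "WARNING: MongoDB listens on a public interface"` and `allow_rules 192.168.161.200 | sh` to apply the allow-list for the Application Server.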
References
- MongoDB - Configuration File Options
- Configure Linux iptables Firewall for MongoDB
- Ubuntu : IptablesHowTo
- Linode - Securing Your Server
From: 一号门