It is all too common for people to just turn off iptables instead of actually figuring out which ports to open. I have to admit I have done it myself. Well, we need to stop that. iptables is our friend, really. To that end, here is the body of a script you can use to configure iptables for Couchbase Server and Sync Gateway.

# Couchbase DB Server Ports
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 4369 -j ACCEPT    # Erlang port mapper (epmd)
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 8091 -j ACCEPT    # web console / REST API
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 8092 -j ACCEPT    # Couchbase API (views, XDCR)
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 11209 -j ACCEPT   # internal bucket port
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 11210 -j ACCEPT   # internal/external bucket port (data)
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 11211 -j ACCEPT   # client proxy (moxi)
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 11214 -j ACCEPT   # incoming SSL proxy
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 11215 -j ACCEPT   # internal outgoing SSL proxy
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 18091 -j ACCEPT   # REST over HTTPS
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 18092 -j ACCEPT   # CAPI over HTTPS

# Node-to-node data exchange (Erlang distribution) uses a port range
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 21100:21199 -j ACCEPT

# Couchbase sync_gateway ports
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 4984 -j ACCEPT    # public REST API

# Only if you really need the sync_gateway admin REST interface reachable from outside the host.
# If you do, add "-s <management CIDR>" to this rule so it is not open to everyone:
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 4985 -j ACCEPT    # admin REST API

# When you are done adding those, run the following two commands to make sure the REJECT is
# at the end of the chain. Otherwise the ACCEPT rules you just appended land below the REJECT
# and are never reached. The first command deletes the REJECT and the second appends it back at
# the end. The alternative is inserting each ACCEPT at a specific position with "iptables -I INPUT <n>",
# but that means working with the chain's line numbers, which is harder to explain if you are not
# familiar with iptables.

iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited


Check that everything went in correctly by running iptables --list as root. It should look something like this:

# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:epmd
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:jamlink
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:8092
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:11209
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:11210
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:memcache
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:11214
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:11215
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:18091
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:18092
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:webyast
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Just remember to save this config once you have it in place (service iptables save on RHEL/CentOS, or iptables-save redirected to the file your distribution loads at boot); otherwise the rules are gone after a reboot. Also confirm that the REJECT in the INPUT chain is at the end. Otherwise iptables will reject all traffic to any port whose ACCEPT rule sits below that REJECT, since the chain is evaluated top to bottom and the first match wins.
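The same rule set again, as an added example that is not code from the original post: instead of appending rules and then shuffling the REJECT, it renders the whole INPUT chain as an iptables-restore table (so the REJECT is last by construction and the load is atomic), restricts each port to a source network with -s, and includes a check that reads iptables -S INPUT output and flags the two mistakes discussed above, a port with no ACCEPT, or ACCEPT rules sitting below the REJECT. The CIDRs, the split into node/client/admin ports, the conntrack match (the current spelling of -m state) and the /etc/sysconfig/iptables save path are assumptions for illustration, not something the post prescribes.

```shell
#!/bin/sh
# Added example, not from the original post. Renders the post's Couchbase port list
# as an iptables-restore table, applies it atomically, and checks a live INPUT chain.
# Assumed for illustration: the CIDRs below, the node/client/admin grouping, the
# conntrack match instead of -m state, and the RHEL/CentOS save path.

CLUSTER_CIDR="${CLUSTER_CIDR:-10.0.0.0/24}"   # assumed: Couchbase nodes and application servers
ADMIN_CIDR="${ADMIN_CIDR:-10.0.0.5/32}"       # assumed: management host for the web console / SG admin API

# Ports from the post. Node-to-node and data ports are reachable from the cluster network;
# the web console (8091/18091) and Sync Gateway admin API (4985) only from the admin host;
# Sync Gateway's public REST port (4984) from wherever your clients live (here: cluster net).
NODE_PORTS="4369 8092 11209 11210 11211 11214 11215 18092 21100:21199"
CLIENT_PORTS="4984"
ADMIN_PORTS="8091 18091 4985"

# accept_rule SRC PORT: one ACCEPT line for new TCP connections from SRC to PORT.
accept_rule() {
    printf '%s\n' "-A INPUT -s $1 -p tcp -m conntrack --ctstate NEW --dport $2 -j ACCEPT"
}

# render_rules: print the filter table. Declaring the chain top to bottom means the
# terminal REJECT is last by construction; no -D/-A shuffle is needed.
render_rules() {
    printf '%s\n' '*filter' \
        ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' \
        '-A INPUT -p icmp -j ACCEPT' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -p tcp -m conntrack --ctstate NEW --dport 22 -j ACCEPT'
    for p in $NODE_PORTS;   do accept_rule "$CLUSTER_CIDR" "$p"; done
    for p in $CLIENT_PORTS; do accept_rule "$CLUSTER_CIDR" "$p"; done
    for p in $ADMIN_PORTS;  do accept_rule "$ADMIN_CIDR"   "$p"; done
    printf '%s\n' \
        '-A INPUT -j REJECT --reject-with icmp-host-prohibited' \
        '-A FORWARD -j REJECT --reject-with icmp-host-prohibited' \
        'COMMIT'
}

# apply_rules: load the table in one atomic step (all rules or none) and persist it.
# /etc/sysconfig/iptables is the RHEL/CentOS location; Debian-style systems differ.
apply_rules() {
    render_rules | iptables-restore && iptables-save > /etc/sysconfig/iptables
}

# check_chain PORT...: read "iptables -S INPUT" on stdin; fail unless the last rule is
# the REJECT and every PORT has an ACCEPT rule above it (the two mistakes the post warns about).
check_chain() {
    awk -v want="$*" '
        /^-A INPUT/ { n++; line[n] = $0 }
        END {
            if (n == 0 || line[n] !~ /-j REJECT/) {
                print "REJECT is not the last rule in INPUT"; exit 1
            }
            rc = 0; m = split(want, ports, " ")
            for (i = 1; i <= m; i++) {
                found = 0
                for (j = 1; j < n; j++)
                    if (line[j] ~ /-j ACCEPT/ && index(line[j], "--dport " ports[i] " ")) found = 1
                if (!found) { print "no ACCEPT above the REJECT for port " ports[i]; rc = 1 }
            }
            exit rc
        }'
}

# Usage (as root): sh couchbase-iptables.sh render | less
#                  sh couchbase-iptables.sh apply
#                  iptables -S INPUT | sh couchbase-iptables.sh check
case "${1:-}" in
    render) render_rules ;;
    apply)  apply_rules ;;
    check)  check_chain $NODE_PORTS $CLIENT_PORTS $ADMIN_PORTS ;;
esac
```

Run render first and read the output. apply loads it with iptables-restore, which replaces the current filter table, so confirm the SSH rule and the admin CIDR are right before running it on a remote host or you will lock yourself out. check exits non-zero with a message naming the problem, which makes it usable from a config-management post-run hook.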

Just remember that this is local server security only! It does NOT take the place of a network firewall or AWS security groups/network ACLs. You really should use both. Note also that every rule above accepts connections from anywhere; on a host with a public interface, add -s <CIDR> to each rule so that only your cluster nodes, application servers and management hosts can reach these ports.

If you would like more information on network ports, please see the Couchbase Admin documentation or the Couchbase mobile documentation.

There are no warranties, express or implied, in this blog post for iptables or these settings. You have to do your own due diligence when it comes to your system's security. So use good sense here, please.

Author

Posted by Kirk Kirkconnell, Senior Solutions Engineer, Couchbase

Kirk Kirkconnell was a Senior Solutions Engineer at Couchbase working with customers in multiple capacities to assist them in architecting, deploying, and managing Couchbase. His expertise is in operations, hosting, and support of large-scale application and database infrastructures.

One Comment

  1. What would the scripts be for Windows Server?
    Thanks
