Update documentation to block access to couchdb
I tried the instructions from https://leap.se/en/docs/platform/services/couchdb#migrating-from-bigcouch-to-plain-couchdb to block access to couchdb before running a backup script. It doesn't work. I can still access couchdb. I'm using a single-node mx server.
root@dev1:/var/lib# iptables -A INPUT -p tcp --dport 5984 --jump REJECT
root@dev1:/var/lib# curl localhost:5984
curl: (7) Failed to connect to localhost port 5984: Connection refused
root@dev1:/var/lib# systemctl start couchdb
root@dev1:/var/lib# curl localhost:5984
{"couchdb":"Welcome","uuid":"f4783637c7e511a6555b608a27e64a2f","version":"1.6.0","vendor":{"version":"1.6.0","name":"The Apache Software Foundation"}}

root@dev1:~# iptables -nL
Chain INPUT (policy DROP)
target     prot opt source               destination
net2fw     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
Drop       all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:5984 reject-with icmp-port-unreachable

Chain FORWARD (policy DROP)
target     prot opt source               destination
Drop       all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP)
target     prot opt source               destination
fw2net     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain Broadcast (1 references)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
DROP       all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type MULTICAST
DROP       all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type ANYCAST

Chain Drop (3 references)
target     prot opt source               destination
           all  --  0.0.0.0/0            0.0.0.0/0
Broadcast  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 3 code 4 /* Needed ICMP types */
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 11 /* Needed ICMP types */
DROP       all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID
DROP       udp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 135,445 /* SMB */
DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:137:139 /* SMB */
DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:137 dpts:1024:65535 /* SMB */
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 135,139,445 /* SMB */
DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:1900 /* UPnP */
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:!0x17/0x02
DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:53 /* Late DNS Replies */

Chain blacklst (1 references)
target     prot opt source               destination

Chain dynamic (1 references)
target     prot opt source               destination

Chain fw2net (1 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 8 /* Ping */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:25 /* SMTP */
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain logdrop (0 references)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain logflags (5 references)
target     prot opt source               destination
LOG        all  --  0.0.0.0/0            0.0.0.0/0            LOG flags 4 level 6 prefix "Shorewall:logflags:DROP:"
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain logreject (0 references)
target     prot opt source               destination
reject     all  --  0.0.0.0/0            0.0.0.0/0

Chain net2fw (1 references)
target     prot opt source               destination
blacklst   all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW,UNTRACKED
dynamic    all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW,UNTRACKED
smurfs     all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW,UNTRACKED
tcpflags   tcp  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 8 /* Ping */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 /* HTTP */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443 /* HTTPS */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 25,465,587 /* leap_mx */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:6425 /* nickserver */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8080 /* pixelated_user_agent */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:2323 /* leap_soledad */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 /* leap_sshd */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:15984 /* stunnel_server_couch_server */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:4430 /* leap_webapp_api */
Drop       all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain reject (1 references)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match src-type BROADCAST
DROP       all  --  224.0.0.0/4          0.0.0.0/0
DROP       2    --  0.0.0.0/0            0.0.0.0/0
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            reject-with tcp-reset
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     icmp --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-unreachable
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain shorewall (0 references)
target     prot opt source               destination
           all  --  0.0.0.0/0            0.0.0.0/0            recent: SET name: %CURRENTTIME side: source mask: 255.255.255.255

Chain smurflog (2 references)
target     prot opt source               destination
LOG        all  --  0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix "Shorewall:smurfs:DROP:"
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain smurfs (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0              0.0.0.0/0
smurflog   all  --  0.0.0.0/0            0.0.0.0/0            [goto]  ADDRTYPE match src-type BROADCAST
smurflog   all  --  224.0.0.0/4          0.0.0.0/0            [goto]

Chain tcpflags (1 references)
target     prot opt source               destination
logflags   tcp  --  0.0.0.0/0            0.0.0.0/0            [goto]  tcp flags:0x3F/0x29
logflags   tcp  --  0.0.0.0/0            0.0.0.0/0            [goto]  tcp flags:0x3F/0x00
logflags   tcp  --  0.0.0.0/0            0.0.0.0/0            [goto]  tcp flags:0x06/0x06
logflags   tcp  --  0.0.0.0/0            0.0.0.0/0            [goto]  tcp flags:0x03/0x03
logflags   tcp  --  0.0.0.0/0            0.0.0.0/0            [goto]  tcp spt:0 flags:0x17/0x02
(from redmine: created on 2016-08-17)
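Two things are visible in the listing above. The first "Connection refused" comes before `systemctl start couchdb`, so it shows couchdb not running, not the rule working. And the appended REJECT is the last rule of INPUT, behind a catch-all `ACCEPT all`: iptables walks a chain top-down and stops at the first terminating target, so a rule added with `-A` is only reached by packets that nothing earlier accepted. Inserting it at the head (`iptables -I INPUT 1 ...`) puts it before the ACCEPT; a rule inserted by hand is discarded again when Shorewall is restarted or reloaded, since that rebuilds the chains. The script below is an added example, not part of the report or of the LEAP documentation: it takes a chain in `iptables -S INPUT` syntax and decides whether the 5984 REJECT can ever fire. The sample rulesets are constructed from the listing; `iptables -nL` does not print interfaces, so the unconditional ACCEPT is assumed here to be Shorewall's loopback rule (`-i lo`).

```shell
#!/bin/sh
# Added example (not from the report or the LEAP docs): decide from
# `iptables -S INPUT` output whether a REJECT for tcp/5984 can ever fire.
# iptables evaluates a chain top-down and stops at the first terminating
# target, so a REJECT appended with -A behind a catch-all ACCEPT is dead.

# Constructed sample in `iptables -S` syntax, modelled on the report's
# INPUT chain after `iptables -A INPUT -p tcp --dport 5984 -j REJECT`.
# ASSUMPTION: the unconditional ACCEPT is Shorewall's loopback rule (-i lo);
# `iptables -nL` hides the interface, `iptables -nvL` would show it.
APPENDED='-P INPUT DROP
-A INPUT -j net2fw
-A INPUT -i lo -j ACCEPT
-A INPUT -j Drop
-A INPUT -j DROP
-A INPUT -p tcp -m tcp --dport 5984 -j REJECT --reject-with icmp-port-unreachable'

# The same chain after
#   iptables -I INPUT 1 -p tcp --dport 5984 -j REJECT
# i.e. the rule inserted at the head instead of appended at the tail.
INSERTED='-P INPUT DROP
-A INPUT -p tcp -m tcp --dport 5984 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j net2fw
-A INPUT -i lo -j ACCEPT
-A INPUT -j Drop
-A INPUT -j DROP'

# first_match RULES PATTERN
# Prints the 1-based position, among the "-A INPUT" rules of RULES, of the
# first rule matching the extended regex PATTERN, or 0 if none matches.
first_match() {
    pos=$(printf '%s\n' "$1" | grep '^-A INPUT' | grep -nE -- "$2" \
          | head -n 1 | cut -d: -f1)
    printf '%s\n' "${pos:-0}"
}

# block_is_effective RULES
# Succeeds (exit 0) only if the tcp/5984 REJECT exists and precedes every
# rule that can accept the packet first: a plain ACCEPT, or a jump into
# net2fw, whose own ACCEPT rules (RELATED,ESTABLISHED, dpt:22, ...) also
# end the walk. Whatever accepts first wins; later rules are never seen.
block_is_effective() {
    rej=$(first_match "$1" '--dport 5984 -j REJECT')
    [ "$rej" -ne 0 ] || return 1
    acc=$(first_match "$1" '-j (ACCEPT|net2fw)')
    [ "$acc" -eq 0 ] || [ "$rej" -lt "$acc" ]
}

# report NAME RULES: one summary line per ruleset, for running by hand.
report() {
    rej=$(first_match "$2" '--dport 5984 -j REJECT')
    acc=$(first_match "$2" '-j (ACCEPT|net2fw)')
    if block_is_effective "$2"; then
        echo "$1: tcp/5984 is blocked (REJECT at $rej, first ACCEPT/net2fw at $acc)"
    else
        echo "$1: tcp/5984 is NOT blocked (REJECT at $rej, first ACCEPT/net2fw at $acc)"
    fi
}

report appended "$APPENDED"
report inserted "$INSERTED"
```

On the host itself (as root), `block_is_effective "$(iptables -S INPUT)"` runs the same check against the live chain; `iptables -S` prints rules in the syntax the sample uses, which `iptables -nL` does not. Any match that can ACCEPT before the REJECT counts, including the `ctstate RELATED,ESTABLISHED` rule in net2fw, which is why a connection opened before the rule was added keeps working even once the rule is in the right place.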