
MongoDB – Allow remote access

In this tutorial, we will show you how to enable remote access to a MongoDB server. Here is the tested environment:

1. MongoDB Server

  • Private IP – 192.168.161.100
  • Public IP – 45.56.65.100
  • MongoDB 2.6.3, port 27017
  • IpTables Firewall

2. Application Server (Same LAN network)

  • Private IP – 192.168.161.200
  • Public IP – irrelevant

3. Developers at home (Different LAN network, WAN)

  • Public IP – 10.0.0.1

P.S. By default, MongoDB doesn’t allow remote connections.

1. Bind IP


$ vim /etc/mongod.conf

# /etc/mongod.conf

# Listen to local interface only. Comment out to listen on all interfaces.
bind_ip = 127.0.0.1

By default, MongoDB binds to the local interface only, which blocks remote connections. If you don’t care about security, just comment out this line to accept any remote connections (NOT recommended).

1.1 To allow LAN connections from Application Server.
Since both are in the same LAN network, you just need to bind MongoDB to its own private IP interface.


$ vim /etc/mongod.conf

# /etc/mongod.conf

# Listen to local and LAN interfaces.
bind_ip = 127.0.0.1,192.168.161.100
Common Mistake
Don’t put the Application Server IP in the bind_ip option. The bind_ip option tells MongoDB which local network interfaces to accept connections on, not which “remote IP address” may connect.

Default – Connection Fail


AS (192.168.161.200) <-- LAN --> MongoDB(192.168.161.100) <--> bind_ip (127.0.0.1)

Now – Connection Success


AS (192.168.161.200) <-- LAN --> MongoDB(192.168.161.100) <--> bind_ip (192.168.161.100, 127.0.0.1)

1.2 To allow remote access for developers at home.
Developers connect remotely via the MongoDB public IP 45.56.65.100. To allow this, bind the public IP interface as well.


$ vim /etc/mongod.conf

# /etc/mongod.conf

# Listen to local, LAN and Public interfaces.
bind_ip = 127.0.0.1,192.168.161.100,45.56.65.100
Note
For developers at home, it’s recommended to set up a VPN connection instead of opening up the MongoDB public IP, which is exposed to attack.

Restart MongoDB for the change to take effect.


$ sudo service mongod restart
[ ok ] Restarting database: mongod.
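
The check below is an added example, not part of the original tutorial: it reads a mongod.conf, classifies every address on the bind_ip line (or the YAML bindIp key) as loopback, private or public, and fails when MongoDB listens beyond loopback and private ranges. The function names and the temporary sample file are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: report which interfaces a mongod.conf exposes MongoDB on.

# classify_addr ADDR -> loopback | private | all-interfaces | public
classify_addr() {
    case "$1" in
        127.*|localhost|::1)                    echo loopback ;;
        0.0.0.0|::)                             echo all-interfaces ;;
        10.*|192.168.*)                         echo private ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*)  echo private ;;
        *)                                      echo public ;;
    esac
}

# audit_bind FILE -> prints "ADDR KIND" per bound address.
# Returns 1 when the listener is reachable beyond loopback/private ranges.
audit_bind() {
    # Accept the ini style used on this page (bind_ip = ...) and the YAML
    # style (bindIp: ...); commented-out lines do not match.
    list=$(sed -n -E 's/^[[:space:]]*(bind_ip[[:space:]]*=|bindIp[[:space:]]*:)//p' "$1" |
           head -n 1 | tr -d '[:space:]')
    if [ -z "$list" ]; then
        # Per the comment in the page's mongod.conf, no bind_ip line means
        # "listen on all interfaces" for this 2.6 setup.
        echo "(unset) all-interfaces"
        return 1
    fi
    rc=0
    old_ifs=$IFS; IFS=,
    for addr in $list; do
        kind=$(classify_addr "$addr")
        echo "$addr $kind"
        case "$kind" in public|all-interfaces) rc=1 ;; esac
    done
    IFS=$old_ifs
    return $rc
}

# Constructed sample: the section 1.2 configuration from this page.
conf=$(mktemp)
printf '%s\n' '# /etc/mongod.conf' \
    'bind_ip = 127.0.0.1,192.168.161.100,45.56.65.100' > "$conf"
audit_bind "$conf" || echo "WARNING: MongoDB is bound to a non-private interface"
rm -f "$conf"
```
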

2. IpTables Firewall

If you have a firewall, allow connections on port 27017, the MongoDB default port.

2.1 Any host can connect to MongoDB on port 27017


iptables -A INPUT -p tcp --dport 27017 -j ACCEPT

2.2 Only certain IPs can connect to MongoDB on port 27017


iptables -A INPUT -s <ip-address> -p tcp --destination-port 27017 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -d <ip-address> -p tcp --source-port 27017 -m state --state ESTABLISHED -j ACCEPT

iptables -A INPUT -s 192.168.161.200 -p tcp --destination-port 27017 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -d 192.168.161.200 -p tcp --source-port 27017 -m state --state ESTABLISHED -j ACCEPT
Note
Consult this MongoDB firewall documentation

2.3 Here are the firewall rules used on one of my MongoDB servers.

/etc/iptables.firewall.rules

*filter

-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -j ACCEPT

#  Drop incoming connections if an IP makes more than 15 connection attempts to port 80 within 60 seconds.
#  These rules must come before the port 80 ACCEPT rule, because iptables stops at the first matching rule.
-A INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --set
-A INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --update --seconds 60  --hitcount 15 -j DROP

#  Allow HTTP (80, 8080) and MongoDB (27017) connections from anywhere
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp --dport 27017 -j ACCEPT

#-A INPUT -s <ip address> -p tcp --destination-port 27017 -m state --state NEW,ESTABLISHED -j ACCEPT
#-A OUTPUT -d <ip address> -p tcp --source-port 27017 -m state --state ESTABLISHED -j ACCEPT

#  Allow SSH connections
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

#  Allow ping
-A INPUT -p icmp -j ACCEPT

#  Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

#  Drop all other inbound - default deny unless explicitly allowed policy
-A INPUT -j DROP
-A FORWARD -j DROP

COMMIT

Update the iptables rules


sudo vim /etc/iptables.firewall.rules
sudo iptables-restore < /etc/iptables.firewall.rules
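
As an added example (not the author's own tooling), this script scans an iptables-restore file for INPUT rules that accept port 27017 without a source match, which is the difference between sections 2.1 and 2.2. The function name open_mongo_rules and the sample rules are constructed for illustration; it only understands plain --dport / --destination-port matches.

```shell
#!/bin/sh
# Added example: find rules that accept MongoDB traffic from any source
# in an iptables-restore style rules file.

# open_mongo_rules FILE [PORT] -> prints "LINE: RULE" for every INPUT
# ACCEPT rule on PORT that carries no -s/--source match.
# Returns 0 if at least one such rule exists, 1 otherwise.
open_mongo_rules() {
    port=${2:-27017}
    # Commented-out rules are skipped because their first field is not "-A".
    awk -v port="$port" '
        $1 == "-A" && $2 == "INPUT" {
            dport = 0; src = 0; accept = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "--dport" || $i == "--destination-port")
                    if ($(i+1) == port) dport = 1
                if ($i == "-s" || $i == "--source") src = 1
                if ($i == "-j" && $(i+1) == "ACCEPT") accept = 1
            }
            if (dport && accept && !src) { print NR ": " $0; found = 1 }
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Constructed sample: the open rule from section 2.1 next to the
# source-restricted rule from section 2.2.
rules=$(mktemp)
cat > "$rules" <<'EOF'
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 27017 -j ACCEPT
-A INPUT -s 192.168.161.200 -p tcp --destination-port 27017 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
COMMIT
EOF
if open_mongo_rules "$rules"; then
    echo "Port 27017 is open to any source; keep only the -s rule"
fi
rm -f "$rules"
```

Before loading an edited file, `sudo iptables-restore --test < /etc/iptables.firewall.rules` parses the ruleset without committing it.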

References

  1. MongoDB – Configuration File Options
  2. Configure Linux iptables Firewall for MongoDB
  3. Ubuntu : IptablesHowTo
  4. Linode – Securing Your Server

About Author

Founder of Mkyong.com, love Java and open source stuff.

Comments

MariaJose
3 years ago

Hello, it's me

Yuzhen Wang
5 years ago

Alternatively, set net.bindIp to ::,0.0.0.0 to bind to all IP addresses.
Bind all IPs is outdated when I comment on this. Use the above, check this out: https://docs.mongodb.com/manual/reference/configuration-options/#net.bindIp

jeff
6 years ago

mkyoung is the absolute man

recito
11 months ago

I have bound the public IP and it can be accessed from my local machine, but it cannot be accessed from the remote server using Ubuntu 18.0.4. Is there any opinion about this? Been stuck, help.

rajesh Shrimali
2 years ago

The public IP you mentioned in the config file will generate the error; mongo can run on a private port and you provided a public, hence it will not even start.

Shrikar P
2 years ago

Even I’m getting error as the requested address is not valid in its context when I try to bind the public IP address.

yehuda
4 years ago

I tried various things attempting to make it publicly accessible from AWS EC2. I know I have no firewall, but I can't get it working using the IP I use to SSH into it. I've tried starting Meteor with different environment vars like
METEOR_MONGO_BIND_IP=3.209.x.x,127.0.0.1

Neha
4 years ago

“sudo mongod --bind_ip 0.0.0.0” solved the problem for me. Thanks

billa
5 years ago

Commenting the bind_ip didn’t work for me.
But adding the Server IP did. On mongo v4.0.2

Thanks a lot!

marc
7 years ago

If using an SSH tunnel, does the bindip also have to be changed ?

Alastair Gilfillan
7 years ago
Reply to  marc

If you’re using an SSH tunnel then you shouldn’t have to change anything, just connect to localhost or 127.0.0.1

Arthur
8 years ago

Sometimes, the server needs to be rebooted for the change to take effect.

Alexander Yau
7 years ago
Reply to  Arthur

Yes, mongodb must restart.

lapsus63
8 years ago

In the YAML configuration file, bindIp is in the “net” section (without underscore):
net:
  bindIp: 127.0.0.1,192.168.161.100

Be careful not to insert any space around the comma between the IPs, or you’ll get an error.

mkyong
8 years ago
Reply to  lapsus63

Thanks for your input.