WganMe/Server Ports

## Server Ports
#It is all too common for people to just turn off IPtables instead of actually figuring out what ports to open. I have to admit I have done it myself. Well we need to stop that. IPtables is our friend, really. To that end, here is the body of a script you can use to configure IPtables.
# Couchbase DB Server Ports
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 4369 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 8091 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 8092 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 11209 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 11210 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 11211 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 11214 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 11215 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 18091 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 18092 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 21100:21199 -j ACCEPT


# Couchbase sync_gateway ports
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 4984 -j ACCEPT

# If you want to open the sync_gateway service's admin interface to outside traffic:
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 4985 -j ACCEPT

# When you are done adding those, you want to run the following two commands to make sure the REJECT is
# at the end of the chain. Otherwise things will not work. The first one deletes it and the second adds it back in.
# The reason for this is otherwise we have to get into line numbers of the chain and that is harder to explain
# if you are not familiar with IPTables.

#iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited
#iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited???


#Check to make sure they are all in correctly by running as root `iptables --list`. It should look something like this:

# iptables --list
#Chain INPUT (policy ACCEPT)
#target     prot opt source               destination
#ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
#ACCEPT     icmp --  anywhere             anywhere
#ACCEPT     all  --  anywhere             anywhere
#ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
#ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:epmd
#ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:jamlink
#ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:8092
#ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:11209
#ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:11210
#ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:memcache
#ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:11214
#ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:11215
#ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:18091
#ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:18092
#ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:webyast
#REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

#Chain FORWARD (policy ACCEPT)
#target     prot opt source               destination
#REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

#Chain OUTPUT (policy ACCEPT)
#target     prot opt source               destination

#Just remember to save this config once you have it in place (`service iptables save`). Also, you need to confirm that the REJECT for the INPUT chain is at the end. Otherwise you will reject any traffic to ports listed below that REJECT.

#Just remember that this is local server security only! It does NOT take the place of a network firewall or AWS security groups/network ACLs. You really should use both.

#If you would like more information on network ports, please see the Couchbase Admin documentation or the Couchbase mobile documentation.

#There are no warranties, expressly or implied in this blog post, for IPTables or these settings. You have to do your own due dilligence when it comes to your system's security. So use good sense here, please.
	#It is all too common for people to just turn off IPtables instead of actually figuring out what ports to open. I have to admit I have done it myself. Well we need to stop that. IPtables is our friend, really. To that end, here is the body of a script you can use to configure IPtables.
	# Couchbase DB Server Ports
	iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 4369 -j ACCEPT
	iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 8091 -j ACCEPT
	iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 8092 -j ACCEPT
	iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 11209 -j ACCEPT
	iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 11210 -j ACCEPT
	iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 11211 -j ACCEPT
	iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 11214 -j ACCEPT
	iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 11215 -j ACCEPT
	iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 18091 -j ACCEPT
	iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 18092 -j ACCEPT
	iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 21100:21199 -j ACCEPT


	# Couchbase sync_gateway ports
	iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 4984 -j ACCEPT

	# If you want to open the sync_gateway service's admin interface to outside traffic:
	iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 4985 -j ACCEPT

	# When you are done adding those, you want to run the following two commands to make sure the REJECT is
	# at the end of the chain. Otherwise things will not work. The first one deletes it and the second adds it back in.
	# The reason for this is otherwise we have to get into line numbers of the chain and that is harder to explain
	# if you are not familiar with IPTables.

	#iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited
	#iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited???


	#Check to make sure they are all in correctly by running as root `iptables --list`. It should look something like this:

	# iptables --list
	#Chain INPUT (policy ACCEPT)
	#target prot opt source destination
	#ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
	#ACCEPT icmp -- anywhere anywhere
	#ACCEPT all -- anywhere anywhere
	#ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
	#ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:epmd
	#ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:jamlink
	#ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:8092
	#ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:11209
	#ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:11210
	#ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:memcache
	#ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:11214
	#ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:11215
	#ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:18091
	#ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:18092
	#ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:webyast
	#REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

	#Chain FORWARD (policy ACCEPT)
	#target prot opt source destination
	#REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

	#Chain OUTPUT (policy ACCEPT)
	#target prot opt source destination

	#Just remember to save this config once you have it in place (`service iptables save`). Also, you need to confirm that the REJECT for the INPUT chain is at the end. Otherwise you will reject any traffic to ports listed below that REJECT.

	#Just remember that this is local server security only! It does NOT take the place of a network firewall or AWS security groups/network ACLs. You really should use both.

	#If you would like more information on network ports, please see the Couchbase Admin documentation or the Couchbase mobile documentation.

	#There are no warranties, expressly or implied in this blog post, for IPTables or these settings. You have to do your own due dilligence when it comes to your system's security. So use good sense here, please.