Do NOT Make Database Ports PUBLIC!
Learn what a public port is and why it's a bad idea to make database ports public. We will go over how to block database ports and whitelist IP addresses using firewalls and iptables in a Linux terminal.
Table of Contents 📖
- Public Ports
- Public Ports and Security
- Firewalls and iptables
- Blocking the Postgres Port with iptables
- Whitelisting a Specific IP
Public Ports
A public port is a port that is reachable from the internet side of a server, so anyone can connect to it. Some ports must be public for a website to work, for example HTTP on port 80 or HTTPS on port 443.
Public Ports and Security
Because making a port public allows anyone to connect to it, exposing a database port publicly is usually a bad idea: a single bug in the database or a weak password is enough for someone to access and query it. On some Linux distributions port 5432 (the default Postgres port) will be open after installing Postgres, port 3306 (the default MySQL port) will be open after installing MySQL, etc. It is generally a good idea to restrict or block access to these database ports so that they are not publicly accessible.
Firewalls and iptables
One way to block or restrict access to a port is to use a firewall. A firewall is a network security device that monitors and controls network traffic according to a set of rules. On Linux, iptables is the command-line utility for managing those rules.
INFO: iptables is a user-space interface to netfilter, the Linux kernel module that lets us filter and manage network traffic.
Blocking the Postgres Port with iptables
As a demonstration, let's use iptables to block the default Postgres port from the outside world.
iptables -t filter -A INPUT -p tcp --dport 5432 -j DROP
This tells our server to drop any incoming packets to port 5432.
INFO: iptables is organised into tables. A table is a set of chains, a chain is an ordered list of rules, and a rule is a condition placed on packets together with the action to take when it matches.
- -t - Specifies the table. Filter is the default table and is used for packet filtering.
- -A - Appends the rule to the end of the chain.
- INPUT - Specifies the chain. INPUT handles incoming packets, i.e. packets addressed to our server.
- -p - Specifies the protocol. Can be one of tcp, udp, icmp, or all.
- --dport - Specifies the destination port.
- -j - The target: the action taken when a packet matches the rule. DROP silently discards the packet, so the client gets no response at all and the port appears unresponsive.
After running this command, we can list the firewall rules using the following command:
iptables -t filter -L INPUT --line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 DROP tcp -- anywhere anywhere tcp dpt:5432
- -t - Specifies the table. Filter is the default table and is used for packet filtering.
- -L - Lists the rules in the provided chain. Here we specify the INPUT chain.
- --line-numbers - Print the line numbers of the rules.
Now any incoming connections to port 5432 will be dropped.
Whitelisting a Specific IP
If desired, we can whitelist a specific IP address or range so that it can still reach the port. Just make sure the ACCEPT rule is placed before the DROP rule, because rules are matched in order. For example, the following allows access from x.x.x.x to port 5432 while blocking all other connections.
iptables -t filter -A INPUT -p tcp --dport 5432 -s x.x.x.x -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 5432 -j DROP
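Combining the blocking and whitelisting sections above, the following is an added shell example (not from the original post) that generates the whitelist and DROP rules for any port and any number of IPv4 addresses or CIDR ranges, validating the inputs and always emitting the ACCEPT rules before the DROP so the order is right. It also allows loopback traffic, an assumption beyond the post, so that clients on the same host keep working.

```shell
#!/bin/sh
# valid_source ADDR[/PREFIX]: accept only a dotted-quad IPv4 address with an
# optional /0-32 prefix, so nothing unexpected reaches the iptables command line.
valid_source() {
  src=$1
  case "$src" in
    ""|*/|*[!0-9./]*|*/*/*) return 1 ;;
  esac
  addr=${src%%/*}
  prefix=${src#"$addr"}; prefix=${prefix#/}
  [ -n "$prefix" ] || prefix=32
  [ "$prefix" -le 32 ] 2>/dev/null || return 1
  set -- $(printf '%s' "$addr" | tr '.' ' ')
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] 2>/dev/null || return 1
  done
  return 0
}

# db_port_rules PORT SOURCE...: print the rules in the order they must be
# appended: every ACCEPT first, the catch-all DROP last, since both ACCEPT
# and DROP end rule traversal for a packet.
db_port_rules() {
  port=$1; shift
  case "$port" in ""|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;; esac
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "invalid port: $port" >&2; return 1; }
  for src in "$@"; do
    valid_source "$src" || { echo "invalid source: $src" >&2; return 1; }
  done
  # Assumption beyond the post: keep the port reachable over loopback, since
  # the DROP below would otherwise also discard local connections to 127.0.0.1.
  echo "iptables -t filter -A INPUT -i lo -p tcp --dport $port -j ACCEPT"
  for src in "$@"; do
    echo "iptables -t filter -A INPUT -p tcp --dport $port -s $src -j ACCEPT"
  done
  echo "iptables -t filter -A INPUT -p tcp --dport $port -j DROP"
}

# apply_db_port_rules PORT SOURCE...: run as root. -C checks whether an
# identical rule already exists, so re-running does not duplicate rules. If a
# DROP for this port is already in the chain, remove it first with -D, because
# rules appended after it are never reached. Plain iptables rules are lost on reboot unless saved.
apply_db_port_rules() {
  db_port_rules "$@" | while IFS= read -r cmd; do
    check=$(printf '%s\n' "$cmd" | sed 's/ -A INPUT / -C INPUT /')
    $check 2>/dev/null || $cmd
  done
}
```

Run `db_port_rules 5432 203.0.113.10 198.51.100.0/24` (constructed documentation-range addresses) to review the generated commands, then `apply_db_port_rules` with the same arguments as root.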