IP Tables and Ports

Security outside Couchbase Server involves the configuration of IP tables and ports.

Security best practices include encrypting certain data locations with transparent data encryption technologies. These technologies are offered by third-party on-disk encryption software vendors, such as Vormetric. For more details, see the webinar Understanding Database Encryption with Couchbase and Vormetric. The locations are:

  • Data and index file path (the default data path on Linux) at /opt/couchbase/var/lib/couchbase/data.

  • Tools path at /opt/couchbase/bin/.

  • Password files at /opt/couchbase/var/lib/couchbase/isasl.pw and /opt/couchbase/var/lib/config/.

For additional security:

  • Allow administrative access to Couchbase Server only through specific machines, e.g., jump servers. To audit access, turn on OS-level auditing on these machines.

  • Use IPSec on your local network.

    Here are some of the good online sources about IPSec and its configuration:

Configuring IP Tables and Ports

To configure IP tables on Linux, edit the file /etc/sysconfig/iptables as follows:

   ## Allow everyone to access ports 80 and 443 ##
   -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
   -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT

Keep in mind that some Couchbase ports are used for node-to-node communication and some for node-to-client communication.

For a complete list of Couchbase ports, see Network Configuration.

Table 1. Important Couchbase Ports

| Port | Description | Node to node | Node to client |
|------|-------------|--------------|----------------|
| 8091 | Web administration port | Yes | Yes |
| 8092 | Couchbase API port | Yes | Yes |
| 8093 | Used by query services for REST/HTTP traffic. | Yes | Yes |
| 11207 | Internal/external bucket port for SSL | No | Yes |
| 11209 | Internal bucket port | Yes | No |
| 11210 | Internal/external bucket port | Yes | Yes |
| 11211 | Client interface (proxy) | No | Yes |
| 11214 | Incoming SSL proxy | No | No |
| 11215 | Internal outgoing SSL proxy | No | No |
| 18091 | Internal REST HTTPS for SSL | No | Yes |
| 18092 | Internal CAPI HTTPS for SSL | No | Yes |
| 4369 | Erlang port mapper (epmd) | Yes | No |
| 21100 to 21199 (inclusive) | Node data exchange | Yes | No |

You can find a sample script for configuring the IP tables firewall settings in the following blog post: IPTables Firewall Settings for Couchbase DB and Couchbase Mobile Sync_gateway
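
As an added example (not part of the Couchbase documentation and not the script from the blog post mentioned above), the shell function below turns Table 1 into source-restricted rules in the same syntax as the port 80 and 443 lines: node-to-node ports accept new connections only from cluster nodes, and node-to-client ports only from a client subnet. The function name, the node addresses, the client subnet and the closing DROP rule are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: print iptables rules for the ports in Table 1.
# Fields per line: port-or-range  node-to-node  node-to-client
COUCHBASE_PORTS='
8091 yes yes
8092 yes yes
8093 yes yes
11207 no yes
11209 yes no
11210 yes yes
11211 no yes
11214 no no
11215 no no
18091 no yes
18092 no yes
4369 yes no
21100:21199 yes no
'

# couchbase_rules "<node addresses>" "<client CIDR>"   (hypothetical helper)
# Prints one ACCEPT per allowed source, then a DROP that closes the port to
# every other non-loopback source. Place the output ahead of broader ACCEPTs.
couchbase_rules() {
    nodes=$1      # space-separated addresses of the other cluster nodes
    clients=$2    # subnet that application clients connect from
    printf '%s\n' "$COUCHBASE_PORTS" | while read -r port n2n n2c; do
        [ -n "$port" ] || continue
        if [ "$n2n" = yes ]; then
            for node in $nodes; do
                echo "-A INPUT -m state --state NEW -p tcp -s $node --dport $port -j ACCEPT"
            done
        fi
        if [ "$n2c" = yes ]; then
            echo "-A INPUT -m state --state NEW -p tcp -s $clients --dport $port -j ACCEPT"
        fi
        # Ports marked No/No get no ACCEPT: only loopback traffic reaches them.
        echo "-A INPUT ! -i lo -m state --state NEW -p tcp --dport $port -j DROP"
    done
}

# Constructed sample values (assumptions): two cluster nodes, one client subnet.
couchbase_rules "10.0.0.11 10.0.0.12" "10.0.1.0/24"
```

Review the printed rules before merging them into /etc/sysconfig/iptables.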