Tags: python, jupyter-notebook, jupyter, firewall, iptables

iptables rules for jupyter notebook


I'm having trouble with the iptables settings for jupyter notebook. With the following rules (assume notebook port 8888), the jupyter notebook server launches successfully, but the actual notebook kernel fails to start/establish.

By commenting out the last iptables rule, "-A OUTPUT -j DROP", everything works fine.

Any thoughts?

# browser -> notebook server on port 8888
-A INPUT -p tcp -m state --state NEW,ESTABLISHED --dport 8888 -j ACCEPT
-A INPUT -p tcp -m state --state ESTABLISHED --sport 8888 -j ACCEPT
# replies from the notebook server (and this host as a client of port 8888)
-A OUTPUT -p tcp -m state --state ESTABLISHED --sport 8888 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --dport 8888 -j ACCEPT
# everything else is dropped, loopback traffic included
-A INPUT -j DROP
-A OUTPUT -j DROP

Solution

  • Often tools like jupyter use the loopback device (localhost) to access certain features. For example, jupyter has a frontend that communicates over HTTP with the notebook server, which sends messages via sockets to the IPython Kernel (see: https://jupyter.readthedocs.io/en/latest/architecture/how_jupyter_ipython_work.html).

    I would add the following rules:

    sudo iptables -A INPUT -i lo -j ACCEPT
    sudo iptables -A OUTPUT -o lo -j ACCEPT
    

    These rules allow input and output to and from the loopback device (localhost).
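As an added example that is not part of the answer above: a complete ruleset in iptables-restore format with the loopback ACCEPTs placed first, plus a text-only ordering check that runs without root. The order matters because `iptables -A` appends: if the two DROP rules from the question are already loaded, the appended loopback rules land below them and are never reached, so either insert them with `-I` or reload the whole set as shown here. Port 8888 is carried over from the question; the `NB_PORT` variable, the `check_order` function and the other names are assumptions of this example, not anything from Jupyter or the original post.

```shell
#!/bin/sh
# Added example, not from the original post. Generates a working ruleset for
# a notebook server on NB_PORT (8888 as assumed in the question) and checks
# that loopback ACCEPTs precede any chain-wide DROP in the same chain.
set -u
NB_PORT="${NB_PORT:-8888}"

# The questioner's rules with the answer's loopback ACCEPTs appended by
# "iptables -A" after the DROP rules were already loaded. iptables evaluates
# a chain top to bottom, so these two ACCEPTs are dead.
naive_rules() {
  cat <<EOF
-A INPUT -p tcp -m state --state NEW,ESTABLISHED --dport $NB_PORT -j ACCEPT
-A INPUT -p tcp -m state --state ESTABLISHED --sport $NB_PORT -j ACCEPT
-A OUTPUT -p tcp -m state --state ESTABLISHED --sport $NB_PORT -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --dport $NB_PORT -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -j DROP
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
EOF
}

# Working set in iptables-restore format: loopback first, then the notebook
# port, then the explicit DROPs. The kernel <-> server ZMQ sockets use
# ephemeral ports on 127.0.0.1, which the port-$NB_PORT rules never match,
# so only the loopback rules let the kernel come up.
fixed_rules() {
  cat <<EOF
*filter
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
-A INPUT -p tcp --dport $NB_PORT -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --sport $NB_PORT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -j DROP
COMMIT
EOF
}

# check_order CHAIN: reads rules on stdin; exits 0 when the loopback ACCEPT
# for CHAIN appears before the first unconditional "-A CHAIN -j DROP" (or no
# such DROP exists), 1 otherwise.
check_order() {
  awk -v chain="$1" '
    $1 == "-A" && $2 == chain {
      if (($3 == "-i" || $3 == "-o") && $4 == "lo" && $5 == "-j" && $6 == "ACCEPT" && !lo) lo = NR
      if ($3 == "-j" && $4 == "DROP" && !drop) drop = NR
    }
    END {
      if (drop && (!lo || lo > drop)) exit 1
      exit 0
    }'
}

# Wrappers that only inspect the generated text; nothing here touches the
# running firewall.
naive_ok() { naive_rules | check_order "$1"; }
fixed_ok() { fixed_rules | check_order "$1"; }

# To apply the working set (needs root):   fixed_rules | sudo iptables-restore
# To confirm the rule is live afterwards:  sudo iptables -C INPUT -i lo -j ACCEPT
```

The anti-spoofing line (`! -i lo -s 127.0.0.0/8 -j DROP`) is the one addition beyond the answer: once everything from the loopback interface is trusted, packets claiming a 127.0.0.0/8 source must not be accepted from any other interface.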