How to Configure RabbitMQ to Listen Only on Localhost (127.0.0.1) for All Ports


When you install RabbitMQ on a Debian-based system, it typically binds to all available network interfaces (0.0.0.0) for several ports:

# Default ports:
- 5672 (AMQP)
- 4369 (EPMD - Erlang Port Mapper Daemon, which tells peers and the CLI tools where the node's distribution port is)
- Distribution port for distributed Erlang (clustering and rabbitmqctl): 25672 on current RabbitMQ packages, otherwise a random high port; pin it explicitly with RABBITMQ_DIST_PORT so it can be firewalled

Setting RABBITMQ_NODE_IP_ADDRESS=127.0.0.1 in /etc/rabbitmq/rabbitmq-env.conf (it is an environment variable, so it does not belong in rabbitmq.conf) only moves the AMQP listener to loopback; epmd and the distribution port still bind to all interfaces, so additional measures are needed for complete localhost restriction.

Create or modify /etc/rabbitmq/rabbitmq-env.conf with:

# AMQP listener on loopback only
RABBITMQ_NODE_IP_ADDRESS=127.0.0.1
# Pin the distribution port (default 25672) so it can be firewalled
RABBITMQ_DIST_PORT=25672

The interface the distribution listener binds to is an Erlang kernel setting (inet_dist_use_interface) with no RABBITMQ_ environment variable of its own, so it goes into /etc/rabbitmq/advanced.config:

[
  {kernel, [
    {inet_dist_use_interface, {127,0,0,1}}
  ]}
].

For the Erlang Port Mapper Daemon (EPMD), which Debian starts as its own service rather than as a child of the node, pass -address on the command line. The variable name has to match what the init script or unit actually reads (check with systemctl cat epmd or by reading /etc/init.d/epmd; a socket-activated epmd.socket ignores -address and needs its ListenStream= lines changed instead). For an init script that reads DAEMON_OPTS, create /etc/default/epmd:

# Restrict EPMD to localhost (epmd always binds the loopback address, so with
# -address 127.0.0.1 that is the only address it listens on)
DAEMON_OPTS="-address 127.0.0.1"

Restart epmd first if it runs as its own unit (an epmd left running from before keeps its old binding, because the node does not stop it), then RabbitMQ (systemctl restart epmd; systemctl restart rabbitmq-server), and verify with:

sudo lsof -n -a -i -urabbitmq | grep LISTEN

Expected output should show all ports bound to 127.0.0.1 only; any entry of the form *:port or 0.0.0.0:port means that component is still listening on every interface.

For additional security, add iptables rules as well; they are a second layer in case a later configuration change or upgrade reopens a listener. Two caveats: -A appends, so these rules do nothing behind an existing catch-all ACCEPT (check iptables -L INPUT -n --line-numbers first, or insert with -I), and they cover IPv4 only, so repeat them with ip6tables if the host has IPv6 addresses. Matching on the interface (-i lo) instead of the source address is an equally valid, slightly tighter form.

# Allow only localhost to RabbitMQ ports (25672 assumes RABBITMQ_DIST_PORT=25672 as set above)
iptables -A INPUT -p tcp --dport 5672 -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p tcp --dport 4369 -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p tcp --dport 25672 -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p tcp --dport 5672 -j DROP
iptables -A INPUT -p tcp --dport 4369 -j DROP
iptables -A INPUT -p tcp --dport 25672 -j DROP

Binding everything to loopback necessarily breaks clustering with nodes on other hosts; that is the intent of this setup. What can still break on a single node is rabbitmqctl and rabbitmq-diagnostics: they resolve the host part of the node name (rabbit@<hostname> by default) and connect to the distribution port on that address, so the name must resolve to 127.0.0.1. Either set RABBITMQ_NODENAME=rabbit@localhost in /etc/rabbitmq/rabbitmq-env.conf or map the hostname to 127.0.0.1 in /etc/hosts. If the CLI tools still fail:

# Check the Erlang cookie (the file must be owned by rabbitmq and not readable
# by group or others, or the node refuses to start; the CLI tools must use the
# same value)
sudo cat /var/lib/rabbitmq/.erlang.cookie

# Verify the node answers over the loopback distribution port
sudo rabbitmq-diagnostics status

On a Debian system the three RabbitMQ listeners do not behave the same way. In the lsof output below the AMQP listener is already on loopback, while epmd and the distribution port (43380 here, a random high port that changes on every restart unless pinned) are still on all interfaces (*):

# Binding observation with only the AMQP listener restricted
COMMAND   PID     USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
epmd     7353 rabbitmq    3u  IPv4 1177662      0t0  TCP *:epmd (LISTEN)
beam.smp 7365 rabbitmq   10u  IPv4 1177711      0t0  TCP *:43380 (LISTEN)
beam.smp 7365 rabbitmq   19u  IPv4 1177728      0t0  TCP 127.0.0.1:amqp (LISTEN)

To enforce localhost-only binding across all RabbitMQ components:

1. RabbitMQ Core Configuration

Edit /etc/rabbitmq/rabbitmq.conf:

# AMQP listener on localhost only (same effect as RABBITMQ_NODE_IP_ADDRESS=127.0.0.1)
listeners.tcp.default = 127.0.0.1:5672
# Keep the built-in guest user limited to loopback logins. This is the default;
# setting it to false would allow guest to authenticate from remote hosts,
# which is the opposite of what this setup is for.
loopback_users.guest = true
# Only needed if the node uses classic peer discovery; the entry must match the
# node's own name (RABBITMQ_NODENAME, default rabbit@<hostname>), so set
# RABBITMQ_NODENAME=rabbit@localhost in rabbitmq-env.conf when keeping these
cluster_formation.peer_discovery_backend = rabbit_peer_discovery_classic_config
cluster_formation.classic_config.nodes.1 = rabbit@localhost

2. EPMD (Erlang Port Mapper Daemon) Configuration

Create or modify /etc/default/epmd, using the variable that the epmd init script or unit actually reads (check with systemctl cat epmd; if the unit reads no defaults file, a systemd drop-in setting ERL_EPMD_ADDRESS=127.0.0.1 in the service environment has the same effect, since epmd honours that variable):

# Restrict EPMD to localhost
EPMD_OPTIONS="-address 127.0.0.1"

3. Erlang Kernel Parameters

Add to /etc/rabbitmq/rabbitmq-env.conf:

# EPMD address used by both epmd and the node; a plain Erlang variable, so it
# has to be exported to reach the beam process
export ERL_EPMD_ADDRESS=127.0.0.1
# Pin the distribution port (default 25672) instead of a random high port,
# so it can be firewalled
RABBITMQ_DIST_PORT=25672
# inet_tcp is IPv4 TCP distribution, which is already the default; it does not
# restrict the bind address (that is inet_dist_use_interface, an Erlang kernel
# setting that belongs in /etc/rabbitmq/advanced.config)
export RABBITMQ_SERVER_START_ARGS="-proto_dist inet_tcp"
export RABBITMQ_CTL_ERL_ARGS="-proto_dist inet_tcp"

After applying all changes, restart epmd and then rabbitmq-server (in that order, so the node registers with the re-bound epmd), and check the listeners. ss and netstat report the process names beam.smp and epmd, not "rabbitmq", so grep for those:

# Check active listeners
sudo lsof -n -a -i -urabbitmq
sudo ss -tlnp | grep -E 'beam|epmd'
sudo netstat -tlnp | grep -E 'beam|epmd'
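A scripted version of the listener checks (this one and the lsof | grep LISTEN check earlier on the page), added here as an example rather than taken from the original post or from RabbitMQ itself. It reads ss -H -tlnp output, keeps only sockets owned by beam.smp or epmd, and fails if any of them is bound to an address other than 127.0.0.1 or [::1], so it can run from a config-management test or a cron job instead of relying on eyeballing the output. The sample ss lines are constructed to mirror the lsof output shown above; check_listeners and audit_live are names chosen for this example.

```shell
#!/bin/sh
# Listener audit for a loopback-only RabbitMQ node (added example, not part of
# the RabbitMQ project). Reads `ss -H -tlnp` lines and reports every socket of
# the node (beam.smp) or epmd that is not bound to 127.0.0.1 or [::1].

# check_listeners: filter ss lines on stdin, print each offending socket,
# return 1 if at least one was found and 0 if every listener is on loopback.
check_listeners() {
    awk '
        # only the node and epmd processes; other daemons are out of scope
        /users:\(\("(beam\.smp|epmd)"/ {
            addr = $4                    # "Local Address:Port" column
            sub(/:[^:]*$/, "", addr)     # drop the :port suffix
            # 0.0.0.0, [::], * and any real interface address are all exposed
            if (addr != "127.0.0.1" && addr != "[::1]") {
                print "non-loopback listener: " $4 " " $6
                bad = 1
            }
        }
        END { exit bad ? 1 : 0 }
    '
}

# audit_live: run the check against the real socket table. Needs root so that
# ss can attribute sockets belonging to the rabbitmq user to their processes.
audit_live() {
    ss -H -tlnp | check_listeners
}

# Constructed sample in ss -H -tlnp format: the state before hardening (epmd
# and the random distribution port on all interfaces, AMQP already on loopback).
SAMPLE_BEFORE='LISTEN 0 128 0.0.0.0:4369 0.0.0.0:* users:(("epmd",pid=7353,fd=3))
LISTEN 0 128 0.0.0.0:43380 0.0.0.0:* users:(("beam.smp",pid=7365,fd=10))
LISTEN 0 128 127.0.0.1:5672 0.0.0.0:* users:(("beam.smp",pid=7365,fd=19))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=901,fd=3))'

# Constructed sample: the expected state after the configuration above
# (epmd on loopback, distribution pinned to 25672 on loopback).
SAMPLE_AFTER='LISTEN 0 128 127.0.0.1:4369 0.0.0.0:* users:(("epmd",pid=7353,fd=3))
LISTEN 0 128 127.0.0.1:25672 0.0.0.0:* users:(("beam.smp",pid=7365,fd=10))
LISTEN 0 128 127.0.0.1:5672 0.0.0.0:* users:(("beam.smp",pid=7365,fd=19))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=901,fd=3))'

if printf '%s\n' "$SAMPLE_BEFORE" | check_listeners; then
    echo "before: clean"
else
    echo "before: exposed RabbitMQ listeners found (expected for the unhardened sample)"
fi
printf '%s\n' "$SAMPLE_AFTER" | check_listeners && echo "after: all RabbitMQ listeners on loopback"
```

Run audit_live as root on the real host; a non-zero exit with one line per exposed socket means a component still needs attention, while sshd and other services are deliberately ignored.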

As additional hardening with iptables. The distribution port has to be pinned first (RABBITMQ_DIST_PORT in rabbitmq-env.conf): 43380 in the lsof output above was picked at random at startup and would be a different number after the next restart, so the rules below use the pinned 25672. Add matching ip6tables rules if the host has IPv6 addresses, and make sure no earlier catch-all ACCEPT in the INPUT chain shadows them.

# Allow only localhost connections
iptables -A INPUT -p tcp --dport 5672 -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p tcp --dport 4369 -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p tcp --dport 25672 -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p tcp --dport 5672 -j DROP
iptables -A INPUT -p tcp --dport 4369 -j DROP
iptables -A INPUT -p tcp --dport 25672 -j DROP

For persistent rules on Debian:

sudo apt-get install iptables-persistent
sudo netfilter-persistent save