Implementing Network ACL for Memcached Using iptables

This article explains how to use Linux iptables to create network-level ACLs that block non-production IP ranges from accessing a Memcached server, providing command examples for adding, listing, and clearing firewall rules, and discusses future considerations such as IPv6 support.

Qunar Tech Salon

Introduction

Solving problems can take many paths; the author prefers using built-in system tools as “Swiss army knives” rather than IDE shortcuts.

Requirement

Memcached lacks built-in ACL, leading developers to accidentally connect development environments to production, causing data pollution. Various solutions exist, but the author advocates a simple network-level rule using iptables to block unwanted access.

Analysis

The simplest ACL is to reject traffic at the network layer; on Linux the iptables command is the natural choice.

iptables Settings

To allow only the production subnet (e.g., 10.6.0.0/16) to reach the Memcached port (11211) and reject everything else, run the two commands below in this order (-A appends to the end of the chain, so the ACCEPT rule must be in place before the REJECT rule):

# iptables -A INPUT -p tcp -s 10.6.0.0/16 --dport 11211 -j ACCEPT
# iptables -A INPUT -p tcp --dport 11211 -j REJECT

Supplement

In a real environment you may edit the firewall file directly, for example:

*filter
……
-A INPUT -j dujiape_input
-A dujiape_input -i lo -j ACCEPT
-A dujiape_input -s 10.0.0.0/16 -m state --state NEW -j ACCEPT
…………
-A dujiape_input -p tcp --dport 11211 -m state --state NEW -j DROP
-A dujiape_input -j ACCEPT
COMMIT
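The two commands in the iptables Settings section and the firewall-file fragment in the Supplement express the same ACL in two forms. The script below is an added example (not code from the original article) that renders that ACL as an iptables-restore fragment with a dedicated chain, so it can be reviewed before it is loaded. The chain name memcached_acl and the tcp-reset rejection are choices made for this example, not something the article specifies.

```shell
#!/bin/sh
# Added example (not from the original article): render the Memcached ACL
# as an iptables-restore "*filter" fragment. A dedicated chain keeps the
# Memcached rules together instead of scattering them through INPUT.
# The chain name "memcached_acl" is an assumption chosen for this example.
set -eu

# render_rules SUBNET PORT
# Prints a fragment that accepts SUBNET on PORT and rejects every other
# source, mirroring the two iptables commands in the article. The ACCEPT
# line is emitted before the REJECT line because rules match in order.
render_rules() {
    subnet="$1"
    port="$2"
    cat <<EOF
*filter
:memcached_acl - [0:0]
-A INPUT -p tcp --dport ${port} -j memcached_acl
-A memcached_acl -s ${subnet} -p tcp --dport ${port} -j ACCEPT
-A memcached_acl -p tcp --dport ${port} -j REJECT --reject-with tcp-reset
COMMIT
EOF
}

# count_rules SUBNET PORT TARGET
# Number of rules in the rendered fragment that jump to TARGET; handy for a
# quick sanity check that exactly one ACCEPT and one REJECT were produced.
count_rules() {
    render_rules "$1" "$2" | grep -c -- "-j $3"
}

# apply_rules SUBNET PORT
# Loads the fragment next to the existing rules (--noflush keeps the rest of
# the table). Needs root, so it only runs when "apply" is requested.
apply_rules() {
    render_rules "$1" "$2" | iptables-restore --noflush
}

# Usage: memcached-acl.sh [render|apply] [subnet] [port]
# With no arguments the fragment for 10.6.0.0/16 and port 11211 is printed.
case "${1:-render}" in
    render) render_rules "${2:-10.6.0.0/16}" "${3:-11211}" ;;
    apply)  apply_rules  "${2:-10.6.0.0/16}" "${3:-11211}" ;;
    *) echo "usage: $0 [render|apply] [subnet] [port]" >&2; exit 2 ;;
esac
```

Running the script without arguments only prints the fragment; review it, then load it with the apply action (or pipe the output into iptables-restore --noflush yourself) once the subnet and port are right for your environment.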

Clear Rules

To flush all iptables rules: iptables -F. If other rules exist, copy them before flushing (iptables-save prints the current rule set) and restore them afterward.

List Rules

To view current firewall rules:

iptables -L (add -n to skip reverse DNS lookups; iptables -S prints the rules in command form)
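Listing the rules is only useful if you know what to look for: because -A appends, an ACCEPT for the production subnet that was added after the REJECT for port 11211 never matches, and production is locked out too. The script below is an added example (not from the original article) that reads an iptables -S INPUT listing and checks that the subnet ACCEPT precedes the first REJECT or DROP for the port. The two listings embedded in it are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original article): check an "iptables -S INPUT"
# listing for the Memcached ACL. Rules match in order, so an ACCEPT for the
# production subnet that lands after the REJECT for the port is dead.
# The listings below are constructed samples, not captured from a real host.
set -eu

# check_acl SUBNET PORT  (listing on stdin)
# Prints "ok" and returns 0 when an ACCEPT for SUBNET on PORT precedes the
# first REJECT/DROP for PORT; otherwise prints the reason and returns 1.
# SUBNET is used as a plain regex fragment, which is fine for CIDR strings.
check_acl() {
    awk -v subnet="$1" -v port="$2" '
        # only rules that target the port we care about
        $0 ~ ("--dport " port "( |$)") {
            if ($0 ~ ("-s " subnet " ") && $0 ~ /-j ACCEPT/ && !accept) accept = NR
            if ($0 ~ /-j (REJECT|DROP)/ && !deny) deny = NR
        }
        END {
            if (!accept) { print "missing ACCEPT for " subnet " on port " port; exit 1 }
            if (!deny)   { print "missing REJECT/DROP for port " port; exit 1 }
            if (accept > deny) {
                print "ACCEPT at rule " accept " comes after deny at rule " deny
                exit 1
            }
            print "ok"
        }'
}

# Constructed listing with the rules in the right order.
GOOD_LISTING='-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 10.6.0.0/16 -p tcp -m tcp --dport 11211 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 11211 -j REJECT --reject-with icmp-port-unreachable'

# Constructed listing where the ACCEPT was appended after the REJECT.
BAD_LISTING='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 11211 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 10.6.0.0/16 -p tcp -m tcp --dport 11211 -j ACCEPT'

# check_sample good|bad: run check_acl over one of the constructed listings
check_sample() {
    case "$1" in
        good) printf '%s\n' "$GOOD_LISTING" | check_acl 10.6.0.0/16 11211 ;;
        bad)  printf '%s\n' "$BAD_LISTING"  | check_acl 10.6.0.0/16 11211 ;;
        *)    echo "usage: check_sample good|bad" >&2; return 2 ;;
    esac
}

# On a live host:  iptables -S INPUT | check_acl 10.6.0.0/16 11211
check_sample good
check_sample bad || true
```

The check only covers the ordering of the two Memcached rules; a blanket ACCEPT earlier in the chain (such as the trailing -A dujiape_input -j ACCEPT in the Supplement if it were placed first) would also defeat the REJECT, so read the full listing rather than relying on the script alone.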

Postscript

iptables will likely be used for a few more years, but with IPv6 adoption the future command may be ip(8), which supports both IPv4 and IPv6.


Tags: Linux, network security, iptables, ACL, Memcached
Written by

Qunar Tech Salon

Qunar Tech Salon is a learning and exchange platform for Qunar engineers and industry peers. We share cutting-edge technology trends and topics, providing a free platform for mid-to-senior technical professionals to exchange and learn.
