A firewall blocking unauthorized Memcached access is fundamentally about preventing a remote attacker from hijacking your cache and using it to launch denial-of-service attacks or, worse, execute arbitrary code.
Here’s how to set it up using iptables, assuming your Memcached server is running on 192.168.1.100 and listening on the default port 11211. We’ll allow access from a specific internal subnet, 192.168.1.0/24, and deny everything else.
First, ensure you have iptables installed. On most Linux distributions, it’s available by default.
sudo apt-get update && sudo apt-get install iptables -y
# or
sudo yum update && sudo yum install iptables -y
Now, let’s add the rules. We’ll add these to the INPUT chain, which governs traffic destined for the server itself.
# Allow established and related connections
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allow loopback traffic (essential for local services)
sudo iptables -A INPUT -i lo -j ACCEPT
# Allow Memcached access from the trusted internal subnet
sudo iptables -A INPUT -p tcp --dport 11211 -s 192.168.1.0/24 -j ACCEPT
sudo iptables -A INPUT -p udp --dport 11211 -s 192.168.1.0/24 -j ACCEPT
# Drop all other Memcached traffic
sudo iptables -A INPUT -p tcp --dport 11211 -j DROP
sudo iptables -A INPUT -p udp --dport 11211 -j DROP
# Set the default policy for other traffic to DROP (optional, but recommended for security)
# Be very careful with this, ensure you have SSH access allowed first!
# sudo iptables -P INPUT DROP
Let’s break down what’s happening:
- sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT: This is crucial. It allows packets that are part of an existing connection, or related to one, to pass through. Without this, responses from Memcached wouldn't be able to get back to the client.
- sudo iptables -A INPUT -i lo -j ACCEPT: This allows all traffic on the loopback interface (lo), which matters for any local services that talk to Memcached on the same machine.
- sudo iptables -A INPUT -p tcp --dport 11211 -s 192.168.1.0/24 -j ACCEPT: This is the core rule for allowing Memcached.
  - -A INPUT: Appends the rule to the INPUT chain.
  - -p tcp: Matches the TCP protocol. Memcached primarily uses TCP.
  - --dport 11211: Matches packets destined for port 11211.
  - -s 192.168.1.0/24: The source address range. Only traffic originating from 192.168.1.0 through 192.168.1.255 will match.
  - -j ACCEPT: If all the previous conditions match, accept the packet.
- sudo iptables -A INPUT -p udp --dport 11211 -s 192.168.1.0/24 -j ACCEPT: Memcached can also be configured to use UDP, though this is less common. This rule mirrors the TCP rule for UDP.
- sudo iptables -A INPUT -p tcp --dport 11211 -j DROP: This rule is the catch-all for TCP traffic to port 11211. Because it comes after the ACCEPT rule for the trusted subnet, it only matches traffic from everywhere else.
  - -j DROP: Silently discard the packet. The sender receives no notification that it was dropped.
- sudo iptables -A INPUT -p udp --dport 11211 -j DROP: The UDP equivalent of the DROP rule.
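Because iptables evaluates the INPUT chain top to bottom and stops at the first match, the whole scheme depends on the trusted-subnet ACCEPT rules sitting above the catch-all DROP rules. The script below is an added example, not part of the original article: it emits the same rules in iptables-restore format (with the `-m tcp`/`-m udp` match modules that iptables-save adds) and audits any iptables-save dump for that ordering. The function names, the defaults, and the sample dumps are this example's own.

```shell
# Added example: generate the Memcached rules in iptables-restore format and
# audit a saved ruleset for first-match ordering (every ACCEPT for the port
# must precede the first DROP/REJECT for it). Defaults follow the article.

# Print the rule block for one trusted subnet and one port.
memcached_ruleset() {
    local subnet="${1:-192.168.1.0/24}" port="${2:-11211}"
    cat <<EOF
*filter
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s ${subnet} -p tcp -m tcp --dport ${port} -j ACCEPT
-A INPUT -s ${subnet} -p udp -m udp --dport ${port} -j ACCEPT
-A INPUT -p tcp -m tcp --dport ${port} -j DROP
-A INPUT -p udp -m udp --dport ${port} -j DROP
COMMIT
EOF
}

# Read iptables-save output on stdin. Returns 0 when a DROP/REJECT for the
# port exists and no ACCEPT for the port comes after the first one; returns
# 1 otherwise (no catch-all, or an ACCEPT that can never be reached).
check_rule_order() {
    local port="${1:-11211}" n=0 first_deny=0 last_accept=0 line
    while IFS= read -r line; do
        # Only INPUT rules that match this destination port are relevant.
        case "$line" in
            "-A INPUT"*"--dport $port "*) ;;
            *) continue ;;
        esac
        n=$((n + 1))
        case "$line" in
            *"-j ACCEPT"*) last_accept=$n ;;
            *"-j DROP"*|*"-j REJECT"*) [ "$first_deny" -eq 0 ] && first_deny=$n ;;
        esac
    done
    [ "$first_deny" -gt 0 ] && [ "$last_accept" -lt "$first_deny" ]
}

# Usage on a live host (needs root):
#   memcached_ruleset 192.168.1.0/24 11211 | sudo iptables-restore --noflush
#   sudo iptables-save | check_rule_order 11211 && echo "order ok"
```

The audit is worth running after any later `iptables -A` additions: appending a new ACCEPT for port 11211 below the existing DROP silently does nothing, which is exactly the kind of misconfiguration that shows up as "clients in the trusted subnet can't connect".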
After applying these rules, you should verify that your Memcached clients can still connect.
# From a client machine in 192.168.1.x subnet
telnet 192.168.1.100 11211
# You should see a blank line indicating connection success. Type 'quit' to exit.
# From a client machine *outside* 192.168.1.x subnet (e.g., 10.0.0.5)
telnet 192.168.1.100 11211
# This should hang and eventually time out.
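A telnet session tells you whether you got in, but not why a blocked attempt failed. The probe below is an added example, not from the original article: it uses bash's /dev/tcp device and coreutils timeout to separate a silent timeout (what the DROP rules above produce) from an immediate refusal (a REJECT rule, or nothing listening on that address). The function name, arguments and defaults are this example's own.

```shell
# Added example: classify a TCP connection attempt as open, timeout or
# refused. Requires bash (for /dev/tcp) and coreutils timeout.
probe_port() {
    local host="${1:-192.168.1.100}" port="${2:-11211}" secs="${3:-3}" rc
    # timeout exits 124 when the connect is still pending after $secs,
    # which is how a DROP rule (no reply at all) looks from the client.
    if timeout "$secs" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null; then
        rc=0
    else
        rc=$?
    fi
    case $rc in
        0)   echo open ;;     # three-way handshake completed: the ACCEPT rule matched
        124) echo timeout ;;  # no SYN-ACK and no RST: packets are being DROPped
        *)   echo refused ;;  # RST or ICMP unreachable: REJECT rule, or no listener
    esac
}

# Usage: probe_port 192.168.1.100 11211 3
```

Run it once from a host inside 192.168.1.0/24 (expect `open`) and once from outside (expect `timeout`). A `refused` from inside the trusted subnet points at Memcached itself rather than the firewall, typically because it is bound to a different address than the one you are connecting to.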
Important: iptables rules are not persistent by default. They will be lost upon reboot. To make them permanent, you need to save them.
On Debian/Ubuntu:
sudo apt-get install iptables-persistent -y
sudo netfilter-persistent save
On RHEL/CentOS/Fedora:
sudo service iptables save
# or
sudo iptables-save > /etc/sysconfig/iptables
Why is this necessary? Memcached, by default, binds to 0.0.0.0, meaning it listens on all network interfaces. It has very little built-in authentication or authorization. If exposed to the internet, an attacker could easily connect, issue commands like flush_all to wipe your cache, or use it as a stepping stone for other attacks by storing malicious data. The firewall is the primary defense layer for restricting access.
If you find that clients within your trusted subnet can't connect after applying these rules, double-check that your Memcached server is indeed listening on 192.168.1.100 or 0.0.0.0 and not bound only to some other address (such as 127.0.0.1) that remote clients can't reach. You can check Memcached's listening address by looking at its configuration file or by using sudo netstat -tulnp | grep 11211.
The next errors you'll hit are "Connection refused" and "Broken pipe". With the DROP rules above, an unauthorized IP sees a timeout rather than a refusal; "Connection refused" means Memcached isn't listening on the address you used, or a REJECT rule answered instead of DROP. A "Broken pipe" means your application's established connection was cut unexpectedly, typically by a misconfigured firewall rule further down the line.