0
$m = new Memcached();
$m->addServer('localhost', 11211);

Will port 11211 need to be open in IPTables for this to work, or is it bypassed considering it's localhost?

sudo iptables -L -n -v output

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
1155K   95M ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
8817K 1451M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED 
  183 10452 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:6685 
 574K   30M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 
  122  7232 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:21 
 2649  154K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 8343K packets, 12G bytes)
 pkts bytes target     prot opt in     out     source               destination         
    6  2524 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:20 
Ben
  • Depends on what you already have in your iptables configuration. On most distros everything is open by default. If you post the output of 'iptables -L' on your system I can tell you more. – dfranke Nov 12 '10 at 21:01

2 Answers

1

What everyone else has noted about default installs is fairly true, though most (e.g. CentOS) systems have come out of the box running a basic firewall for some time now. But even a basic firewall will normally allow all connections from localhost to localhost, as it is extremely unwise to forbid these; the oddest things can start happening. If there's a line near the top of your INPUT chain (or any chain to which INPUT delegates the bulk of its work) that says

iptables -A INPUT -i lo -j ACCEPT

or in iptables -L -n -v format,

  840 97979 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           

(never mind the first two fields, they're packet and byte counts and yours would of course be different) then you're probably OK. Another good test is to do

telnet localhost 11211

if you get

Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).

then you know your listener's running and the firewall's not blocking it. Failing that, give us your iptables -L -n -v and your netstat -an outputs, as the others suggest, so we can take a look.

MadHatter
  • if I know that I can access MySQL via "localhost" then I should be fine.... right? – Ben Nov 17 '10 at 03:27
  • I don't see that that has much to do with the situation; MySQL as a service normally runs on port 3306. The telnet test is fairly definitive, and cheap to do; why would you not do it? – MadHatter Nov 22 '10 at 14:19
  • The telnet test was indeed met with "connection refused"..... `netstat-an` is a VERY long list of items... – Ben Nov 30 '10 at 16:45
  • OK, sorry, try "netstat -an|grep 11211". – MadHatter Nov 30 '10 at 17:59
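
The check described in the answer above can be done mechanically. This is an added example, not part of the original posts: it walks the INPUT chain from the question's listing in first-match order for a new connection, so you can see which rule decides the fate of traffic to port 11211 on loopback versus another interface. The function name first_match and the interface name eth0 used when calling it are assumptions; only the match types that appear in that listing are modelled, and anything else raises an error rather than guessing.

```python
import re

# Constructed sample: the INPUT chain copied from the question's listing.
SAMPLE = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
1155K   95M ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
8817K 1451M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED
  183 10452 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:6685
 574K   30M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
  122  7232 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:21
 2649  154K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

ANY = "0.0.0.0/0"

def first_match(listing, iface, proto, dport, chain="INPUT"):
    """Return (target, rule_text) for a NEW packet on iface to proto/dport.
    rule_text is None when only the chain policy applied."""
    policy, in_chain = None, False
    for line in listing.splitlines():
        head = re.match(r"Chain (\S+) \(policy (\w+)", line)
        if head:
            in_chain = head.group(1) == chain
            policy = head.group(2) if in_chain else policy
            continue
        f = line.split()
        if not in_chain or len(f) < 9 or f[0] == "pkts":
            continue  # other chains, blank lines, column header
        target, rproto, r_in, src, dst = f[2], f[3], f[5], f[7], f[8]
        if (src, dst) != (ANY, ANY):
            raise ValueError("address match not modelled: " + line.strip())
        ok = r_in in ("*", iface) and rproto in ("all", proto)
        extras = iter(f[9:])
        for tok in extras:
            if tok in ("tcp", "udp"):
                continue  # label that precedes dpt:/spt: in -L output
            if tok.startswith("dpt:"):
                ok = ok and tok[4:] == str(dport)
            elif tok == "ctstate":
                ok = ok and "NEW" in next(extras).split(",")
            else:
                raise ValueError("match not modelled: " + line.strip())
        if ok:
            return target, line.strip()
    return policy, None
```

With this listing, a new connection to 11211 on lo is accepted by the first rule, while the same port arriving on any other interface falls through to the final DROP. A match on that DROP rule shows up to a client as a timeout, whereas "connection refused" normally means nothing is listening on the port.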
0

This depends on your install/distro. The base install of pretty much everything should be open. As dfranke pointed out you can list iptables entries with 'iptables -L'. I can tell you that with a base install of Ubuntu, Debian and CentOS I've not had to do anything other than just install memcached to have it run and be open.

Dave Holland