4

I am configuring a REDIS server and I want to allow connections only from a set of specific IP addresses.

This is a Debian 10 server, and the recommended framework to use is nft, which I haven't used in the past.

The default ruleset is this:

#!/usr/sbin/nft -f

flush ruleset

table inet filter {
        chain input {
                type filter hook input priority 0;
        }
        chain forward {
                type filter hook forward priority 0;
        }
        chain output {
                type filter hook output priority 0;
        }
}

What rule do I need to add in that file to allow incoming connections to redis from IP 1.1.1.1 and 2.2.2.2, dropping everything else?

REDIS is using port 6379.

SouravGhosh

2 Answers

3

In case someone else stumbles upon the same issue, my main problem was that I was using rules in the incorrect order.

I was adding a drop rule before the accept rule, and this seems to work the other way around.

These are sample rules for dropping all IP addresses except two:

ip saddr 1.1.1.1 tcp dport 6379 accept
ip saddr 2.2.2.2 tcp dport 6379 accept
tcp dport 6379 drop

Complete rules file:

#!/usr/sbin/nft -f

flush ruleset

table inet filter {
        chain input {
                type filter hook input priority 0;
                # allow connections to redis only from these two addresses
                ip saddr 1.1.1.1 tcp dport 6379 accept
                ip saddr 2.2.2.2 tcp dport 6379 accept
                # drop redis traffic from every other source
                tcp dport 6379 drop
        }
        chain forward {
                type filter hook forward priority 0;
        }
        chain output {
                type filter hook output priority 0;
        }
}
  • Including how to actually add the rules. It's not as straightforward as this post shows: `sudo nft add rule inet filter input ip saddr 1.1.1.1 tcp dport 6379 accept` `sudo nft add rule inet filter input ip saddr 2.2.2.2 tcp dport 6379 accept` `sudo nft add rule inet filter input tcp dport 6379 drop` – Dave Oct 07 '22 at 15:13
-2

One item I would highly recommend is

        chain input {
           type filter hook input priority 0;
           policy drop;
           # required items below
        }

Please note everything is dropped; this is the safest way to manage your firewall: all things are dropped unless explicitly allowed.

  • What about the part where they say "I want to allow connections only from a set of specific IP addresses."? – Jeff Schaller Jun 04 '21 at 23:33
  • This is just a half-answer that's missing the part *that would actually satisfy the original requirement*. I agree that the principle to drop everything unless explicitly accepted is good, but you should at least provide a complete example. – telcoM Jun 07 '21 at 09:03
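The two answers above each give half of a working file: the first shows the per-address accept rules and the ordering that makes them work, the second the `policy drop` default. The shell script below is an added example, not code from either answerer or from the Redis or nftables projects. It generates one complete ruleset that combines both: the allowed clients go into a named nft set so the accept is a single rule, the input chain defaults to drop, and loopback plus established/related traffic are accepted first so the drop policy does not cut off replies to your own sessions. Assumptions: Redis listens on TCP 6379 and the clients are 1.1.1.1 and 2.2.2.2 as in the question; the SSH accept on TCP 22 is hypothetical, added only so a default-drop input chain does not lock you out of the box, and should be changed to whatever management access you actually need.

```shell
#!/bin/sh
# Added example (not from the original answers): emit a complete nftables rules
# file that merges the first answer's per-client accepts with the second
# answer's `policy drop`. Assumptions: Redis on TCP 6379, allowed clients are
# the addresses given in the question, and SSH on TCP 22 (hypothetical; adjust
# to your own management port) must remain reachable after the drop policy.

# gen_redis_ruleset PORT IP...
# Prints an nft rules file to stdout. The allowed sources become a named set,
# so the accept stays one rule however many clients you have.
gen_redis_ruleset() {
    port="$1"; shift
    # Build "1.1.1.1, 2.2.2.2" for the set's element list.
    elems=""
    for ip in "$@"; do
        elems="${elems:+$elems, }$ip"
    done
    cat <<EOF
#!/usr/sbin/nft -f

flush ruleset

table inet filter {
        set redis_clients {
                type ipv4_addr
                elements = { $elems }
        }
        chain input {
                type filter hook input priority 0; policy drop;
                # loopback and already-established traffic first: with a drop
                # policy, forgetting these cuts off replies to your own sessions
                iif lo accept
                ct state established,related accept
                ct state invalid drop
                # management access (hypothetical port; change to match your host)
                tcp dport 22 accept
                # redis only from the allowed clients; all other input hits policy drop
                ip saddr @redis_clients tcp dport $port accept
        }
        chain forward {
                type filter hook forward priority 0; policy drop;
        }
        chain output {
                type filter hook output priority 0;
        }
}
EOF
}

# count_redis_accepts FILE PORT
# Sanity check on a generated file: how many explicit accept rules name PORT.
# With the set-based rule the answer should be exactly 1.
count_redis_accepts() {
    grep -c "tcp dport $2 accept" "$1"
}

# Usage: write the file, syntax-check it without applying, then load and list.
#   gen_redis_ruleset 6379 1.1.1.1 2.2.2.2 > /etc/nftables.conf
#   nft -c -f /etc/nftables.conf    # parse only, changes nothing
#   nft -f /etc/nftables.conf
#   nft list ruleset
```

`nft -c -f` parses the file without touching the live ruleset, which is the check worth running before `nft -f` on a remote host, since a typo in a default-drop file can leave you with no rules or with every packet dropped. Note that `ip saddr` only matches IPv4, so in this `inet` table any IPv6 connection to Redis falls through to the drop policy, which is usually what you want; if the clients also connect over IPv6, add a second set of type `ip6_addr` and a matching `ip6 saddr` rule.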