Redis Software injects specific iptables rules into the raw table at startup to disable connection tracking on key ports for performance optimization.
This behavior improves throughput under load but can affect environments that rely on stateful firewall rules (for example, those matching NEW or ESTABLISHED connection states).
Covered: Quick Reference, iptables Rule Injection Details, View Current Rules, Prevent the Rules from Being Injected, Update Custom Firewall Rules, and Troubleshooting
Quick Reference
| Behavior | Impact | Resolution |
|---|---|---|
| Disables connection tracking for Redis ports | Stateful iptables rules may not match | Allow the UNTRACKED state in custom firewall rules, or create the skip flag to disable rule injection |
Prerequisites
- Access to a Redis Software cluster host
- Administrative privileges (sudo/root)
- Familiarity with iptables or nftables configuration
iptables Rule Injection Details
During startup, the rlec_supervisor (supervisord) service runs:
${sbindir}/systune.sh
This script adds rules to the iptables raw table to disable connection tracking for Redis service ports.
Connection tracking is disabled to reduce kernel overhead and improve performance in high-throughput deployments.
The following ports are affected:
| Port Range | Purpose |
|---|---|
| 3333–3339 | Internal cluster communication |
| 10000–19999 | Redis database endpoints |
The rules added to the raw table are:
```
-A PREROUTING -p tcp -m tcp --dport 10000:19999 -j CT --notrack
-A PREROUTING -p tcp -m tcp --dport 3333:3339 -j CT --notrack
-A OUTPUT -p tcp -m tcp --sport 10000:19999 -j CT --notrack
-A OUTPUT -p tcp -m tcp --sport 3333:3339 -j CT --notrack
```
These rules do not appear in the default iptables -L or iptables -S output, because those commands list only the filter table unless -t raw is specified.
View Current Rules
To view these injected rules, list the raw table directly:
iptables -nvL -t raw
Example output:
```
Chain PREROUTING (policy ACCEPT)
 pkts bytes target prot opt in  out source     destination
    0     0 CT     tcp  --  *   *   0.0.0.0/0  0.0.0.0/0   tcp dpts:10000:19999 CT notrack
  298 40654 CT     tcp  --  *   *   0.0.0.0/0  0.0.0.0/0   tcp dpts:3333:3339 CT notrack
```
Prevent the Rules from Being Injected
If your security or monitoring setup requires stateful firewall matching on these ports, you can prevent Redis Software from adding these rules.
To disable iptables rule injection:
touch ${confdir}/systune_skip_iptables.flag
This flag prevents the systune.sh script from modifying iptables at startup.
Note: The skip flag was introduced for Azure platform compatibility but can be used in any environment.
Update Custom Firewall Rules
If you prefer to keep Redis Software performance optimizations while maintaining compatibility with your rules, update your custom firewall rules to include the UNTRACKED state:
```
-A INPUT -p tcp -m state --state NEW,UNTRACKED -m tcp --dport 3333:3339 -j ACCEPT
-A INPUT -p tcp -m state --state NEW,UNTRACKED -m tcp --dport 10000:19999 -j ACCEPT
```
This allows traffic on Redis ports to remain untracked (for performance) while ensuring your rules still match correctly.
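The following audit script is an added example, not part of this article or of Redis Software. It parses iptables-save style output (here a constructed sample, not captured from a real host), lists the port ranges the raw table marks as untracked, and reports any stateful INPUT ACCEPT rule on those ports that omits UNTRACKED and so will never match Redis traffic. The function names are my own.

```shell
#!/bin/sh
# Constructed sample of `iptables-save` output: the four notrack rules this
# article describes, plus one INPUT rule that was not updated (NEW,ESTABLISHED)
# and one that was (NEW,UNTRACKED).
SAMPLE_RULES='*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 10000:19999 -j CT --notrack
-A PREROUTING -p tcp -m tcp --dport 3333:3339 -j CT --notrack
-A OUTPUT -p tcp -m tcp --sport 10000:19999 -j CT --notrack
-A OUTPUT -p tcp -m tcp --sport 3333:3339 -j CT --notrack
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 3333:3339 -j ACCEPT
-A INPUT -p tcp -m state --state NEW,UNTRACKED -m tcp --dport 10000:19999 -j ACCEPT
COMMIT'

# Print each destination port range that the raw table exempts from
# connection tracking, one per line (hypothetical helper name).
notrack_ports() {
  printf '%s\n' "$1" | awk '
    /^\*/ { table = $1 }
    table == "*raw" && /-j CT --notrack/ {
      for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i + 1)
    }'
}

# For every untracked port range, print stateful INPUT rules in the filter
# table whose --state list lacks UNTRACKED (hypothetical helper name).
stateful_rules_missing_untracked() {
  rules=$1
  for range in $(notrack_ports "$rules"); do
    printf '%s\n' "$rules" | awk -v r="$range" '
      /^\*/ { table = $1 }
      table == "*filter" && /^-A INPUT/ && /--state/ && index($0, "--dport " r) {
        for (i = 1; i <= NF; i++)
          if ($i == "--state" && $(i + 1) !~ /UNTRACKED/) print $0
      }'
  done
}
```

On a live cluster host, replace the constructed sample with the real ruleset, e.g. `stateful_rules_missing_untracked "$(iptables-save)"`.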
Troubleshooting
Symptom:
Firewall rules relying on NEW or ESTABLISHED states fail to match Redis ports (3333–3339 or 10000–19999), resulting in dropped or blocked packets.
Cause:
Redis Software disables connection tracking for these ports during startup.
Resolution Options:
- Create the systune_skip_iptables.flag file to disable rule injection.
- Modify custom firewall rules to include the UNTRACKED state.