
I have set up two KVM servers with a local hosting service. They provide me with one public IP per server. I installed mysql-server 8 on one of them. Before describing the issue, here's the result I'm hoping for: 1) the second server should be able to connect to MySQL on the first server; 2) I should not be able to connect from my laptop, which isn't on the same network. I.e. I only want the port (3306) to be open to the local network.

I have not yet set the MySQL bind address or created users in MySQL. But I think I need to do the firewall first based on the below.

Currently, when I run

mysql -h -u root -p

I get the same result on my laptop and on the second server:

ERROR 1130: Host is not allowed to connect ...

This is expected on the second server (because I haven't added user permissions in MySQL), but from my laptop I would expect it to just refuse a connection outright. If relevant, ping also receives responses from my laptop and the second server.

I think I need to use ufw to block connections from the internet. How do I do this while still allowing connections on the local network? I can run an ifconfig as well. Help appreciated, thanks.

Neil

2 Answers


To check the current status of ufw:

sudo ufw status verbose

By default, UFW is set to deny all incoming connections and allow all outgoing connections. If for some reason it is not, you can use this command:

sudo ufw default deny incoming

Next, to allow incoming MySQL connections from a specific IP address or subnet, specify the source. The subnet given to you by your service provider would work here. For example:

sudo ufw allow from 11.22.33.0/24 to any port 3306

For just a single IP address:

sudo ufw allow from 11.22.33.44 to any port 3306
Bert
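The steps in this answer, put together as one script. This is an added example, not code from the answer or from ufw itself; the addresses 11.22.33.0/24 and 11.22.33.44 are the placeholders the answer uses, and the SSH port, the MySQL port and the rule order are assumptions. Two points the answer leaves implicit are built in: SSH is allowed before `default deny incoming` takes effect, because enabling ufw with that policy on a box you only reach over SSH locks you out; and the source is validated, because an empty or mistyped variable in `allow from $src` must not silently widen the rule. Note also that the /24 handed out by the provider is shared with the provider's other customers, so if the second server is the only legitimate client, the single-address rule is the one that matches the question's goal. Set `UFW=echo` to dry-run the rule set without root.

```shell
#!/bin/sh
# Added example (not from the original answer): build and apply the ufw rule
# set for the scenario in the question. Assumed values: the client is
# 11.22.33.44 or the 11.22.33.0/24 subnet (placeholders from the answer),
# SSH listens on 22 and MySQL on 3306. UFW=echo dry-runs without root.
UFW="${UFW:-sudo ufw}"
SSH_PORT=22
MYSQL_PORT=3306

# Accept only a dotted-quad IPv4 address with an optional /prefix, so a
# typo or an empty variable cannot turn the rule into "allow from any".
valid_source() {
    case "$1" in
        *[!0-9./]*|"") return 1 ;;
    esac
    ip=${1%%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32          # no /prefix given: single host
    [ "$prefix" -ge 0 ] 2>/dev/null && [ "$prefix" -le 32 ] || return 1
    set -- $(printf '%s' "$ip" | tr . ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -ge 0 ] 2>/dev/null && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Print the rules in the order they must be applied. SSH comes first so the
# default-deny policy never cuts off the session that is applying it.
# "proto tcp" keeps the MySQL rule from also opening 3306/udp.
ufw_rules() {
    src="$1"
    valid_source "$src" || { echo "refusing source '$src'" >&2; return 1; }
    cat <<EOF
default deny incoming
default allow outgoing
allow $SSH_PORT/tcp
allow from $src to any port $MYSQL_PORT proto tcp
EOF
}

# Run each rule as its own ufw invocation, then enable (--force skips the
# interactive prompt) and show the resulting policy.
apply_rules() {
    rules=$(ufw_rules "$1") || return 1
    printf '%s\n' "$rules" | while IFS= read -r rule; do
        $UFW $rule
    done
    $UFW --force enable
    $UFW status verbose
}

# Usage on the MySQL server:  sh harden-mysql-fw.sh 11.22.33.44
[ $# -eq 1 ] && apply_rules "$1"
```

After this, a `mysql -h <server>` from the laptop will hang and time out rather than be refused: ufw's `deny` policy drops packets silently. If you want the connection refused outright, use `sudo ufw reject` rules instead of `deny`. The ERROR 1130 the laptop currently sees comes from MySQL itself, after the TCP connection has already succeeded, which is why the firewall has to sit in front of the GRANTs rather than replace them.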

Within MySQL you can use GRANTs to control some or all of what you are asking for.

The source can be

  • localhost -- referring to a socket connection on the same server
  • host.name -- some specific host name or wild card. % is dangerous
  • 11.22.33.44 -- some IP address or wild card.

See the documentation for more discussion.

Rick James