Restricting MySQL 3306 port to localhost with IPTABLES

Question

I am trying to restrict MySQL 3306 port on a linux machine from making any connections to anything other than localhost to prevent outside attacks. i have the following code, i am not sure if it's correct:

iptables -A INPUT -p tcp -s localhost --dport 3306 -j ACCEPT

iptables -A OUTPUT -p tcp -s localhost --dport 3306 -j ACCEPT

iptables -A INPUT -p tcp --dport 3306 -j DROP

iptables -A OUTPUT -p tcp --dport 3306 -j DROP

my other question is - is it correct to only give localhost access? this is a standard dedicated centos webserver with more than 30 domains on it.

Answer 1

Why not just turn off networking with MySQL?

Add to my.cnf:

skip-networking

It's supposed to also give a negligible performance improvement by forcing connection through pipes, which skips over lots of tests used for the networking section. Please note you will need to use localhost, not 127.0.0.1, after the change.

Answer 2

iptables -A INPUT -p tcp --dport 3306 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT

The above rule is for converting two lines into single one.

Answer to your second question:

If you do not want to provide mysql access from other than localhost, then it is perfect to configure this way. Simple. :-)

Answer 3

iptables -A INPUT -p tcp --dport 3306 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
iptables -A INPUT -p tcp --dport 3306 -j DROP

If you want to remove the filtering, use this:

iptables -D INPUT -p tcp --dport 3306 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
iptables -D INPUT -p tcp --dport 3306 -j DROP

Note: Both might require root, so: sudo iptables (...)