MySQL: Allowing MySQL Connections


MySQL (http://www.mysql.com) is one of the most popular open source databases in use today. It uses the fixed TCP port 3306 and, as of MySQL 4.0.x, supports SSL encapsulation and X.509 certificate authentication. Even with this added transport layer security, you'll want to protect your MySQL service from bad guys. However, you also might have a number of DBAs who will want to connect to this service, so a name-based allow chain (one user-defined chain that lists the permitted clients) would prove a good strategy to keep your administrative overhead from getting too far out of control.

This first example assumes you're using host-based firewall rules and only want the systems 11.22.33.44 and 22.33.44.55 to be able to connect directly to your MySQL service:

 # USERS: permitted clients RETURN to the calling chain, everyone else is dropped
 $IPTABLES -N USERS
 $IPTABLES -N MYSQLSERVER
 $IPTABLES -A USERS -s 11.22.33.44 -j RETURN
 $IPTABLES -A USERS -s 22.33.44.55 -j RETURN
 $IPTABLES -A USERS -j DROP
 # MYSQLSERVER: check the source first, then allow only the MySQL port
 $IPTABLES -A MYSQLSERVER -j USERS
 $IPTABLES -A MYSQLSERVER -p tcp --dport 3306 -j ACCEPT
 $IPTABLES -A MYSQLSERVER -j DROP

Assuming you're running MySQL on a server in the DMZ 192.168.1.0/24 with the IP address of 192.168.1.22 and using the previous allow list, you would use a ruleset like this:

 # where eth0 is the external interface (Internet)
 # where eth1 is the internal interface (10.10.10.0/24) with the IP 10.10.10.1
 # where eth2 is the DMZ interface (192.168.1.0/24) with the IP 192.168.1.1
 EXTERNAL=eth0
 INTERNAL=eth1
 DMZ=eth2
 DBSERVER=192.168.1.22

 # same allow list as before
 $IPTABLES -N USERS
 $IPTABLES -A USERS -s 11.22.33.44 -j RETURN
 $IPTABLES -A USERS -s 22.33.44.55 -j RETURN
 $IPTABLES -A USERS -j DROP

 # Host-B rules: check the source, then accept the forwarded connection
 $IPTABLES -A FORWARD -i $EXTERNAL -o $DMZ -p tcp \
       --dport 3306 -m state \
       --state NEW,ESTABLISHED,RELATED -j USERS
 $IPTABLES -A FORWARD -i $EXTERNAL -o $DMZ -p tcp \
       --dport 3306 -m state \
       --state NEW,ESTABLISHED,RELATED -j ACCEPT
 # rewrite the destination so the public address reaches the DMZ server
 $IPTABLES -t nat -A PREROUTING -i $EXTERNAL -p tcp \
       --dport 3306 -j DNAT --to-destination $DBSERVER
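The two rulesets above differ only in where the allow chain is hooked in (INPUT on the database host, FORWARD plus DNAT on the DMZ gateway). The script below is an added example, not code from the book, that builds the USERS chain from a list of client addresses or names and emits either variant as iptables commands you can review before loading. The iptables path, the interface names, the DBSERVER address and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the book: build the USERS allow chain from a
# list of permitted client addresses or host names and hook it into either a
# host firewall (INPUT) or a DMZ gateway (FORWARD + DNAT), then print the
# resulting commands for review before loading them.
# All variable defaults below are assumptions; adjust them for your network.

IPTABLES="${IPTABLES:-/sbin/iptables}"   # assumed path to the iptables binary
MYSQL_PORT=3306
EXTERNAL="${EXTERNAL:-eth0}"             # Internet-facing interface (gateway mode)
DMZ="${DMZ:-eth2}"                       # DMZ interface (gateway mode)
DBSERVER="${DBSERVER:-192.168.1.22}"     # MySQL server inside the DMZ (gateway mode)

# mysql_rules MODE "host1 host2 ..."
#   MODE is "host" (MySQL runs on this box) or "gateway" (MySQL is behind this box).
#   Prints the iptables commands instead of running them, so the ruleset can be
#   inspected or diffed first. Host names are resolved by iptables when the rule
#   is loaded, so re-run this after a DNS change.
mysql_rules() {
    mode="$1"
    allow_list="$2"

    # USERS: permitted sources RETURN to the caller, anything else is dropped.
    echo "$IPTABLES -N USERS"
    for client in $allow_list; do
        echo "$IPTABLES -A USERS -s $client -j RETURN"
    done
    echo "$IPTABLES -A USERS -j DROP"

    case "$mode" in
    host)
        # MYSQLSERVER: source check first, then allow the MySQL port.
        echo "$IPTABLES -N MYSQLSERVER"
        echo "$IPTABLES -A MYSQLSERVER -j USERS"
        echo "$IPTABLES -A MYSQLSERVER -p tcp --dport $MYSQL_PORT -j ACCEPT"
        echo "$IPTABLES -A MYSQLSERVER -j DROP"
        # Every packet addressed to the MySQL port passes through the chain.
        echo "$IPTABLES -A INPUT -p tcp --dport $MYSQL_PORT -j MYSQLSERVER"
        ;;
    gateway)
        # Inbound: check the source, then accept the connection into the DMZ.
        echo "$IPTABLES -A FORWARD -i $EXTERNAL -o $DMZ -p tcp --dport $MYSQL_PORT -m state --state NEW,ESTABLISHED,RELATED -j USERS"
        echo "$IPTABLES -A FORWARD -i $EXTERNAL -o $DMZ -p tcp --dport $MYSQL_PORT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
        # Replies from the DB server back to the client; drop this line if a
        # generic ESTABLISHED,RELATED rule already exists in FORWARD.
        echo "$IPTABLES -A FORWARD -i $DMZ -o $EXTERNAL -p tcp --sport $MYSQL_PORT -m state --state ESTABLISHED,RELATED -j ACCEPT"
        # Rewrite the destination so the public address reaches the DMZ server.
        echo "$IPTABLES -t nat -A PREROUTING -i $EXTERNAL -p tcp --dport $MYSQL_PORT -j DNAT --to-destination $DBSERVER"
        ;;
    *)
        echo "usage: mysql_rules host|gateway \"client1 client2 ...\"" >&2
        return 1
        ;;
    esac
}

# Load the generated rules for real (needs root).
apply_mysql_rules() {
    mysql_rules "$1" "$2" | sh
}

# Constructed sample allow list using the two addresses from the text.
ALLOWED_CLIENTS="11.22.33.44 22.33.44.55"

# Dry run for a host firewall; nothing is changed on the system.
mysql_rules host "$ALLOWED_CLIENTS"
```

After loading, confirm the chain looks the way you expect with `iptables -L USERS -n -v --line-numbers` (the packet counters on the RETURN entries show which clients are actually connecting) and, for the gateway variant, `iptables -t nat -L PREROUTING -n`. Keeping the allow list in one chain means adding a DBA is a single `-I USERS` rule rather than a change to every MySQL rule.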



    Troubleshooting Linux Firewalls
    ISBN: 321227239
    Year: 2004
    Pages: 169