
Remote Mysql drop all connections and allow only localhost and IP address

I have enabled remote MySQL by editing /etc/mysql/mysql.conf.d/mysqld.cnf:

    bind-address = 0.0.0.0

Now I can access MySQL via any remote IP.

What I want is to disable all connections to my MySQL with iptables and enable only access from localhost and one IP address. I did the following:

/sbin/iptables -A INPUT -p tcp -d 127.0.0.1 --dport 3306 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -d 16x.xxx.xx.xx --dport 3306 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 3306 -j DROP

The following code will drop all connections and won't accept localhost or the remote IP. I'm using Ubuntu 16.10.


EDIT: I've also tried a chain:

iptables -N mysql
iptables -A mysql --src 127.0.0.1 -j ACCEPT
iptables -A mysql --src 14x.xxx.xx.xx -j ACCEPT
iptables -A mysql -j DROP
iptables -I INPUT -m tcp -p tcp --dport 3306 -j mysql

After the DROP line, in every possible way, the port is blocked.

The order of the rules is not correct.

The line

/sbin/iptables -A INPUT -p tcp --dport 3306 -j DROP

should come last.

The rule

2 ACCEPT tcp -- 14x.xxx.xxx.xx 14x.xxx.xxx.xx tcp dpt:3306

doesn't look right. It looks like the source and destination IP addresses are the same. You have to whitelist the IP address of the server which you are connecting from.

In order to identify the IP address, add the following iptables rule before the drop rule:

iptables -I INPUT -m tcp -p tcp --dport 3306 -m limit --limit 5/min -j LOG --log-prefix "Mysql access log: "

The log goes to dmesg and syslog (/var/log/syslog on Ubuntu) and looks like this:

Nov 28 08:55:57 myServer kernel: Mysql access log: IN=eth0 OUT= MAC=00:19:99:ce:15:cb:b0:c6:9a:67:d6:81:08:00 SRC=1.2.3.4 DST=5.6.7.8 LEN=60 TOS=0x10  PREC=0x00 TTL=56 ID=63880 DF PROTO=TCP SPT=40807 DPT=3306 WINDOW=14600 RES=0x00 SYN URGP=0 

In my example the source IP address which should be whitelisted is 1.2.3.4.
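The following script is an added example, not part of the question or the answer above: it puts the rules in the order the answer describes (ACCEPT rules matching the client's source address first, the LOG rule next, DROP last) and extracts the SRC= field from a kernel LOG line so the whitelisted address does not have to be guessed. IPT defaults to a dry-run printer; the log line is a constructed sample with the same shape as the one in the answer.

```shell
#!/bin/sh
# Added example (not the original poster's or answerer's code).
# IPT defaults to a dry run that prints the rule instead of applying it;
# set IPT=/sbin/iptables on the real server (assumption: no earlier rule
# in INPUT already matches port 3306; check with
# "iptables -L INPUT -n --line-numbers" before appending).
dry_run() { printf '%s\n' "$*"; }
IPT="${IPT:-dry_run}"

# Emit the rules in the correct order. The ACCEPT rules match the
# *source* address (-s) of the client, not the destination (-d); the
# DROP rule comes last so it only catches what nothing above accepted.
mysql_rules() {
    client_ip="$1"   # the address that shows up as SRC= in the log
    $IPT -A INPUT -p tcp -s 127.0.0.1 --dport 3306 -j ACCEPT
    $IPT -A INPUT -p tcp -s "$client_ip" --dport 3306 -j ACCEPT
    $IPT -A INPUT -p tcp --dport 3306 -m limit --limit 5/min \
        -j LOG --log-prefix "Mysql access log: "
    $IPT -A INPUT -p tcp --dport 3306 -j DROP
}

# Pull the SRC= address out of a kernel LOG line from /var/log/syslog.
log_src() {
    printf '%s\n' "$1" | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p'
}

# Constructed sample log line (same fields as the answer's example).
SAMPLE='Nov 28 08:55:57 myServer kernel: Mysql access log: IN=eth0 OUT= SRC=1.2.3.4 DST=5.6.7.8 LEN=60 PROTO=TCP SPT=40807 DPT=3306 SYN'

# Dry run: find the client address in the log, then print the rule set.
src=$(log_src "$SAMPLE")
mysql_rules "$src"
```

Run it once with the default dry run to review the order, then with IPT=/sbin/iptables as root to apply it.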
