I’m setting up a shared database server in a data center and I don’t have any direct connections between the machines that are local (i.e. meaning they only connect between boxes and don’t let external traffic in), no firewalls, no routes or any networking goodies. These machines only have a single ethernet card that accepts connections from anywhere. So, my concern is that my new database server needs to allow the other servers in the cluster access to MySQL without opening it up to everyone in the world, which might allow hackers access. Instead, I want to lock things down so that only certain machines can connect to MySQL and everyone else is rejected.
In order to pull this off, I’m making use of iptables, which allow me to control how IP packets are handled by the kernel. There are loads of materials out there on iptables, so I won’t go into how it works exactly. Instead, I’ll just show you all how I did it. All these commands are run as root (via sudo or as root directly):
$ iptables -A INPUT -s <ip-of-current-box> -p tcp --dport 3306 -j ACCEPT
$ iptables -A INPUT -s <ip-of-other-box> -p tcp --dport 3306 -j ACCEPT
$ iptables -A INPUT -p tcp --dport 3306 -j DROP
This allows access on port 3306 (MySQL default) to only two IP addresses and drops all other traffic on the floor. I can add as many IPs as I want by repeating the second command with a different IP.