使用IPTABLES将MySQL 3306端口限制为localhost [英] Restricting MySQL 3306 port to localhost with IPTABLES

问题描述

我试图限制Linux机器上的MySQL 3306端口与本地主机以外的其他任何主机建立连接，以防止外部攻击.我有以下代码，我不确定是否正确:

I am trying to restrict MySQL 3306 port on a linux machine from making any connections to anything other than localhost to prevent outside attacks. i have the following code, i am not sure if it's correct:

iptables -A INPUT -p tcp -s localhost --dport 3306 -j ACCEPT

iptables -A OUTPUT -p tcp -s localhost --dport 3306 -j ACCEPT

iptables -A INPUT -p tcp --dport 3306 -j DROP

iptables -A OUTPUT -p tcp --dport 3306 -j DROP

我的另一个问题是-仅授予本地主机访问权限是否正确?这是一个标准的专用centos网络服务器，上面有30多个域.

my other question is - is it correct to only give localhost access? this is a standard dedicated centos webserver with more than 30 domains on it.

推荐答案

为什么不只关闭与MySQL的联网?

Why not just turn off networking with MySQL?

添加到my.cnf:

skip-networking

通过强制通过管道进行的连接，它的性能改进也可以忽略不计，而跳过了用于网络部分的许多测试.请注意，更改后，您将需要使用localhost，而不是 127.0.0.1.

It's supposed to also give a negligible performance improvement by forcing connection through pipes, which skips over lots of tests used for the networking section. Please note you will need to use localhost, not 127.0.0.1, after the change.

这篇关于使用IPTABLES将MySQL 3306端口限制为localhost的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！