How to Mitigate MySQL CVEs with iptables: Practical Firewall Rules

As network security threats rise, unpatchable MySQL vulnerabilities can be mitigated by configuring iptables rules that whitelist trusted IPs for port 3306 and drop all other traffic, with clear guidance on rule ordering and the differences between DROP and REJECT actions.

Raymond Ops

With network security threats on the rise, scans by the security center are a regular occurrence, and many of the MySQL vulnerabilities they flag cannot be fixed by upgrading the service in production, for example:

Oracle MySQL cURL component input validation error (CVE‑2022‑32221)

MySQL denial‑of‑service vulnerability (CVE‑2023‑21912)

Oracle MySQL security vulnerability (CVE‑2022‑37434)

Oracle MySQL libcurl security vulnerability (CVE‑2023‑38545)

Because upgrading MySQL is often not an option, you can instead use iptables rules to restrict which hosts are allowed to reach the service at all, which effectively mitigates these flaws by removing their network exposure. iptables is a powerful, flexible Linux firewall that allows fine‑grained traffic control. The following sections show how to install, verify, and configure it.

Installation and verification

Install iptables on CentOS (online or offline), then confirm that it works and list the current rules with packet counters:

iptables -L -n -v

Rule strategy

Add ACCEPT rules for the specific IP addresses that need to reach MySQL’s port 3306, then add a final rule that drops all other traffic to that port. Because rules are matched in order, the ACCEPT rules must come before the catch‑all rule.

# Allow specific IPs
iptables -A INPUT -p tcp -s 127.0.0.1 --dport 3306 -j ACCEPT
iptables -A INPUT -p tcp -s 192.167.10.194 --dport 3306 -j ACCEPT
iptables -A INPUT -p tcp -s 192.167.10.197 --dport 3306 -j ACCEPT
iptables -A INPUT -p tcp -s 192.167.10.199 --dport 3306 -j ACCEPT
iptables -A INPUT -p tcp -s 192.167.10.196 --dport 3306 -j ACCEPT
# Drop all other traffic to port 3306 (silently)
iptables -A INPUT -p tcp --dport 3306 -j DROP

or, to send an explicit error back to the client instead:

iptables -A INPUT -p tcp --dport 3306 -j REJECT

Execution effect

Connections from the listed IPs (127.0.0.1, 192.167.10.194, 192.167.10.197, 192.167.10.199, 192.167.10.196) are allowed.

All other IP addresses are denied access to port 3306.

DROP vs REJECT

DROP

Function: Discards packets silently, sending no response.

Effect: The sender sees the request as ignored.

Use cases:

Reveals less to an attacker, since the lack of any reply does not indicate whether the port is open.

Makes port scanning slower and less informative (the port appears filtered rather than closed).

Saves bandwidth, as no response packets are generated.

REJECT

Function: Discards packets and sends a rejection response (by default an ICMP port‑unreachable error).

Effect: The sender receives explicit “rejected” feedback.

Use cases:

Clearly informs legitimate clients that the port is unavailable.

Lets clients fail immediately instead of waiting for a connection timeout and retrying.

Helpful for debugging network rules.

Rule order matters

iptables matches rules sequentially; earlier rules have higher priority. To insert a rule before existing INPUT chain rules, use the -I option instead of -A:

iptables -I INPUT -p tcp -s 192.167.10.200 --dport 3306 -j ACCEPT

This inserts the new rule at the top of the INPUT chain, ensuring it is evaluated before the other rules, in particular before the catch‑all DROP or REJECT rule that would otherwise shadow it.
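The following script is an added example, not part of the original article: it builds the port‑3306 allow‑list from the Rule strategy section, applies it so that re‑running does not duplicate rules, and checks the rule order described above by reading `iptables -S INPUT` output. The IP list and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original article. Builds the port-3306 allow-list
# described above, applies it idempotently, and checks that no ACCEPT rule is
# shadowed by an earlier DROP/REJECT. The IP list below is constructed sample data.
MYSQL_ALLOWED_IPS="127.0.0.1 192.167.10.194 192.167.10.197"
MYSQL_PORT=3306

# Print one rule specification per line (without the leading "iptables -A INPUT"):
# the ACCEPT rules first, then the catch-all. $1 selects the catch-all action:
# DROP discards silently; REJECT answers with a TCP RST so clients fail fast.
mysql_allowlist_rules() {
    for ip in $MYSQL_ALLOWED_IPS; do
        echo "-p tcp -s $ip --dport $MYSQL_PORT -j ACCEPT"
    done
    case "$1" in
        DROP)   echo "-p tcp --dport $MYSQL_PORT -j DROP" ;;
        REJECT) echo "-p tcp --dport $MYSQL_PORT -j REJECT --reject-with tcp-reset" ;;
        *)      echo "unknown action: $1 (use DROP or REJECT)" >&2; return 1 ;;
    esac
}

# Apply the rules (needs root). `iptables -C` tests whether an identical rule
# already exists, so re-running does not duplicate rules. ACCEPT rules are
# inserted at the top (-I) so they always precede a catch-all left over from an
# earlier run; the catch-all itself is appended (-A).
mysql_allowlist_apply() {
    mysql_allowlist_rules "$1" | while read -r spec; do
        # $spec is intentionally unquoted so it splits into separate arguments
        case "$spec" in
            *"-j ACCEPT") iptables -C INPUT $spec 2>/dev/null || iptables -I INPUT $spec ;;
            *)            iptables -C INPUT $spec 2>/dev/null || iptables -A INPUT $spec ;;
        esac
    done
    # Rules live in kernel memory only; on CentOS with iptables-services, persist
    # them with: service iptables save
}

# Check rule order from `iptables -S INPUT` output read on stdin: every ACCEPT
# for the MySQL port must come before the first DROP/REJECT for that port.
# Exit status 0 = ordered correctly, 1 = at least one ACCEPT is unreachable.
mysql_rules_ordered() {
    awk -v port="$MYSQL_PORT" '
        index($0, " --dport " port " ") {
            if ($0 ~ /-j (DROP|REJECT)/) seen_deny = 1
            else if ($0 ~ /-j ACCEPT/ && seen_deny) shadowed = 1
        }
        END { exit (shadowed ? 1 : 0) }'
}
# Usage (as root): mysql_allowlist_apply REJECT; iptables -S INPUT | mysql_rules_ordered && echo "order ok"
```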

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: firewall, Linux, mysql, CVE, network security, iptables

Written by Raymond Ops

Linux ops automation, cloud-native, Kubernetes, SRE, DevOps, Python, Golang and related tech discussions.
