How to Mitigate MySQL Vulnerabilities with iptables Rules
This guide explains how to use Linux iptables to block or allow traffic to MySQL's port 3306, providing a practical workaround for several high‑severity CVE‑listed MySQL vulnerabilities that cannot be patched by upgrading in production environments.
Background
Growing network-security threats mean that security teams scan production hosts frequently, and several MySQL-related CVEs cannot be mitigated simply by upgrading the production service, for example:
Oracle MySQL cURL component input‑validation error (CVE‑2022‑32221)
MySQL denial‑of‑service vulnerability (CVE‑2023‑21912)
Oracle MySQL security flaw (CVE‑2022‑37434)
Oracle MySQL curl/libcURL security issue (CVE‑2023‑38545)
When upgrading MySQL is impractical, filtering traffic to the MySQL port with iptables is an indirect remediation: it reduces the exposure of the vulnerable service to the hosts that need it, although the vulnerable code itself remains on the server.
Using iptables to Restrict MySQL Access
First, verify that iptables is running and list the existing rules (numeric addresses, with packet and byte counters):
iptables -L -n -v
Rule Policy
iptables evaluates rules in order, and the first matching rule decides what happens to a packet, so earlier rules take priority. A common strategy is to allow trusted IP addresses to reach port 3306 and then drop or reject all other traffic to that port.
# Allow specific IPs to access MySQL (port 3306)
iptables -A INPUT -p tcp -s 127.0.0.1 --dport 3306 -j ACCEPT
iptables -A INPUT -p tcp -s 192.167.10.194 --dport 3306 -j ACCEPT
iptables -A INPUT -p tcp -s 192.167.10.197 --dport 3306 -j ACCEPT
iptables -A INPUT -p tcp -s 192.167.10.199 --dport 3306 -j ACCEPT
iptables -A INPUT -p tcp -s 192.167.10.196 --dport 3306 -j ACCEPT
# Block all other IPs from accessing port 3306
iptables -A INPUT -p tcp --dport 3306 -j DROP # or REJECT
Effect
Connections from the listed IPs (127.0.0.1, 192.167.10.194, 192.167.10.197, 192.167.10.199, 192.167.10.196) are allowed.
All other IP addresses are denied access to port 3306.
DROP vs REJECT
DROP : silently discards packets without sending a response. The sender sees no feedback, which helps hide the service, prevents port‑scanning visibility, and saves bandwidth.
REJECT : discards packets and sends an explicit rejection (e.g., ICMP error). The sender receives a clear “rejected” message, which is useful for informing legitimate users, speeding recovery, and debugging network rules.
Rule Insertion Order
Because iptables matches rules sequentially, the insertion point matters. Use the -I option to insert a rule before existing ones. Example – add an allow rule for 192.167.10.200 at the top of the INPUT chain:
iptables -I INPUT -p tcp -s 192.167.10.200 --dport 3306 -j ACCEPT
This ensures the new rule is evaluated before any later rules, including the final DROP; a rule appended with -A after the catch-all DROP would never be reached, because the DROP already matches every packet to port 3306. Note that rules added this way live only in kernel memory: save them with iptables-save (or the distribution's persistence mechanism) or they are lost at reboot.
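The allow-list procedure above, written as a repeatable script. This is an added example, not code from the original article: it generates the rules in evaluation order (ACCEPT rules inserted with -I, the catch-all appended with -A), guards each one with an "iptables -C" check so re-running never duplicates rules, and saves the result. The addresses in TRUSTED_SRCS are constructed samples, and /etc/iptables/rules.v4 is assumed to be the save path used by iptables-persistent.

```shell
#!/bin/sh
# Added example, not code from the original article: build the port-3306
# allow-list as an ordered, idempotent rule set and optionally apply it.
# Assumptions: TRUSTED_SRCS holds constructed sample addresses, and
# /etc/iptables/rules.v4 is the save path used by iptables-persistent.
MYSQL_PORT=3306
TRUSTED_SRCS="127.0.0.1 192.167.10.194 192.167.10.0/24"   # constructed sample

# Print one shell command per line, in evaluation order: the ACCEPT rules for
# trusted sources first, the catch-all DROP/REJECT last. ACCEPTs use -I so a
# source added on a later run still lands above an existing catch-all; the
# catch-all uses -A so it stays at the bottom. Every command is guarded by an
# "iptables -C ... ||" check so re-running never duplicates a rule.
# Returns 1 and prints nothing on stdout if the action is not DROP or REJECT.
mysql_rules() {
    action=$1; srcs=$2
    case "$action" in
        DROP)   target="-j DROP" ;;
        REJECT) target="-j REJECT --reject-with tcp-reset" ;;  # client gets a clean RST
        *)      echo "unknown action: $action" >&2; return 1 ;;
    esac
    for src in $srcs; do
        spec="INPUT -p tcp -s $src --dport $MYSQL_PORT -j ACCEPT"
        echo "iptables -C $spec 2>/dev/null || iptables -I $spec"
    done
    spec="INPUT -p tcp --dport $MYSQL_PORT $target"
    echo "iptables -C $spec 2>/dev/null || iptables -A $spec"
}

# Number of rules in a generated set: one per trusted source plus the catch-all.
rule_count() { mysql_rules "$1" "$2" | wc -l | tr -d ' '; }

# Apply only when asked explicitly (run as root); otherwise dry-run and print.
# iptables rules live in kernel memory, so save them or they vanish at reboot.
if [ "${1:-}" = "--apply" ]; then
    mysql_rules DROP "$TRUSTED_SRCS" | sh -e
    iptables-save > /etc/iptables/rules.v4
else
    mysql_rules DROP "$TRUSTED_SRCS"
fi
```

Run without arguments to review the generated commands; run with --apply as root to install and persist them.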
Reference: https://blog.csdn.net/m0_63004677/article/details/144269012
Liangxu Linux
Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)