How to Use iptables to Mitigate MySQL Vulnerabilities Without Upgrading
With rising network security threats and unpatchable MySQL vulnerabilities in production, this guide shows how to configure Linux iptables rules to restrict traffic, allow specific IPs to access port 3306, and choose between DROP and REJECT actions to effectively protect your database.
Why iptables is needed for MySQL vulnerabilities
Network security threats are increasing, and many MySQL vulnerabilities reported by big‑data security centers cannot be fixed by upgrading services in production. Using Linux iptables to limit traffic and access rights provides an indirect way to remediate these issues.
List of reported MySQL vulnerabilities
Oracle MySQL cURL component input validation error (CVE-2022-32221)
MySQL denial‑of‑service vulnerability (CVE-2023-21912)
Oracle MySQL security vulnerability (CVE-2022-37434)
Oracle MySQL curl/libcURL security vulnerability (CVE-2023-38545)
Using iptables to block/allow traffic
Install iptables on CentOS (online or offline) and verify it is running:
iptables -L -n -v
Rule policy example
# iptables rules are order‑dependent
# Allow specific IPs to access port 3306
iptables -A INPUT -p tcp -s 127.0.0.1 --dport 3306 -j ACCEPT
iptables -A INPUT -p tcp -s 192.167.10.194 --dport 3306 -j ACCEPT
iptables -A INPUT -p tcp -s 192.167.10.197 --dport 3306 -j ACCEPT
iptables -A INPUT -p tcp -s 192.167.10.199 --dport 3306 -j ACCEPT
iptables -A INPUT -p tcp -s 192.167.10.196 --dport 3306 -j ACCEPT
# Drop all other IPs from accessing port 3306
iptables -A INPUT -p tcp --dport 3306 -j DROP
# or, instead of DROP, use REJECT to send an explicit refusal to the client
iptables -A INPUT -p tcp --dport 3306 -j REJECT
Result
Connections from the listed IP addresses are allowed.
All other IP addresses are denied access to port 3306.
Difference between DROP and REJECT
DROP
Function: Discards packets silently.
Effect: Sender receives no response, appearing as if the request was ignored.
Use cases:
Increase security – attacker cannot tell if the port is open.
Prevent port scanning – the port appears invisible.
Save bandwidth – no reply is sent.
REJECT
Function: Discards packets and sends an explicit rejection (e.g., ICMP error).
Effect: The sender receives explicit feedback that the connection was rejected.
Use cases:
Explicitly inform legitimate users that the port is unavailable.
Fast failure – the client gets an immediate error instead of waiting for a timeout and retrying.
Testing/debugging – helps verify network rules.
Inserting rules before existing ones
iptables matches rules in order, so insertion position matters. Use -I instead of -A to insert at the top of the INPUT chain:
iptables -I INPUT -p tcp -s 192.167.10.200 --dport 3306 -j ACCEPT
This places the new rule before all existing INPUT rules, so it is evaluated first and takes priority.
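The following script is an added example, not part of the original article: it generates the allowlist rule set above and models iptables' first-match evaluation so the -A versus -I ordering problem can be checked without root. The addresses are the article's; the 192.167.10.200 "new client" and the `any` marker for a rule with no -s match are assumptions of the model.

```shell
#!/bin/sh
# Added example (not from the original article). It generates the allowlist
# rule set for port 3306 and models iptables' first-match evaluation so the
# difference between -A (append) and -I (insert) can be checked without root.

MYSQL_PORT=3306
# Constructed allowlist: the same client addresses used in the article.
ALLOWED_IPS="127.0.0.1 192.167.10.194 192.167.10.197 192.167.10.199 192.167.10.196"

# Print the iptables commands: one ACCEPT per allowed source, then the
# catch-all for everyone else. $1 is the catch-all target (DROP or REJECT).
build_rules() {
    for ip in $ALLOWED_IPS; do
        printf 'iptables -A INPUT -p tcp -s %s --dport %s -j ACCEPT\n' "$ip" "$MYSQL_PORT"
    done
    printf 'iptables -A INPUT -p tcp --dport %s -j %s\n' "$MYSQL_PORT" "$1"
}

# Model of first-match evaluation for a TCP packet to port 3306.
# $1 is the source IP; the remaining args are chain entries "SRC:TARGET" in
# rule order, where SRC "any" stands for a rule with no -s match.
# Prints the target of the first matching rule, or POLICY if none matched.
verdict() {
    src=$1
    shift
    for rule in "$@"; do
        rule_src=${rule%%:*}
        target=${rule#*:}
        if [ "$rule_src" = any ] || [ "$rule_src" = "$src" ]; then
            printf '%s\n' "$target"
            return 0
        fi
    done
    printf 'POLICY\n'
}

# The article's chain as entries: ACCEPT per allowed IP, then catch-all $1.
policy_chain() {
    for ip in $ALLOWED_IPS; do printf '%s:ACCEPT ' "$ip"; done
    printf 'any:%s\n' "$1"
}

# A new client added with -A lands after the catch-all DROP and is never reached.
verdict_after_append() { verdict "$1" $(policy_chain DROP) 192.167.10.200:ACCEPT; }

# Added with -I instead, it becomes rule 1 and is matched before the DROP.
verdict_after_insert() { verdict "$1" 192.167.10.200:ACCEPT $(policy_chain DROP); }
```

On the database host, `build_rules DROP | sh` as root applies the set, and `iptables -L INPUT -n -v --line-numbers` shows the resulting order. Rules added this way do not survive a reboot unless saved with the distribution's iptables save mechanism.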
MaGe Linux Operations
Founded in 2009, MaGe Education is a top Chinese high‑end IT training brand. Its graduates earn 12K+ RMB salaries, and the school has trained tens of thousands of students. It offers high‑pay courses in Linux cloud operations, Python full‑stack, automation, data analysis, AI, and Go high‑concurrency architecture. Thanks to quality courses and a solid reputation, it has talent partnerships with numerous internet firms.