Patch MySQL Vulnerabilities with iptables Firewall Rules
This guide explains how to mitigate several MySQL-related security flaws—such as CVE-2022-32221, CVE-2023-21912, and CVE-2022-37434—by configuring iptables rules to restrict traffic, illustrating command usage, rule ordering, and the differences between DROP and REJECT actions.
As network security threats increase, many vulnerabilities reported by big‑data security centers cannot be fixed by upgrading services in production. Examples include:
Oracle MySQL cURL component input validation error (CVE-2022-32221)
MySQL denial‑of‑service vulnerability (CVE-2023-21912)
Oracle MySQL security vulnerability (CVE-2022-37434)
Oracle MySQL curl/libcURL security vulnerability (CVE-2023-38545)
Since upgrading MySQL in a production environment is often impractical, you can use iptables rules to limit traffic and indirectly remediate these issues. iptables is a powerful, flexible firewall tool on Linux that enables fine‑grained traffic control.
Install iptables (CentOS online or offline) and verify that it is running. To view existing rules, run:
iptables -L -n -vRule Policy
# iptables rules have order dependency
# Allow specific IP addresses to access port 3306
iptables -A INPUT -p tcp -s 127.0.0.1 --dport 3306 -j ACCEPT
iptables -A INPUT -p tcp -s 192.167.10.194 --dport 3306 -j ACCEPT
iptables -A INPUT -p tcp -s 192.167.10.197 --dport 3306 -j ACCEPT
iptables -A INPUT -p tcp -s 192.167.10.199 --dport 3306 -j ACCEPT
iptables -A INPUT -p tcp -s 192.167.10.196 --dport 3306 -j ACCEPT
# Drop all other IP addresses from accessing port 3306
iptables -A INPUT -p tcp --dport 3306 -j DROP
# or
iptables -A INPUT -p tcp --dport 3306 -j REJECTExecution Effect
Connections from 127.0.0.1, 192.167.10.194, 192.167.10.197, 192.167.10.199, and 192.167.10.196 are allowed.
All other IP addresses are denied access to port 3306.
Difference Between DROP and REJECT
1. DROP
Function: Directly discards packets without sending any response.
Effect: From the sender’s perspective, the request appears ignored.
Applicable scenarios: Increases security by hiding open ports, prevents port scanning, and saves bandwidth.
2. REJECT
Function: Discards packets and sends a rejection response (e.g., ICMP error).
Effect: The sender receives explicit “reject” feedback.
Applicable scenarios: Clearly informs legitimate users that the port is unavailable, enables quick recovery, and aids debugging. iptables matches rules sequentially, so earlier rules have higher priority. To insert a rule before existing INPUT chain rules, use the -I option:
iptables -I INPUT -p tcp -s 192.167.10.200 --dport 3306 -j ACCEPTSigned-in readers can open the original source through BestHub's protected redirect.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.
MaGe Linux Operations
Founded in 2009, MaGe Education is a top Chinese high‑end IT training brand. Its graduates earn 12K+ RMB salaries, and the school has trained tens of thousands of students. It offers high‑pay courses in Linux cloud operations, Python full‑stack, automation, data analysis, AI, and Go high‑concurrency architecture. Thanks to quality courses and a solid reputation, it has talent partnerships with numerous internet firms.
How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.