I am trying to restrict MySQL 3306 port on a linux machine from making any connections to anything other than localhost to prevent outside attacks. i have the following code, i am not sure if it's correct:
iptables -A INPUT -p tcp -s localhost --dport 3306 -j ACCEPT iptables -A OUTPUT -p tcp -s localhost --dport 3306 -j ACCEPT iptables -A INPUT -p tcp --dport 3306 -j DROP iptables -A OUTPUT -p tcp --dport 3306 -j DROP
my other question is - is it correct to only give localhost access? this is a standard dedicated centos webserver with more than 30 domains on it.
Why not just turn off networking with MySQL?
Add to my.cnf:
skip-networking
It's supposed to also give a negligible performance improvement by forcing connection through pipes, which skips over lots of tests used for the networking section. Please note you will need to use localhost, not 127.0.0.1, after the change.