1

I have a MySQL server running on port 3306 with a private IP: 10.64.30.117. I also have a web app running on another node with a private IP: 10.17.23.1.

I want the web app to be able to access the MySQL server but I don't want MySQL to be publicly available. (Both nodes have a public IP too).

I tried using UFW, but it seems to block everything. The ufw status command shows the following:

To                         Action      From
--                         ------      ----
3306                       DENY        Anywhere                  
3306                       ALLOW       10.0.0.0/8                
3306                       ALLOW       10.0.0.0/24               
3306 (v6)                  DENY        Anywhere (v6)  

The full ifconfig output looks as follows:

$ ifconfig
ens2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.64.30.117  netmask 255.255.255.254  broadcast 10.64.30.117
        inet6 2001:xxxx:xxxx:xxx::1  prefixlen 127  scopeid 0x0<global>
        inet6 fe80::dc1c:3cff:fe32:203b  prefixlen 64  scopeid 0x20<link>
        ether de:1c:3c:32:20:3b  txqueuelen 1000  (Ethernet)
        RX packets 363358  bytes 1082623290 (1.0 GB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 310592  bytes 37970748 (37.9 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 2844  bytes 779466 (779.4 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2844  bytes 779466 (779.4 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

NOTE: These private IPs can change and hence I cannot hardcode them.

Is there any other way to set it in UFW or iptables?

slm
  • 369,824
  • Have you tried blocking the public IP only??? – Fabby Apr 04 '19 at 00:04
  • 1
    Have you tried changing the order of your ufw rules so that DENY is after an acceptable ALLOW rule? You should also only need to ALLOW 10.0.0.0/8 as 10.0.0.0/24 is included in the /8. – GracefulRestart Apr 04 '19 at 00:07
  • 1
    Change the order of your rules so allow is first. – user1133275 Apr 04 '19 at 00:54
  • Why is a private IP address changing?? I assume only the public IP address from the provider changes, as is usual with smaller customers – Rui F Ribeiro Apr 04 '19 at 06:00
  • Private IP might change due to it being on the cloud. Ordering was the issue. @Fabby would like to know the rule to achieve this (I don't know what the CIDR might look like) – Avinash D'Silva Apr 04 '19 at 19:30

2 Answers

2

You don't say what distro you're using but I believe all your rules are stored in this file:

$ sudo cat /etc/ufw/user.rules

You should be able to rearrange the contents of this file so that your private CIDRs with the ALLOW rules come first with the DENY rules coming as the last items in the list. If you've succeeded in rearranging things the sudo ufw status command will show your rules like this:

3306                       ALLOW       10.0.0.0/8                
3306                       ALLOW       10.0.0.0/24               
3306                       DENY        Anywhere                  
3306 (v6)                  DENY        Anywhere (v6)  


slm
  • 369,824
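The reason the posted rule set blocks the web app is first-match evaluation: ufw (like the iptables chain it generates) walks the rules top to bottom and applies the first one that matches, so a DENY Anywhere rule on port 3306 placed first makes every ALLOW rule after it unreachable. The simulator below is an added example, not part of the answer and not ufw's own code; it models the two orderings as lists of (action, port, source CIDR) tuples, with "Anywhere" written as 0.0.0.0/0, and also reports rules that can never match because an earlier rule on the same port already covers their whole source range (which is why 10.0.0.0/24 is redundant next to 10.0.0.0/8, as noted in the comments). The client address 10.17.23.1 is the one from the question; 203.0.113.5 is a constructed public address.

```python
"""First-match evaluation of ufw-style rules (added example, not ufw code)."""
import ipaddress

# Rules as shown by `ufw status` in the question: DENY first, so the ALLOWs
# below it never get a chance to match. "Anywhere" is written as 0.0.0.0/0.
RULES_AS_POSTED = [
    ("DENY", 3306, "0.0.0.0/0"),
    ("ALLOW", 3306, "10.0.0.0/8"),
    ("ALLOW", 3306, "10.0.0.0/24"),
]

# The ordering the answer recommends: private-range ALLOWs first, DENY last.
RULES_REORDERED = [
    ("ALLOW", 3306, "10.0.0.0/8"),
    ("ALLOW", 3306, "10.0.0.0/24"),
    ("DENY", 3306, "0.0.0.0/0"),
]


def decide(rules, src, dport):
    """Return the action of the first rule matching (src, dport).

    'DEFAULT' means no rule matched and ufw's default incoming policy applies.
    """
    src_ip = ipaddress.ip_address(src)
    for action, port, cidr in rules:
        if port == dport and src_ip in ipaddress.ip_network(cidr):
            return action
    return "DEFAULT"


def shadowed_rules(rules):
    """Return the indexes of rules that can never match.

    A rule is shadowed when an earlier rule on the same port covers its whole
    source range; first-match semantics then make it dead configuration.
    """
    shadowed = []
    for i, (_, port, cidr) in enumerate(rules):
        net = ipaddress.ip_network(cidr)
        for _, earlier_port, earlier_cidr in rules[:i]:
            if earlier_port == port and net.subnet_of(ipaddress.ip_network(earlier_cidr)):
                shadowed.append(i)
                break
    return shadowed


if __name__ == "__main__":
    web_app = "10.17.23.1"        # the web node's private IP from the question
    stranger = "203.0.113.5"      # constructed public client
    for name, rules in (("as posted", RULES_AS_POSTED), ("reordered", RULES_REORDERED)):
        print(f"{name}: {web_app} -> {decide(rules, web_app, 3306)}, "
              f"{stranger} -> {decide(rules, stranger, 3306)}, "
              f"shadowed rule indexes {shadowed_rules(rules)}")
```

Running it shows the posted order denying 10.17.23.1 with both ALLOW rules dead, and the reordered set allowing the private client while still denying the public one; the /24 rule stays shadowed in both layouts and can be dropped. On a live host the same reordering is done with standard ufw commands rather than by hand-editing user.rules: `sudo ufw status numbered` to see positions, `sudo ufw delete <number>` to remove the misplaced rules, and `sudo ufw insert 1 allow from 10.0.0.0/8 to any port 3306 proto tcp` to put the ALLOW at the top (these are general ufw usage, not taken from the answer).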
0

An alternative (or complementary) tactic to firewalling is following the golden rule of not having unnecessary services/configurations, and so not having MySQL answering on a public address in the first place.

The advised strategy here is binding the MySQL daemon/service so that it only listens on the private IP address.

Edit my.cnf and use:

bind-address=10.64.30.117

As you mention that IP addresses change, as an alternative you can use this directive with a host name defined in /etc/hosts and change it before (re)starting MySQL (or use a private DNS name, if one exists).

Then restart the MySQL daemon, and the device won't listen for requests on other IP addresses anymore.

PS: As a bonus, this way you also won't have to worry about changes in the public IP address. As for private IP addresses changing, that has to be addressed either by coercing the network setup, with a virtual IP address, or by changing configuration files on the fly.

PPS: This principle is applicable to other services, like Tomcat behind a web server. You can also bind services to localhost only when the client resides on the same machine/VM.

Also, for dealing with IP address changes, see the related question "Method for acting on IP address change from the ISP?".

Rui F Ribeiro
  • 56,709
  • 26
  • 150
  • 232
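The answer's "change it before (re)starting MySQL" step, and the check that the result is what you wanted, can both be scripted. The following is an added example of mine, not from the answer or from MySQL: it picks the RFC 1918 address out of `ip -o -4 addr show` output and renders the bind-address line, refusing to produce anything if no private address is found (so a misconfigured host never silently falls back to 0.0.0.0), and then audits `ss -ltn` output for a MySQL listener still bound to all interfaces. Both command outputs are constructed samples, built from the question's 10.64.30.117/31 plus a public address from the 203.0.113.0/24 documentation range; the function names are my own.

```python
"""Derive bind-address from the current private IP and audit the listener.

Added example; not part of the answer and not MySQL's own tooling.
"""
import ipaddress
import re

# RFC 1918 ranges. Python's ip.is_private also counts loopback and link-local
# as private, so we test against the three networks explicitly.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in the shape of `ip -o -4 addr show` output. The private
# address and /31 prefix are the question's; the public one is a documentation
# address, not a real host.
IP_ADDR_SAMPLE = """\
1: lo    inet 127.0.0.1/8 scope host lo
2: ens2    inet 203.0.113.10/24 brd 203.0.113.255 scope global ens2
2: ens2    inet 10.64.30.117/31 brd 10.64.30.117 scope global ens2
"""

# Constructed sample in the shape of `ss -ltn` output. The first line shows the
# condition we want to catch: MySQL still bound to the wildcard address.
SS_SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      80            0.0.0.0:3306        0.0.0.0:*
LISTEN 0      128         127.0.0.1:6379        0.0.0.0:*
LISTEN 0      80       10.64.30.117:3306        0.0.0.0:*
LISTEN 0      128              [::]:22             [::]:*
"""


def parse_ip_addr(output):
    """Return the IPv4 interface addresses (with prefix) found in `ip -o -4 addr` output."""
    return re.findall(r"\binet (\d+\.\d+\.\d+\.\d+/\d+)", output)


def pick_private_address(addrs):
    """Return the first RFC 1918 address from addrs as a string, or None."""
    for a in addrs:
        ip = ipaddress.ip_interface(a).ip
        if any(ip in net for net in RFC1918):
            return str(ip)
    return None


def render_bind_address(ip_addr_output):
    """Render the my.cnf line for the host's private address.

    Raises instead of returning a wildcard: a script that regenerates my.cnf
    on every boot must fail loudly rather than expose the service.
    """
    ip = pick_private_address(parse_ip_addr(ip_addr_output))
    if ip is None:
        raise RuntimeError("no RFC 1918 address found; refusing to fall back to 0.0.0.0")
    return f"bind-address={ip}"


def wildcard_listeners(ss_output, port):
    """Return local addresses on `port` that are bound to every interface."""
    found = []
    for line in ss_output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4:
            continue
        addr, _, p = fields[3].rpartition(":")  # rpartition keeps IPv6 '[::]' intact
        if p != str(port):
            continue
        addr = addr.strip("[]")
        if addr in ("0.0.0.0", "::", "*"):
            found.append(addr)
    return found


if __name__ == "__main__":
    print(render_bind_address(IP_ADDR_SAMPLE))
    exposed = wildcard_listeners(SS_SAMPLE, 3306)
    print("wildcard MySQL listeners:", exposed or "none")
```

In use, the first function's output replaces the bind-address line before MySQL is (re)started, and the second runs after the restart against the real `ss -ltn` output; a non-empty result means the bind-address change did not take effect (wrong config file, a second instance, or a container publishing the port) and the firewall rule from the other answer is the only thing between MySQL and the internet.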