How do I allow access to the database from a fixed IP using iptables?

The current state of the filter table:

 $ sudo iptables-save -t filter
 # Generated by iptables-save v1.4.21 on Thu Jul 28 20:40:23 2016
 *filter
 :INPUT ACCEPT [2:80]
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
 -A INPUT -i lo -j ACCEPT
 -A INPUT -d 127.0.0.0/8 -j REJECT --reject-with icmp-port-unreachable
 -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
 -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
 -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
 -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
 -A INPUT -j REJECT --reject-with icmp-port-unreachable
 -A FORWARD -j REJECT --reject-with icmp-port-unreachable
 -A OUTPUT -j ACCEPT
 COMMIT
 # Completed on Thu Jul 28 20:40:23 2016
  • the answer depends on the current contents and the policy of the filter table. Attach the output of $ sudo iptables-save -t filter to the question. - aleksandr barakin
  • @alexanderbarakin attached the iptables rules - JamesJGoodwin

2 answers

if the ACCEPT policy is set for the filter table (the :INPUT ACCEPT line in the iptables-save output) and there are no other rules in the table, then something like this:

 $ sudo iptables -A INPUT -p tcp \! -s ip-address --dport port -j REJECT 

i.e., reject all packets arriving over tcp to the specified port that do not come from the specified ip-address.

but in your particular case, given that the INPUT chain ends with a rule whose target is REJECT (the -A INPUT -j REJECT ... line in the iptables-save output), this netfilter rule (with its logic inverted) should be added not at the end of the INPUT chain (which is what the -A command does) but somewhere above that final rule, for example at the very beginning of the chain (using the -I command without a position argument):

 $ sudo iptables -I INPUT -p tcp -s ip-address --dport port -j ACCEPT 

i.e., accept all packets arriving over tcp from the specified ip-address to the specified port.
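The ordering point made in this answer, as an added example that is not part of the original answer: a POSIX shell script that inserts the ACCEPT rule with -I and checks, against iptables-save output, that it lands above the chain's catch-all REJECT. The database port 3306, the client address 203.0.113.10 and the function names are assumptions; the sample ruleset is the one posted in the question.

```shell
#!/bin/sh
# Added example, not code from the original answer. An ACCEPT for the database
# client has to sit above the chain's catch-all REJECT, so it is inserted with
# -I and its position is verified against iptables-save output.
# Assumptions (not from the page): MySQL on tcp/3306, client 203.0.113.10 (a
# documentation-range placeholder), rules in the filter table as in the question.

DB_PORT=3306
CLIENT_IP=203.0.113.10

# One rule body shared by -C (check), -I (insert) and -D (delete), so all three
# refer to exactly the same rule. Word splitting of the result is intended.
rule_args() {          # $1 = client IP, $2 = port
  printf '%s' "INPUT -p tcp -s $1 --dport $2 -j ACCEPT"
}

# 1-based position of the first INPUT rule that rejects or drops everything
# (no match options, only a target); 0 if there is none. iptables-save on stdin.
first_catchall_index() {
  awk '/^-A INPUT / { n++; if (!f && $0 ~ /^-A INPUT -j (REJECT|DROP)/) f = n }
       END { print f + 0 }'
}

# 1-based position of the ACCEPT rule for ip/port; 0 if absent. iptables-save
# prints a host address as ip/32 and may reorder options, so match by content.
allow_index() {        # $1 = client IP, $2 = port; iptables-save on stdin
  awk -v ip="$1" -v port="$2" '
    /^-A INPUT / {
      n++
      if (!f && (index($0, " -s " ip " ") || index($0, " -s " ip "/32 ")) &&
          index($0, " --dport " port " ") && index($0, " -j ACCEPT")) f = n
    }
    END { print f + 0 }'
}

# Succeeds when the allow rule exists and is evaluated before the catch-all.
# Only the catch-all is considered; a narrower REJECT above it would still win.
rule_is_effective() {  # $1 = iptables-save text, $2 = client IP, $3 = port
  a=$(printf '%s\n' "$1" | allow_index "$2" "$3")
  r=$(printf '%s\n' "$1" | first_catchall_index)
  [ "$a" -gt 0 ] && { [ "$r" -eq 0 ] || [ "$a" -lt "$r" ]; }
}

# Live change (needs root): idempotent insert at the top of INPUT, then re-check.
# Only runs when the script is invoked with --apply.
apply_rule() {         # $1 = client IP, $2 = port
  if iptables -C $(rule_args "$1" "$2") 2>/dev/null; then
    echo "rule already present"
  else
    iptables -I $(rule_args "$1" "$2")
  fi
  rule_is_effective "$(iptables-save -t filter)" "$1" "$2"
}

# Constructed sample: the INPUT rules from the question, as iptables-save prints them.
SAMPLE_BEFORE='-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT --reject-with icmp-port-unreachable'

# The new rule as iptables-save would print it, placed where -I and -A would put it.
ALLOW_LINE="-A INPUT -s $CLIENT_IP/32 -p tcp -m tcp --dport $DB_PORT -j ACCEPT"
AFTER_I=$(printf '%s\n%s' "$ALLOW_LINE" "$SAMPLE_BEFORE")
AFTER_A=$(printf '%s\n%s' "$SAMPLE_BEFORE" "$ALLOW_LINE")

report() {             # $1 = label, $2 = iptables-save text
  if rule_is_effective "$2" "$CLIENT_IP" "$DB_PORT"; then
    echo "$1: $CLIENT_IP can reach tcp/$DB_PORT"
  else
    echo "$1: $CLIENT_IP is still rejected"
  fi
}

report "current ruleset  " "$SAMPLE_BEFORE"
report "after iptables -I" "$AFTER_I"
report "after iptables -A" "$AFTER_A"

if [ "${1:-}" = "--apply" ]; then
  apply_rule "$CLIENT_IP" "$DB_PORT"
fi
```

Run it as-is to see the offline check on the question's ruleset with the rule at the top (where -I places it) versus at the bottom (where -A would put it, behind the final REJECT); run it with --apply as root to make the live change. Two caveats: the check only looks at the unconditional REJECT/DROP, so a narrower REJECT for the same port earlier in the chain would still have to be removed by hand, and -s matches the source address as the server sees it, so a client behind NAT needs its translated address.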

    As far as I understand, we are talking about MySQL. Maybe I am not aware of the specifics of this case, but why not use the tool that MySQL provides for exactly this purpose, the GRANT command? Here is what is written about it:

    In order to be able to define the rights of users connecting from specific computers, MySQL allows the user name (user_name) to be specified in the form user@host.

    You can put % in place of user to allow any user to connect from that host.