Here’s a quick guide for configuring a Firewall for Ubuntu 14.
The source of this guide is: https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-14-04
And I’d highly recommend checking it out.
Frankly the guide posted here is meant for personal use, but it may prove useful to others.
In order to configure MySQL to bind to multiple IP addresses, you cannot use the bind-address setting in my.cnf.
Instead, you must leave bind-address set to 0.0.0.0 (the default if none is specified in the config) and then configure the firewall to restrict which IP addresses can reach the MySQL port.
Below is a fairly typical configuration for a web server running on Ubuntu with MySQL.
This can be useful if you wish to enable multiple clients other than localhost to have access to the database without making the database accessible to just anyone.
First check the current status (perhaps you already have a firewall enabled?)
sudo ufw status verbose
It should say inactive if it was never activated before.
If you get an error then you may need to run:
sudo apt-get install ufw
If you have an inactive firewall then you can perform the remaining commands to configure it.
Note that these commands don’t go into effect until you enable the firewall, which should NOT be done until the firewall is fully configured.
This is so that, for example, you don’t lock yourself out of access via SSH.
sudo ufw default deny incoming
sudo ufw default allow outgoing
These commands will block ALL incoming connections, BUT they will allow all outgoing connections.
This is a great default starting point. It means that if we don’t whitelist something for incoming traffic, it isn’t allowed.
We’ll need to allow some basic defaults:
sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow https
Now to address the MySQL purpose:
sudo ufw allow from 127.0.0.1 to any port 3306
The “to any” part isn’t a reference to the client’s IP address!
It’s actually part of “to any port ####”, which is just the syntax used for the port itself.
The command says: allow incoming connections to port 3306 from the IP address 127.0.0.1 (only).
With that said, if you wish to allow any other IP addresses, for example 188.8.131.52, you can use:
sudo ufw allow from 184.108.40.206 to any port 3306
You can also use a subnet mask to allow an entire range of addresses:
sudo ufw allow from 220.127.116.11/15 to any port 3306
Once you have the firewall configuration complete, it is finally time to enable the firewall.
You may receive a warning that some connections may be stopped (such as the current SSH session, if you’re using one).
That’s the part where you may wish to panic, and run the command to enable SSH again just to be safe:
sudo ufw allow ssh
Okay, now enable it:
sudo ufw enable
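Once the firewall is enabled, a check like the one below confirms that it is active, that incoming traffic is denied by default, that SSH is still allowed, and that port 3306 is not open to everyone. This is an added example, not part of the original guide; the function names and the sample output are constructed for illustration, and it assumes the column layout printed by `ufw status verbose`.

```shell
#!/bin/sh
# Added example (not from the original guide). Reads the text printed by
# `sudo ufw status verbose` on stdin and checks the policy built above.
# Exit status: 0 = policy looks as intended, 1 = at least one problem.
audit_ufw() {
    awk '
        /^Status: active/             { active = 1 }
        /^Default: deny \(incoming\)/ { deny_in = 1 }
        {
            # Rule rows look like: <port> [(v6)] ALLOW [IN] <source>
            for (i = 2; i < NF; i++) if ($i == "ALLOW") {
                src = ($(i + 1) == "IN") ? $(i + 2) : $(i + 1)
                port = $1; sub(/\/.*/, "", port)   # "3306/tcp" -> "3306"
                if (port == "22") ssh = 1
                if (port == "3306") {
                    if (src == "Anywhere") open_db = 1
                    else srcs = srcs " " src
                }
            }
        }
        END {
            if (!active)  { print "FAIL: ufw is not active"; bad = 1 }
            if (!deny_in) { print "FAIL: default incoming policy is not deny"; bad = 1 }
            if (!ssh)     { print "FAIL: no rule allows SSH (port 22)"; bad = 1 }
            if (open_db)  { print "FAIL: port 3306 is open to Anywhere"; bad = 1 }
            if (!bad) print "OK: 3306 limited to:" srcs
            exit bad + 0
        }'
}

# Constructed sample output; the addresses are the ones used in this guide.
sample_good() {
    cat <<'EOF'
Status: active
Default: deny (incoming), allow (outgoing)

To                         Action      From
--                         ------      ----
22                         ALLOW IN    Anywhere
80                         ALLOW IN    Anywhere
3306                       ALLOW IN    127.0.0.1
3306                       ALLOW IN    184.108.40.206
22 (v6)                    ALLOW IN    Anywhere (v6)
EOF
}
# Same rules plus a blanket "ufw allow 3306" (the mistake to catch).
sample_exposed() { sample_good; echo "3306    ALLOW IN    Anywhere"; }

sample_good | audit_ufw              # real use: sudo ufw status verbose | audit_ufw
sample_exposed | audit_ufw || true
```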
Display a line by line list:
sudo ufw status numbered
If you wish to delete an item, use:
sudo ufw delete 2
(to delete line # 2 from the list displayed)
If you wish to disable the firewall simply use:
sudo ufw disable
If you wish to reset the firewall settings to blank use:
sudo ufw reset
I can’t overstate how valuable DigitalOcean’s guide has been, and they deserve full credit for this information.
As I mentioned before, this guide is aimed more at my own personal reference in case I need to use this information ever again.