Tips - Allow Remote connections to mySQL Database Server
In this Tips, we will go through the steps necessary to allow remote connections to a mySQL
server. The same instructions can be apply for MariaDB
.
Mika Baumeister©
By default, the mySQL
allow connections only from localhost (127.0.0.1
), which means it can be accessed only by applications running on the same host.
However, in some situations, it is necessary to access the mySQL
server from remote location. For example, when you want to connect to the remote mySQL
server from your local system, or when using a multi-server deployment where the application is running on a different machine from the database server. One option would be to access the mySQL
server through SSH Tunnel and another is to configure the mySQL
server to accept remote connections.
Test on Debian 10 (buster) and mySQL v10.3.2.2
Note that the port number used for accepting incoming TCP connections is the same for every IP address listed in the –bind-address option.
- in
/etc/mysql/mariadb.conf.d/50-server.cnf
change linebind-address = 127.0.0.1
tobind-address = 0.0.0.0
. The address0.0.0.0
allow all. If there is a line containingskip-networking
, delete it or comment it out by adding # at the beginning of the line.bind-address = 0.0.0.0 #skip-networking
- On
mySQL
server host :sudo mysql --user=root mysql GRANT ALL ON <database_name>.* TO <user_name>@<ip_address> IDENTIFIED BY <user_password>;
Where:
<database_name>
is the name of the database that the user will connect to.<user_name>
is the name od the mySQL user.<ip_address>
is the IP address from which the user will connect. Use % to allow the user to connect from any IP address.<user_password>
is the user password.
ie.
<ip_address>
: 192.168.% for allow the range of IP 192.168.0.0 to 192.168.255.255 or % for allow all IP - Restart
mysqld
sudo systemctl restart mysqld
- Configuring Firewall The last step is to configure your firewall to allow traffic on port
3306
(mySQL default port) from the remote machines.- If you are using iptables as your firewall, the command bellow will allow access from private IP to the mySQL port.
# Block all connections to 3306 except for localhost and all private IPs /sbin/iptables -A INPUT -p tcp --dport 3306 ! -s 127.0.0.0/8 -j DROP /sbin/iptables -A INPUT -p tcp --dport 3306 ! -s 10.0.0.0/8 -j DROP /sbin/iptables -A INPUT -p tcp --dport 3306 ! -s 172.16.0.0/12 -j DROP /sbin/iptables -A INPUT -p tcp --dport 3306 ! -s 192.168.0.0/16 -j DROP
- Save the settings:
sudo /sbin/iptables-save
- If you are using iptables as your firewall, the command bellow will allow access from private IP to the mySQL port.
Since mySQL
Server v8.0.13, It’s possible to set more than one specific eth
interface. So if you have a server with addresses 192.168.1.1 and 10.0.0.1, you can specify the binding like: bind-address=192.168.1.1,10.0.0.1
. With 192.168.1.1
for eth0
and 10.0.0.1
for eth1