IPTables: Allow outgoing MySQL connections but not incoming connections
Take advantage of the state engine:
# outbound connection attempts to a MySQL server (SYN to port 3306 from a local ephemeral port)
iptables -t filter -A OUTPUT -p tcp --dport 3306 -j ACCEPT
# replies from port 3306 that belong to a connection already in the state table
iptables -t filter -A INPUT -p tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT
or, in later versions of iptables, the same thing with the conntrack match:
# outbound connection attempts to a MySQL server (SYN to port 3306 from a local ephemeral port)
iptables -t filter -A OUTPUT -p tcp --dport 3306 -j ACCEPT
# replies from port 3306 that belong to a connection already in the conntrack table
iptables -t filter -A INPUT -p tcp --sport 3306 -m conntrack --ctstate ESTABLISHED -j ACCEPT
This is exactly what the state engine exists to do: allow traffic which meets various criteria (e.g., protocol, source port) but is also part of an existing connection (as it defines connection). The upshot is that the outgoing TCP SYN packet to a particular external IP address on destination port 3306, from a local ephemeral port, will create a state table entry for that particular combination of IP addresses and port numbers. Only return traffic with the same combination of addresses and ports will be permitted through, and only for the duration of that connection.
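The following is an added example, not code from the answer above: a toy model of the conntrack lookup that makes the two rules work, run over a handful of constructed packets. It assumes a client 10.0.0.10 talking to a MySQL server 10.0.0.5, an INPUT chain whose policy is DROP (so anything the rule does not ACCEPT is dropped), and it ignores conntrack timeouts, TCP flag tracking and the RELATED state. The `stateful=False` mode shows the same `--sport 3306` INPUT rule without the conntrack match, which is the trap the state engine avoids: anyone can choose 3306 as their source port.

```python
"""Toy model of the conntrack/state match behind the two iptables rules.

Added example; not part of the original answer. Assumptions not from the
answer: INPUT policy DROP, a single client host 10.0.0.10 and server
10.0.0.5, no conntrack timeouts, no TCP flag tracking, no RELATED state.
"""
from dataclasses import dataclass

MYSQL_PORT = 3306


@dataclass(frozen=True)
class Packet:
    direction: str  # "out" (leaving this host) or "in" (arriving)
    src: str
    sport: int
    dst: str
    dport: int


class ConntrackFirewall:
    """The two rules from the answer plus a minimal conntrack table."""

    def __init__(self):
        # Flows keyed by the original (outbound) direction's 4-tuple.
        self.flows = set()

    def ctstate(self, pkt):
        # An inbound packet is looked up in the reply direction: its src/dst
        # are swapped back into the tuple the outbound SYN recorded.
        if pkt.direction == "out":
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        else:
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return ("ESTABLISHED" if key in self.flows else "NEW"), key

    def output_chain(self, pkt):
        # iptables -A OUTPUT -p tcp --dport 3306 -j ACCEPT
        # Other outbound traffic is outside the question and assumed ACCEPTed.
        _, key = self.ctstate(pkt)
        self.flows.add(key)  # conntrack records every flow it lets through
        return "ACCEPT"

    def input_chain(self, pkt, stateful=True):
        # iptables -A INPUT -p tcp --sport 3306 -m conntrack --ctstate ESTABLISHED -j ACCEPT
        # stateful=False models the same rule without the -m conntrack match.
        state, _ = self.ctstate(pkt)
        if pkt.sport == MYSQL_PORT and (not stateful or state == "ESTABLISHED"):
            return "ACCEPT"
        return "DROP"  # assumed INPUT policy DROP

    def filter(self, pkt, stateful=True):
        if pkt.direction == "out":
            return self.output_chain(pkt)
        return self.input_chain(pkt, stateful)


def run_scenario(stateful=True):
    """Constructed traffic for client 10.0.0.10 and MySQL server 10.0.0.5."""
    fw = ConntrackFirewall()
    packets = {
        # 1. our client opens a connection: SYN from an ephemeral port to 3306
        "client_syn": Packet("out", "10.0.0.10", 49152, "10.0.0.5", MYSQL_PORT),
        # 2. the server's SYN/ACK comes back on the exact reversed tuple
        "server_synack": Packet("in", "10.0.0.5", MYSQL_PORT, "10.0.0.10", 49152),
        # 3. an attacker picks source port 3306 and aims at our SSH port
        "spoofed_sport": Packet("in", "192.0.2.7", MYSQL_PORT, "10.0.0.10", 22),
        # 4. someone tries to connect to a MySQL server on this host
        "inbound_mysql": Packet("in", "198.51.100.9", 40000, "10.0.0.10", MYSQL_PORT),
        # 5. the real server, but to a local port that never opened a flow
        "wrong_local_port": Packet("in", "10.0.0.5", MYSQL_PORT, "10.0.0.10", 49153),
    }
    # dict order matters: the outbound SYN must be seen before its reply
    return {name: fw.filter(pkt, stateful) for name, pkt in packets.items()}


if __name__ == "__main__":
    for mode in (True, False):
        print("with conntrack match:" if mode else "source-port match only:")
        for name, verdict in run_scenario(mode).items():
            print(f"  {name:18} {verdict}")
```

With the conntrack match only the SYN/ACK for the flow we opened gets in; the spoofed-source-port probe, the inbound MySQL connection attempt and a reply to a port that never sent a SYN are all dropped. Without it, the spoofed probe and the stray reply are accepted, which is why the state match, not the source port, is doing the security work.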