MySQL Host / Host Table


So for better security, our website / network has been looking to lock down all of our SQL to IPs.

What we originally were looking for was somewhere I could whitelist all our IPs, say 104.151.112.151-59, or use /29, /28, etc.

We noted that we could add each IP with a user, but this is inconvenient to do with 3-5 databases, let alone the possibility of having even more.

My thought now is that I can just use eth0 with virtual hosts, then whitelist the first one, so .151, with .152-159 being virtual hosts of 104.151.112.151. This is working; however, if .151 is ever nullrouted, this would instantly become an issue.

Thought A)
Use %, then block all traffic with iptables, and only allow IPs on .151-59, which is easy to do as a range in iptables.

Thought B)
Use host tables, though the documentation on this is seriously lacking. I'm not too sure how to even go about using host tables; our MySQL server is 5.5.4, so it is still supported with phpMyAdmin.

If someone could point me in the right direction of what I am attempting to achieve it would be appreciated.

I need to whitelist the following example blocks to multiple databases:

104.151.112.151/28
104.128.55.19/28
167.114.55.181/28
167.114.57.100/28

Best Answer

I'd suggest you go with your Thought A - allow the users to access from any IP, but only allow MySQL traffic from the IPs you specify at the firewall level.

A nice benefit of this is if there's ever a MySQL vulnerability, it's more protected from outside attack.
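As an added illustration of Thought A (this is example code, not the answerer's or the asker's), the script below generates an iptables ruleset that admits MySQL traffic on tcp/3306 only from the four /28 blocks listed in the question and drops the rest, so the MySQL accounts themselves can stay at `'user'@'%'`. It also normalises each block to its real network address (a /28 containing .151 spans .144-.159, which covers the .151-.159 range the asker wants) and includes a pure-shell `in_cidr` check so you can confirm that a given client address really falls inside an allowed block before you apply the rules. The chain name `MYSQL_ALLOW`, the loopback allow rule, and the assumption that the rules are applied by piping the output into a root shell are mine, not from the page.

```shell
#!/bin/sh
# Added example, not from the original post: emit an iptables ruleset that
# restricts MySQL (tcp/3306) to a whitelist of CIDR blocks, plus helpers to
# sanity-check the blocks. Nothing here touches the live firewall; the
# printed commands are applied only if you pipe them into a root shell.

# The four example blocks from the question (constructed whitelist).
ALLOWED_CIDRS="104.151.112.151/28 104.128.55.19/28 167.114.55.181/28 167.114.57.100/28"
MYSQL_PORT=3306
MASK_ALL=4294967295   # 0xFFFFFFFF, written in decimal for plain POSIX sh

# ip_to_int 1.2.3.4 -> the dotted quad as one 32-bit integer
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# prefix_mask 28 -> integer netmask for a /28 (high `bits` bits set)
prefix_mask() {
    echo $(( MASK_ALL ^ ((1 << (32 - $1)) - 1) ))
}

# cidr_network 104.151.112.151/28 -> 104.151.112.144/28
# iptables would accept the host-style form, but emitting the true network
# address makes the intended range explicit in the rule listing.
cidr_network() {
    ip=${1%/*}; bits=${1#*/}
    net=$(( $(ip_to_int "$ip") & $(prefix_mask "$bits") ))
    echo "$(( (net >> 24) & 255 )).$(( (net >> 16) & 255 )).$(( (net >> 8) & 255 )).$(( net & 255 ))/$bits"
}

# in_cidr IP CIDR -> exit 0 when IP lies inside CIDR, 1 otherwise
in_cidr() {
    mask=$(prefix_mask "${2#*/}")
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "${2%/*}") & mask )) ]
}

# mysql_rules -> prints the iptables commands. Local connections over lo are
# allowed so an app on the same host keeps working; everything else not in
# ALLOWED_CIDRS is dropped before it reaches mysqld.
mysql_rules() {
    echo "iptables -N MYSQL_ALLOW 2>/dev/null || iptables -F MYSQL_ALLOW"
    echo "iptables -A MYSQL_ALLOW -i lo -j ACCEPT"
    for cidr in $ALLOWED_CIDRS; do
        echo "iptables -A MYSQL_ALLOW -s $(cidr_network "$cidr") -j ACCEPT"
    done
    echo "iptables -A MYSQL_ALLOW -j DROP"
    echo "iptables -I INPUT -p tcp --dport $MYSQL_PORT -j MYSQL_ALLOW"
}

# Print the ruleset for review; apply with:  sh thisscript.sh | sudo sh
mysql_rules
```

Review the printed rules first, then apply them with `sh thisscript.sh | sudo sh`. If the application servers move to new addresses later, only `ALLOWED_CIDRS` changes; the MySQL grants stay untouched, which is the convenience the asker was after.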