MySQL on Ubuntu: binding multiple IPs with the help of the firewall
In MySQL it is not possible to specify several IP addresses for bind-address in the configuration. As described in the previous article, http://www.04007.cn/article/526.html , the option takes either a single IP address or 0.0.0.0. The default is 127.0.0.1, but with that setting neither external servers nor the client on Windows can connect to MySQL to view data. Changing it to 0.0.0.0 exposes the port to the outside world, which is more dangerous. My earlier approach was to bind the LAN IP address and put haproxy in front of it as a load balancer to serve external connections; haproxy can enforce the corresponding IP restrictions at layer 4 and layer 7. In practice, another method, combining the bind setting with the firewall, is just as easy to use.
On Ubuntu, comment out the bind-address setting of MySQL or set it to 0.0.0.0 and restart MySQL. MySQL now accepts connections from external IPs; then use the firewall to block access to port 3306 from every address except the required ones. This indirectly achieves binding to multiple IPs (127.0.0.1, the internal network IP and the external network IP), as follows:
# Firewall configuration: accept port 3306 from the two allowed sources, then drop everything else.
# Order matters: iptables uses first-match, so the ACCEPT rules must come before the catch-all DROP.
# Note: TCP connections to 127.0.0.1 also pass through INPUT, so the DROP below blocks them too
# unless loopback (-i lo) is accepted earlier; local clients using the Unix socket are unaffected.
root@us12:~# /sbin/iptables -A INPUT -p tcp -s 112.95.214.8 --dport 3306 -j ACCEPT
root@us12:~# /sbin/iptables -A INPUT -p tcp -s 192.168.162.8 --dport 3306 -j ACCEPT
root@us12:~# /sbin/iptables -A INPUT -p tcp --dport 3306 -j DROP
# View the firewall settings (port 3306 is shown by its /etc/services name, "mysql")
root@us12:~# /sbin/iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp - 112.95.214.8 anywhere tcp dpt:mysql
ACCEPT tcp - 192.168.162.8 anywhere tcp dpt:mysql
DROP tcp - anywhere anywhere tcp dpt:mysql
Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all - anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all - anywhere anywhere
ACCEPT all - anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all - anywhere anywhere
ACCEPT all - anywhere anywhere
ACCEPT all - anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
# The -D option deletes a specific entry. The following command removes rule 1 of Chain INPUT,
# i.e. the ACCEPT entry for 112.95.214.8 (rule numbers start at 1 and shift after a deletion)
root@us12:~# iptables -D INPUT 1
# Alternatively, a single source can be allowed with a negated match (note the space after "!"):
# drop everything on port 3306 that does not come from 112.95.214.8
root@us12:/etc/# /sbin/iptables -A INPUT -p tcp --dport 3306 ! -s 112.95.214.8 -j DROP
# Caution: adding a second negated DROP rule for 192.168.162.8 would block both hosts, because
# traffic from either address matches the other address's negated rule. To allow several sources,
# use the ACCEPT/ACCEPT/DROP sequence above instead.
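To check that a rule set really behaves as intended before relying on it, the following added example (not part of the original article) parses the INPUT chain in the `iptables --list` format shown above and evaluates a packet with first-match semantics. The listings, the probe address 203.0.113.9 and the function names are constructed for the example; the second listing reproduces the "two negated DROP rules" mistake so the audit can show both allowed hosts being dropped.

```python
import re

# Constructed sample: the INPUT chain from the article's `iptables --list` output
# (two ACCEPTs for the allowed sources, then a catch-all DROP for port 3306).
ALLOWLIST_CHAIN = """\
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp - 112.95.214.8 anywhere tcp dpt:mysql
ACCEPT tcp - 192.168.162.8 anywhere tcp dpt:mysql
DROP tcp - anywhere anywhere tcp dpt:mysql
Chain FORWARD (policy DROP)
"""
# Constructed sample of the mistaken variant: two negated DROP rules (iptables -L prints "!addr").
NEGATED_CHAIN = """\
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP tcp - !112.95.214.8 anywhere tcp dpt:mysql
DROP tcp - !192.168.162.8 anywhere tcp dpt:mysql
"""
SERVICES = {"mysql": 3306}  # only the service name that appears in the listing

def parse_input_chain(listing):
    """Return (policy, rules) for Chain INPUT; rule = (target, proto, src, negated, dport)."""
    policy, rules, inside = "ACCEPT", [], False
    for line in listing.splitlines():
        m = re.match(r"Chain (\S+) \(policy (\S+)\)", line)
        if m:
            inside = m.group(1) == "INPUT"
            policy = m.group(2) if inside else policy
            continue
        parts = line.split()
        if not inside or len(parts) < 5 or parts[0] == "target":
            continue
        target, proto, _opt, src, _dst = parts[:5]
        pm = re.search(r"dpt:(\S+)", line)
        name = pm.group(1) if pm else None
        dport = SERVICES.get(name) or (int(name) if name and name.isdigit() else None)
        rules.append((target, proto, src.lstrip("!"), src.startswith("!"), dport))
    return policy, rules

def verdict(listing, src_ip, dport=3306, proto="tcp"):
    """First-match evaluation of a packet from src_ip to dport against Chain INPUT."""
    policy, rules = parse_input_chain(listing)
    for target, rproto, rsrc, negated, rport in rules:
        if rproto not in ("all", proto) or (rport is not None and rport != dport):
            continue
        src_hit = rsrc == "anywhere" or rsrc == src_ip
        if src_hit != negated:  # plain rule that hits, or negated rule that does not hit
            return target
    return policy  # no rule matched: the chain policy decides

def audit(listing, allowed, probe="203.0.113.9"):
    """True when every allowed source reaches ACCEPT and an unlisted probe address is dropped."""
    results = {ip: verdict(listing, ip) for ip in allowed}
    results[probe] = verdict(listing, probe)
    ok = all(results[ip] == "ACCEPT" for ip in allowed) and results[probe] == "DROP"
    return ok, results
```

Run `audit(ALLOWLIST_CHAIN, ["112.95.214.8", "192.168.162.8"])` against a pasted `iptables --list` output to confirm the allow list; the same call on NEGATED_CHAIN reports both hosts as DROP.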
On CentOS I restarted the firewall with the /etc/init.d/iptables command, but that command file does not exist on Ubuntu 16; the rules can still be saved and loaded automatically by modifying the /etc/sysconfig/iptables configuration, as follows:
# Save the current iptables rules with iptables-save
root@us12:/etc/# iptables-save > /etc/iptables.rules
# To restore the rules automatically when the interface comes up and save them when it goes down,
# add the following two lines to the interface stanza
root@us12:/etc/# vim /etc/network/interfaces
pre-up iptables-restore < /etc/iptables.rules
post-down iptables-save > /etc/iptables.rules