How does MySQL control iptables?

I’m struggling to figure out how MySQL interfaces to iptables on Debian Lenny.

The system has an iptables shell script that is run by virtue of its presence in /etc/network/if-up.d/ which blocks most things, allowing only a minimum of required services.

I find that if MySQL is bound to one of the server’s real IP addresses (which is needed to allow client access from another system), then at some point after the iptables script has run, port 3306 is opened for external traffic from any IP address. Running the iptables script manually afterwards closes the port, but that isn’t the normal setup. Restarting MySQL doesn’t open port 3306, only rebooting. It’s quite clear that it is MySQL that does this - setting skip_networking causes port 3306 to stay closed.

The MySQL permissions give some protection, but all the same, I always prefer the maximum of restriction, and would much prefer to restrict use of port 3306 to specific IP addresses.

How can MySQL’s use of iptables be controlled to prevent it opening ports, thus leaving the system iptables script in control of what happens?

I am not sure what is happening, but I am pretty sure that MySQL is not controlling iptables (unless Debian has added a patch I don’t know about). I would suspect that there is a process in the server that’s noticing MySQL starting to listen on a socket, and adjusting iptables accordingly. But I am far from an iptables expert.