Not only for security reasons it's a better idea to seperate that to two different hosts, if you get under heavy load it will definately be a performance reason!
For the security part it depends what kind of sensitive data you've got in the database ... if it's data like credit card, orders, etc I would definately seperate them. But if the data is just plain dynamic content it doesn't really need to be seperated from a security point of view.
So if you want to install MySQL on the 2nd server (when you have sensitive data in there) install it chrooted like described here
For the firewall something like that would be your configuration:
iptables -A INPUT -i eth0 -s <webserver ip> -p tcp --dport 3306 -j ACCEPT
iptables -A OUTPUT -o eth0 -d <webserver ip> -p tcp --sport 3306 -j ACCEPT
Be sure to LIMIT the MySQL connection to the webserver source ip and do NOT let others access it ;-)