WordPress – selective proxy / firewalling

As mentioned before, I block most web servers I’m responsible for from making outbound port 80 requests. This reduces the damage someone can do after exploiting a vulnerability on one of the sites, as Apache wouldn’t be able to download a rootkit or some other second-stage payload. (The rule set below actually goes a bit further than port 80: apart from loopback and DNS, it rejects every new outbound TCP and UDP connection the www-data user starts.)

Anyway, the firewall bit is relatively easy (this is shamelessly stolen from Bytemark):

……

# Remove any existing jump into the chain, then rebuild the chain from scratch.
# The first three commands fail harmlessly the first time the script is run.
/sbin/iptables -D OUTPUT -j no_www
/sbin/iptables --flush no_www
/sbin/iptables --delete-chain no_www
/sbin/iptables --new-chain no_www
/sbin/iptables -I OUTPUT -j no_www
#  Anything the web server user starts towards the loopback interface is fine
/sbin/iptables -A no_www -m state --state NEW --match owner --uid-owner www-data -o lo -j ACCEPT
#  DNS queries are fine
/sbin/iptables -A no_www -m state --state NEW --match owner --uid-owner www-data --protocol udp --dport 53 -j ACCEPT
/sbin/iptables -A no_www -m state --state NEW --match owner --uid-owner www-data --protocol tcp --dport 53 -j ACCEPT
#  Every other new TCP/UDP connection, and all ICMP, from www-data is rejected
/sbin/iptables -A no_www -m state --state NEW --match owner --uid-owner www-data --protocol tcp -j REJECT --reject-with icmp-admin-prohibited
/sbin/iptables -A no_www -m state --state NEW --match owner --uid-owner www-data --protocol udp -j REJECT --reject-with icmp-admin-prohibited
/sbin/iptables -A no_www --protocol icmp --match owner --uid-owner www-data -j REJECT --reject-with icmp-admin-prohibited
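A parametrised version of the same chain, added here as an example (it is mine, not code from the original post or from Bytemark). It tightens two things a practitioner would normally want: the loopback rule only admits the local proxy port (plus any other loopback ports you list, e.g. 3306 if MySQL is reached over TCP rather than its socket) instead of everything on lo, DNS is only allowed to the resolvers you name, and rejected connection attempts are logged at a rate limit so a compromised site shows up in the logs. The web user, chain name, loopback ports and resolvers are assumptions with defaults (www-data, no_www, 3128, 127.0.0.1) that can be overridden from the environment. `print` emits the rules without touching the kernel; `apply` (as root) installs them.

```shell
#!/bin/sh
# Added example, not the original post's script.  Assumptions (mine): the
# web server runs as WEB_USER, the local HTTP proxy listens on 127.0.0.1:3128,
# and DNS queries go to the resolvers listed in RESOLVERS (space separated).
WEB_USER="${WEB_USER:-www-data}"
CHAIN="${CHAIN:-no_www}"
LO_PORTS="${LO_PORTS:-3128}"          # add 3306 if MySQL is reached over TCP
RESOLVERS="${RESOLVERS:-127.0.0.1}"   # constructed default, set to your resolvers
IPT="${IPT:-/sbin/iptables}"

# Emit the rule set as shell commands, one per line.  Keeping this a pure
# function means the rules can be reviewed (and tested) without root.
no_www_rules() {
    owner="-m owner --uid-owner $WEB_USER"
    new="-m conntrack --ctstate NEW"
    # Tear down any previous copy of the chain; harmless on first run.
    echo "$IPT -D OUTPUT -j $CHAIN 2>/dev/null || true"
    echo "$IPT -F $CHAIN 2>/dev/null || true"
    echo "$IPT -X $CHAIN 2>/dev/null || true"
    echo "$IPT -N $CHAIN"
    echo "$IPT -I OUTPUT -j $CHAIN"
    # Loopback: only the listed ports, not everything on lo.
    for p in $LO_PORTS; do
        echo "$IPT -A $CHAIN $new $owner -o lo -p tcp --dport $p -j ACCEPT"
    done
    # DNS: only to the configured resolvers, UDP and TCP.
    for r in $RESOLVERS; do
        echo "$IPT -A $CHAIN $new $owner -p udp -d $r --dport 53 -j ACCEPT"
        echo "$IPT -A $CHAIN $new $owner -p tcp -d $r --dport 53 -j ACCEPT"
    done
    # Everything else the web user starts is logged (rate limited) and rejected.
    echo "$IPT -A $CHAIN $new $owner -m limit --limit 5/min -j LOG --log-prefix \"$CHAIN: \""
    echo "$IPT -A $CHAIN $new $owner -p tcp -j REJECT --reject-with icmp-admin-prohibited"
    echo "$IPT -A $CHAIN $new $owner -p udp -j REJECT --reject-with icmp-admin-prohibited"
    echo "$IPT -A $CHAIN $owner -p icmp -j REJECT --reject-with icmp-admin-prohibited"
}

# Number of rules that would be appended to the chain; a quick sanity check.
no_www_rule_count() {
    no_www_rules | grep -c -- "-A $CHAIN"
}

case "${1:-print}" in
    print) no_www_rules ;;
    apply) no_www_rules | sh -e ;;   # needs root
    *)     echo "usage: $0 print|apply" >&2; exit 2 ;;
esac
```

After `apply`, check it from the web user's side: `sudo -u www-data curl -sS --max-time 5 http://example.com/` should fail immediately rather than hang, while `sudo -u www-data curl -sS -x http://127.0.0.1:3128 http://example.com/` still works. If the host has IPv6 the same chain needs installing with ip6tables as well (with `icmp6-adm-prohibited` as the reject type), otherwise the block is trivially bypassed over v6.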

The annoying bit is that once this is done, WordPress’s admin panel becomes a bit useless, as it can no longer fetch updates or install plugins. This can be cunningly fixed by editing the wp-config.php file and pointing WordPress’s own HTTP client at a local proxy on 127.0.0.1:3128 (the port the loopback rule above lets www-data reach), but only for requests coming from a known admin address, with something like:

// Only route WordPress's outbound HTTP via the local proxy when the request
// comes from the office PC; every other request gets the normal client,
// which the firewall rejects.
if ($_SERVER['REMOTE_ADDR'] === '78.105.96.188') {
    define('WP_PROXY_HOST', '127.0.0.1');
    define('WP_PROXY_PORT', '3128');
    // Hosts that are fetched directly rather than through the proxy
    define('WP_PROXY_BYPASS_HOSTS', 'localhost');
}

So, if I’m browsing from my office PC, everything should just happily work. Two things are worth checking before relying on this: REMOTE_ADDR is only trustworthy when Apache faces the internet directly (behind a reverse proxy it is the proxy’s address, and anything taken from an X-Forwarded-For header can be set by the client), and because the loopback rule lets www-data talk to 127.0.0.1:3128 regardless of what wp-config.php says, the proxy itself needs an ACL restricting which destinations it will fetch, otherwise an attacker’s code running as www-data can simply use the proxy.


Comments

2 responses to “WordPress – selective proxy / firewalling”

  1. Jonkarra

    TBH, surprised you don’t block everything by default and only allow what’s needed out?

  2. David Goodwin

    I’m too lazy to do that… although I admit it’s a very small step to go from blocking port 80 out to blocking everything out for the Apache user, as there is (AFAIK) no other traffic out from Apache anyway.
