As mentioned before, I block most web servers I'm responsible for from making outbound port 80 requests. This helps reduce the likelihood of someone exploiting a vulnerability on one of the sites, as Apache wouldn't be able to download a rootkit and so on.
Anyway, the firewall bit is relatively easy (this is shamelessly stolen from Bytemark):
# Unhook and rebuild the no_www chain so the script can be re-run safely
/sbin/iptables -D OUTPUT -j no_www
/sbin/iptables --flush no_www
/sbin/iptables --delete-chain no_www
/sbin/iptables --new-chain no_www
/sbin/iptables -I OUTPUT -j no_www
# www-data may talk to local services over loopback (e.g. a proxy on 127.0.0.1)
/sbin/iptables -A no_www -m state --state NEW --match owner --uid-owner www-data -o lo -j ACCEPT
# DNS queries are fine
/sbin/iptables -A no_www -m state --state NEW --match owner --uid-owner www-data --protocol udp --dport 53 -j ACCEPT
/sbin/iptables -A no_www -m state --state NEW --match owner --uid-owner www-data --protocol tcp --dport 53 -j ACCEPT
# Everything else from www-data (TCP/UDP/ICMP) is blocked
/sbin/iptables -A no_www -m state --state NEW --match owner --uid-owner www-data --protocol tcp -j REJECT --reject-with icmp-admin-prohibited
/sbin/iptables -A no_www -m state --state NEW --match owner --uid-owner www-data --protocol udp -j REJECT --reject-with icmp-admin-prohibited
/sbin/iptables -A no_www --protocol icmp --match owner --uid-owner www-data -j REJECT --reject-with icmp-admin-prohibited
The annoying bit is that once this is done, WordPress's admin panel becomes a bit useless, since it can no longer make outbound HTTP requests of its own. This can be cunningly fixed by editing wp-config.php and adding something like:
// Only route WordPress's outbound HTTP through the local proxy when the
// admin is browsing from the office address
if ($_SERVER['REMOTE_ADDR'] == '78.105.96.188') {
    define('WP_PROXY_HOST', '127.0.0.1');
    define('WP_PROXY_PORT', '3128');
    define('WP_PROXY_BYPASS_HOSTS', 'localhost');
}
So, if I'm browsing from my office PC, everything should just happily work. This relies on two things: the first rule in no_www lets www-data talk over lo, and the proxy on port 3128 must run as a user other than www-data, otherwise the owner match would block its outbound connections too. If the site sits behind a reverse proxy or load balancer, REMOTE_ADDR will be that device's address rather than the office one, so the check would need adjusting.
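As an added example (not from the post or from Bytemark), here is a small Python evaluator that walks the no_www rules in order, the way netfilter does, and reports the verdict for a few packets: www-data to port 80, www-data DNS, www-data to the loopback proxy, www-data ICMP, and a separate proxy user. It assumes every packet is in state NEW and that the proxy runs as a user named `proxy`; the rule text is the post's own chain, and a live check would feed it `iptables -S no_www` instead.

```python
import shlex

# Rules copied from the post's chain (the "-A no_www ..." arguments only).
RULES = """
-A no_www -m state --state NEW --match owner --uid-owner www-data -o lo -j ACCEPT
-A no_www -m state --state NEW --match owner --uid-owner www-data --protocol udp --dport 53 -j ACCEPT
-A no_www -m state --state NEW --match owner --uid-owner www-data --protocol tcp --dport 53 -j ACCEPT
-A no_www -m state --state NEW --match owner --uid-owner www-data --protocol tcp -j REJECT --reject-with icmp-admin-prohibited
-A no_www -m state --state NEW --match owner --uid-owner www-data --protocol udp -j REJECT --reject-with icmp-admin-prohibited
-A no_www --protocol icmp --match owner --uid-owner www-data -j REJECT --reject-with icmp-admin-prohibited
"""

def parse_rule(line):
    """Turn one '-A chain ...' line into a dict of match conditions plus target."""
    toks = shlex.split(line)
    rule, i = {}, 0
    while i < len(toks):
        t = toks[i]
        if t == "-A":              rule["chain"] = toks[i + 1]
        elif t == "-j":            rule["target"] = toks[i + 1]
        elif t in ("-p", "--protocol"): rule["proto"] = toks[i + 1]
        elif t == "--dport":       rule["dport"] = int(toks[i + 1])
        elif t == "--uid-owner":   rule["uid"] = toks[i + 1]
        elif t == "-o":            rule["oif"] = toks[i + 1]
        # "-m state", "--state NEW", "--match owner", "--reject-with X" take an
        # argument but do not narrow the match for the NEW packets modelled here.
        i += 2
    return rule

def verdict(rules, uid, proto, dport=None, oif="eth0"):
    """First matching rule wins; a packet matching nothing returns to OUTPUT."""
    for r in rules:
        if r.get("uid", uid) != uid or r.get("proto", proto) != proto:
            continue
        if r.get("oif", oif) != oif or r.get("dport", dport) != dport:
            continue
        return r["target"]
    return "RETURN"

def audit(rules_text):
    """Verdicts for the packets a practitioner cares about with this chain."""
    rules = [parse_rule(l) for l in rules_text.strip().splitlines()]
    return {
        "www-data tcp/80 egress": verdict(rules, "www-data", "tcp", 80),
        "www-data udp/53 egress": verdict(rules, "www-data", "udp", 53),
        "www-data tcp/53 egress": verdict(rules, "www-data", "tcp", 53),
        "www-data tcp/3128 loopback": verdict(rules, "www-data", "tcp", 3128, oif="lo"),
        "www-data icmp": verdict(rules, "www-data", "icmp"),
        "proxy user tcp/80 egress": verdict(rules, "proxy", "tcp", 80),  # assumed proxy uid
    }

if __name__ == "__main__":
    for case, result in audit(RULES).items():
        print(f"{case}: {result}")
```

Re-running `audit` on a chain where the catch-all TCP REJECT has been moved above the DNS accepts shows the ordering mistake as tcp/53 flipping from ACCEPT to REJECT.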