Created
February 15, 2011 02:00
-
-
Save troyk/826967 to your computer and use it in GitHub Desktop.
Apache user should not be allowed to talk to people
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
iptables --append OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT | |
# create a new chain | |
iptables --new-chain chk_apache_user | |
# use new chain to process packets generated by apache (replace apache with uid) | |
iptables -A OUTPUT -m owner --uid-owner apache -j chk_apache_user | |
# Allow 143 (IMAP) and 25 so that webmail works :) | |
iptables -A chk_apache_user -p tcp --syn -d 127.0.0.1 --dport 143 -j RETURN | |
iptables -A chk_apache_user -p tcp --syn -d 127.0.0.1 --dport 25 -j RETURN | |
# reject everything else and stop hackers downloading code into our server | |
iptables -A chk_apache_user -j REJECT |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
or simply: