@troyk
Created February 15, 2011 02:00
Apache user should not be allowed to talk to people
# let replies on connections that are already established through first
iptables --append OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# create a new chain
iptables --new-chain chk_apache_user
# use new chain to process packets generated by apache (replace apache with uid)
iptables -A OUTPUT -m owner --uid-owner apache -j chk_apache_user
# Allow 143 (IMAP) and 25 so that webmail works :)
iptables -A chk_apache_user -p tcp --syn -d 127.0.0.1 --dport 143 -j RETURN
iptables -A chk_apache_user -p tcp --syn -d 127.0.0.1 --dport 25 -j RETURN
# reject everything else and stop hackers downloading code into our server
iptables -A chk_apache_user -j REJECT
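Once the rules above are loaded, the policy can drift (someone appends a RETURN for another port, or inserts the owner jump ahead of the ESTABLISHED,RELATED accept). This added auditor, not part of the gist, reads an `iptables-save` dump and flags any deviation from the intended egress policy; the dump below is constructed to mirror the gist's rules as `iptables-save` prints them, and uid 48 is assumed for the apache user.

```python
import re

# Constructed iptables-save dump (not captured from a real host); it reflects
# the gist's rules as iptables-save prints them: --syn expands to --tcp-flags,
# the uid is numeric (48 is assumed for apache here) and -d gets a /32 mask.
SAMPLE_DUMP = """\
*filter
:OUTPUT ACCEPT [0:0]
:chk_apache_user - [0:0]
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m owner --uid-owner 48 -j chk_apache_user
-A chk_apache_user -d 127.0.0.1/32 -p tcp -m tcp --dport 143 --tcp-flags FIN,SYN,RST,ACK SYN -j RETURN
-A chk_apache_user -d 127.0.0.1/32 -p tcp -m tcp --dport 25 --tcp-flags FIN,SYN,RST,ACK SYN -j RETURN
-A chk_apache_user -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""

# The only egress the gist intends for apache: local IMAP and SMTP.
ALLOWED = frozenset({("127.0.0.1/32", 143), ("127.0.0.1/32", 25)})
# An unconditional REJECT/DROP: no match options, only the target.
FINAL_DENY = re.compile(r"^-A \S+ -j (REJECT|DROP)( --reject-with \S+)?$")

def rules_for(dump, chain):
    """Rules appended to `chain`, in the order the kernel evaluates them."""
    return [l for l in dump.splitlines() if l.startswith(f"-A {chain} ")]

def audit_egress(dump, chain="chk_apache_user", allowed=ALLOWED):
    """Return findings for the apache egress policy; [] means it matches the gist."""
    findings = []
    out = rules_for(dump, "OUTPUT")
    est = next((i for i, r in enumerate(out) if "ESTABLISHED" in r and r.endswith("-j ACCEPT")), None)
    jump = next((i for i, r in enumerate(out) if "--uid-owner" in r and r.endswith(f"-j {chain}")), None)
    if jump is None:
        findings.append(f"OUTPUT never jumps owner-matched packets to {chain}")
    elif est is None or est > jump:
        findings.append("ESTABLISHED,RELATED accept must precede the owner jump, or apache's replies are rejected")
    rules = rules_for(dump, chain)
    if not rules or not FINAL_DENY.match(rules[-1]):
        findings.append(f"{chain} does not end in an unconditional REJECT/DROP")
        return findings
    for r in rules[:-1]:  # every rule before the final deny must be a narrow RETURN
        dst, port = re.search(r" -d (\S+)", r), re.search(r" --dport (\d+)", r)
        if not r.endswith("-j RETURN") or not (dst and port) or " -p tcp" not in r:
            findings.append(f"overly broad rule in {chain}: {r}")
        elif (dst.group(1), int(port.group(1))) not in allowed:
            findings.append(f"unexpected egress allowed: {dst.group(1)}:{port.group(1)}")
    return findings

if __name__ == "__main__":
    for f in audit_egress(SAMPLE_DUMP) or ["policy matches the gist"]:
        print(f)
```

Feed it the real dump with `iptables-save | python3 audit.py` after replacing `SAMPLE_DUMP` with `sys.stdin.read()`.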
troyk commented Feb 19, 2011

or simply:

  iptables -I OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A OUTPUT -o eth0 -m owner --uid-owner [userid] -j DROP
