Webserver Iptables Rules and Akismet

By default, all my servers get a pre-configured iptables script which I’ve built up over the years and which is quite strict in what it locks down. Port 80 is open inbound only so that traffic reaches Nginx or Apache; outbound connections on ports 80 and 443 are only allowed for root or my own user, for things like yum, wget or curl. This is great from a security point of view, as it means I can completely lock down what goes out should any script go rogue. But it also blocks outbound services such as the anti-spam service Akismet.

Below is a short snippet of my iptables rules as an example:

#!/bin/bash
iptables=/sbin/iptables

# Allow only Pre-defined users to exit 80/443 (ssl)
$iptables -A OUTPUT -o eth0 -m owner --uid-owner andrew -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
$iptables -A OUTPUT -o eth0 -m owner --uid-owner root -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT

$iptables -A OUTPUT -o eth0 -m owner --uid-owner andrew -p tcp -m tcp -m state --state NEW,ESTABLISHED --dport 443 -j ACCEPT
$iptables -A OUTPUT -o eth0 -m owner --uid-owner root -p tcp -m tcp -m state --state NEW,ESTABLISHED --dport 443 -j ACCEPT

# allow incoming HTTP port 80, rate-limited per source IP
# The two "recent" rules must come before the ACCEPT: once a NEW connection
# has been accepted it never reaches the later rules, so the limit would never fire.
$iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW -m recent --set
# Block if an IP has accessed more than 15 times within the past minute
$iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 60 --hitcount 15 -j DROP
$iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
$iptables -A OUTPUT -o eth0 -p tcp --sport 80 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

# WordPress Akismet Anti Spam Service
# No owner match here, so the web server's own user can reach these addresses
$iptables -A OUTPUT -p tcp -d 72.233.69.88 --dport 80 -j ACCEPT
$iptables -A OUTPUT -p tcp -d 72.233.69.89 --dport 80 -j ACCEPT
$iptables -A OUTPUT -p tcp -d 66.135.58.62 --dport 80 -j ACCEPT
$iptables -A OUTPUT -p tcp -d 66.135.58.61 --dport 80 -j ACCEPT

Don’t forget to save your rules, or append them to your iptables script, so they are re-applied after a reboot.
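The following is an added example and not the post's own script: a dry-run version of the same rule set, built as shell functions so the generated rules can be reviewed (and their ordering checked) before they are installed. It assumes the user names and interface from the post, takes the Akismet addresses as listed above (hard-coded addresses go stale and should be re-verified against the service's current DNS answers), and assumes that, as in the post's full script, anything not explicitly accepted on OUTPUT falls through to a DROP. The `IPT`, `IFACE`, `EGRESS_USERS` and `AKISMET_IPS` variables and all function names are this example's own.

```shell
#!/bin/sh
# Added example (not the post's own script): a dry-run generator for the same
# rule set. IPT defaults to "echo iptables" so the rules can be reviewed
# without root; set IPT=/sbin/iptables to install them for real.
IPT="${IPT:-echo iptables}"
IFACE="${IFACE:-eth0}"
# Assumption: the same users as in the post may open outbound HTTP/HTTPS.
EGRESS_USERS="${EGRESS_USERS:-root andrew}"
# Akismet addresses copied from the post. Hard-coded addresses go stale, so
# re-check them against the service's current DNS answers before relying on them.
AKISMET_IPS="${AKISMET_IPS:-72.233.69.88 72.233.69.89 66.135.58.62 66.135.58.61}"

# Outbound 80/443 only for named users (yum, wget, curl); everything else on
# those ports is assumed to fall through to a DROP at the end of OUTPUT.
egress_rules() {
  for u in $EGRESS_USERS; do
    for port in 80 443; do
      $IPT -A OUTPUT -o "$IFACE" -m owner --uid-owner "$u" -p tcp --dport "$port" \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    done
  done
}

# Inbound HTTP with a per-source rate limit. The two "recent" rules must come
# before the ACCEPT: an accepted NEW packet never reaches later rules, so the
# DROP would never fire if the ACCEPT were listed first.
http_in_rules() {
  $IPT -A INPUT -i "$IFACE" -p tcp --dport 80 -m state --state NEW \
    -m recent --name HTTP --set
  $IPT -A INPUT -i "$IFACE" -p tcp --dport 80 -m state --state NEW \
    -m recent --name HTTP --update --seconds 60 --hitcount 15 -j DROP
  $IPT -A INPUT -i "$IFACE" -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
  $IPT -A OUTPUT -o "$IFACE" -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
}

# Destination allowlist with no owner match, so the web server's own user
# (php-fpm, apache) can reach Akismet while everything else stays blocked.
akismet_rules() {
  for ip in $AKISMET_IPS; do
    $IPT -A OUTPUT -o "$IFACE" -p tcp -d "$ip" --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
  done
}

all_rules() { egress_rules; http_in_rules; akismet_rules; }

# Ordering check over the generated rules: succeeds only when the rate-limit
# DROP for port 80 appears before the port-80 ACCEPT in the INPUT chain.
check_order() {
  all_rules | awk '
    /-A INPUT/ && /--dport 80/ && /-j DROP/   && !drop { drop = NR }
    /-A INPUT/ && /--dport 80/ && /-j ACCEPT/ && !acc  { acc = NR }
    END { if (drop && acc && drop < acc) exit 0; exit 1 }'
}

# Number of rules the script would install.
rule_count() { all_rules | wc -l | tr -d ' '; }

# Review mode: print the rules and the result of the ordering check.
if [ "${IPT%% *}" = "echo" ]; then
  all_rules
  check_order && echo "# order check: OK" || echo "# order check: FAILED"
fi
```

Run it as-is to get the full rule list on stdout for review; run it with `IPT=/sbin/iptables` as root to apply the same rules, then persist them with your distribution's iptables save mechanism as the post says.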
