Please note, this is a working document. If you see anything that’s missing or needs more info, please do let me know.
We really don’t want much in the way of outbound traffic coming from our WordPress install. Malicious scripts and plugins will try to “phone home”, potentially deny someone else’s webserver of service, or download more malicious scripts to be used on your website.
Unfortunately, in some cases we *want* WordPress to connect outbound, for example when installing new plugins.
Now, if you install your plugins and themes manually you don’t need to do any of this: you can just upload the zip file onto your webserver and unzip it into the wp-content/plugins directory. However, in the event that you want to search for and install plugins from the dashboard, here’s how you can configure iptables.
The following assumes that your default firewall policy is to DROP outbound packets (OUTPUT -P DROP).
During my logging, it seems that the dashboard uses the same host/IP address when querying plugins (220.127.116.11), which does indeed have a WordPress PTR record (250.40.155.66.in-addr.arpa domain name pointer wordpress.org.) and, when used in the browser, resolves to wordpress.org. We need to allow outbound packets on port 80 from our server to this IP address.
The basic rule is:
OUTPUT -p tcp --dport 80 -d 18.104.22.168 -m conntrack --ctstate NEW --syn -j ACCEPT
Now there are a couple of ways you can do this. You can insert this rule at the top of the OUTPUT chain with
iptables -I OUTPUT -p tcp --dport 80 -d 22.214.171.124 -m conntrack --ctstate NEW --syn -j ACCEPT
or you can hand-edit /etc/sysconfig/iptables and add the rule into the chain there.
Personally, I wanted to keep it a little tidier, so I created a new chain for WordPress (OUTPUT_WP) and added it there.
Turns out WordPress will try port 80 first (http) and then fall back to port 443 (https). Seeing as SSL is much more desirable in this context, we can instead allow only destination port (--dport) 443.
Also, it would seem that WordPress has more IP addresses in that range, and although it will still work with just the one IP address, it seems to make sense to allow it to fail over to another quickly enough. I’ll add more of these as time goes by.
So now we have:
OUTPUT -p tcp --dport 443 -m iprange --dst-range 126.96.36.199-188.8.131.52 -m conntrack --ctstate NEW --syn -j ACCEPT
A word about email
In order for your WordPress instance to send email, it not only needs an MTA (postfix or sendmail, perhaps) but also needs to egress on TCP port 25:
OUTPUT -p tcp --dport smtp -m conntrack --ctstate NEW --syn -j ACCEPT
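Putting the above together: the following script is an added example, not code from the original post, that builds the OUTPUT_WP chain with the 443 and SMTP rules and hooks it into OUTPUT, with a dry-run mode so the rules can be reviewed before they are applied. The ESTABLISHED,RELATED, loopback and DNS allowances it assumes are not covered by the post, and the LOG rule for dropped egress is my addition.

```shell
#!/bin/sh
# Added example (not code from the original post): build the WordPress egress
# allow-list in its own OUTPUT_WP chain, as the post describes, and hook it into
# OUTPUT. Usage: "sh wp-egress.sh dry-run" prints the commands, "apply" runs them
# as root. Assumptions not stated in the post: OUTPUT already accepts loopback
# and ESTABLISHED,RELATED (or the NEW-only rules never see a reply) and already
# allows DNS, since the dashboard reaches wordpress.org by name.
WP_RANGE="${WP_RANGE:-126.96.36.199-188.8.131.52}"   # wordpress.org range from the post
WP_PORTS="${WP_PORTS:-443}"   # 443 is preferred; add 80 only if you must
DRY_RUN="${DRY_RUN:-}"

ipt() {
  # Print instead of executing when DRY_RUN is set, so rules can be reviewed.
  if [ -n "$DRY_RUN" ]; then echo "iptables $*"; else iptables "$@"; fi
}

wp_egress_rules() {
  # Create the chain if needed, then empty it so re-runs do not duplicate rules.
  ipt -N OUTPUT_WP 2>/dev/null || true
  ipt -F OUTPUT_WP
  for p in $WP_PORTS; do
    ipt -A OUTPUT_WP -p tcp --dport "$p" -m iprange --dst-range "$WP_RANGE" \
        -m conntrack --ctstate NEW --syn -j ACCEPT
  done
  # Outbound mail from the local MTA (postfix, sendmail) on TCP 25.
  ipt -A OUTPUT_WP -p tcp --dport 25 -m conntrack --ctstate NEW --syn -j ACCEPT
  # Anything not matched falls back into OUTPUT, whose DROP policy discards it.
  # Re-insert the jump at the top of OUTPUT (delete first, so it exists once).
  ipt -D OUTPUT -j OUTPUT_WP 2>/dev/null || true
  ipt -I OUTPUT 1 -j OUTPUT_WP
}

log_dropped_egress() {
  # Last rule in OUTPUT, just before the DROP policy: log what is about to be
  # dropped, rate limited so a noisy script cannot flood the kernel log.
  ipt -D OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUT-DROP:" 2>/dev/null || true
  ipt -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUT-DROP:"
}

case "${1:-}" in
  dry-run) DRY_RUN=1; wp_egress_rules; log_dropped_egress ;;
  apply)   wp_egress_rules; log_dropped_egress ;;
esac
```

After applying, `iptables -S OUTPUT_WP` shows the chain and `dmesg | grep OUT-DROP:` shows any egress the policy is rejecting, which is the quickest way to spot a plugin trying to phone home.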