PHP Classes
elePHPant
Icontem

phphilter: Grant access to remote users using iptables

Recommend this page to a friend!
  Info   View files View files (3)   DownloadInstall with Composer Download .zip   Reputation   Support forum   Blog    
Last Updated Ratings Unique User Downloads Download Rankings
2009-07-01 (7 years ago) RSS 2.0 feedNot enough user ratingsTotal: 549 All time: 5,248 This week: 1,045Up
Version License PHP version Categories
phphilter 0.1GNU General Publi...5.0HTTP, PHP 5, Unix, Security
Description Author

This class can be used to grant access to remote users using iptables.

It can execute the iptables command on Linux to verify whether the current user IP address was authorized to access another server with a given IP and port number.

The class may grant access to the user IP address and make the necessary alter iptables configuration if the user provides a valid user name and password via HTTP authentication.

Innovation Award
PHP Programming Innovation award nominee
July 2009
Number 4


Prize: One copy of the Zend Studio
iptables is a program available under Linux that can be used to control the packets of TCP/IP protocols sent and received from and to other machines.

This class provides an interface to control iptables configuration. It can be used to easily configure a Linux machine to act as a network firewall or as a router.

Manuel Lemos
Picture of giuseppe lucarelli
Name: giuseppe lucarelli <contact>
Classes: 5 packages by
Country: Italy Italy
Innovation award
Innovation award
Nominee: 2x

Details
PhPhilter

grant access to remote server/port via iptables packet filtering

==========================================

Version 0.1 (June 2009)

This class can allow or deny access to a specific port via *nix 'iptables' command.
I developed this class because i have an application running under tomcat on port 9521,
and there is no way for me to use an apache 'htaccess' method to manage accesses to this port.
With this script i have created a web page redirecting browser requests to tomcat server.
For all granted access, will be inserted in my firewall list a rule with port 9521 access.
User can be enabled with user/password or by ip.

Installation:

- copy class.phphilter.php and auth.php scripts to a web accessible folder.
- change auth.php redirect url to your application. Rename auth.php to index.php if you like.
- enable apache user to use 'iptables' with sudo and without password request,
  editing /etc/sudoers and adding a row with:

wwwrun ALL= PASSWD:ALL, NOPASSWD: /usr/sbin/iptables

be aware that apache user could be different from 'wwwrun' and 'iptables' pathname could be different too.

- Edit class.phpfilter.php and adjust some values:

_IPTABLES        check if 'sudo' and 'iptables' commands need to be changed
_CHAIN           firewall CHAIN (default 'INPUT')
_PORT            set to port value
_HOST_ALLOW      insert all fix ip values with granted access without user/password request, comma separated.
                 you can put here a simple ip value or ip range (ie. '195.110.135.42' or '195.110.135.128/25')
_HOST_DENY       insert all ip you deny access, in the same way of _HOST_ALLOW
$passwd          all user/password values

- configure your firewall inserting a rule like this:

iptables -A INPUT -p tcp --dport 9521 -j DROP

   so at next reboot all accesses to this port will be denied until users will authenticate themselves,
   where 'INPUT' is the same value of '_CHAIN' class field and '9521' is the same value of '_PORT' class field.




example:

my initial firewall INPUT chain situation:

admin@linux-peppe:~> sudo /usr/sbin/iptables -L INPUT -n

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:9521



after first access from authorized/authenticated user with ip 127.0.0.1 (localhost):

admin@linux-peppe:~> sudo /usr/sbin/iptables -L INPUT -n

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  127.0.0.1            0.0.0.0/0           tcp dpt:9521
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:9521



after second access from authorized/authenticated user with ip 10.98.61.138:

admin@linux-peppe:~> sudo /usr/sbin/iptables -L INPUT -n

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  10.98.61.138         0.0.0.0/0           tcp dpt:9521
ACCEPT     tcp  --  127.0.0.1            0.0.0.0/0           tcp dpt:9521
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:9521

and so on.



Download: http://www.phpclasses.org

Giuseppe Lucarelli
giu.lucarelli@gmail.com


Enjoy!
  Files folder image Files  
File Role Description
Accessible without login Plain text file auth.php Example sample script to run phphilter class
Plain text file class.phphilter.php Class class script source
Accessible without login Plain text file README Doc. documentation file

 Version Control Unique User Downloads Download Rankings  
 0%
Total:549
This week:0
All time:5,248
This week:1,045Up