PHP Classes

phphilter: Grant access to remote users using iptables

Recommend this page to a friend!
  Info   View files View files (3)   DownloadInstall with Composer Download .zip   Reputation   Support forum   Blog    
Ratings Unique User Downloads Download Rankings
Not enough user ratingsTotal: 586 All time: 5,248 This week: 174Up
Version License PHP version Categories
phphilter 0.1GNU General Publi...5.0HTTP, PHP 5, Unix, Security
Description Author

This class can be used to grant access to remote users using iptables.

It can execute the iptables command on Linux to verify whether the current user IP address was authorized to access another server with a given IP and port number.

The class may grant access to the user IP address and make the necessary alter iptables configuration if the user provides a valid user name and password via HTTP authentication.

Innovation Award
PHP Programming Innovation award nominee
July 2009
Number 4


Prize: One copy of the Zend Studio
iptables is a program available under Linux that can be used to control the packets of TCP/IP protocols sent and received from and to other machines.

This class provides an interface to control iptables configuration. It can be used to easily configure a Linux machine to act as a network firewall or as a router.

Manuel Lemos
Picture of giuseppe lucarelli
Name: giuseppe lucarelli <contact>
Classes: 5 packages by
Country: Italy Italy
Age: 64
All time rank: 85433 in Italy Italy
Week rank: 587 Up28 in Italy Italy Up
Innovation award
Innovation award
Nominee: 2x

Details
PhPhilter grant access to remote server/port via iptables packet filtering ========================================== Version 0.1 (June 2009) This class can allow or deny access to a specific port via *nix 'iptables' command. I developed this class because i have an application running under tomcat on port 9521, and there is no way for me to use an apache 'htaccess' method to manage accesses to this port. With this script i have created a web page redirecting browser requests to tomcat server. For all granted access, will be inserted in my firewall list a rule with port 9521 access. User can be enabled with user/password or by ip. Installation: - copy class.phphilter.php and auth.php scripts to a web accessible folder. - change auth.php redirect url to your application. Rename auth.php to index.php if you like. - enable apache user to use 'iptables' with sudo and without password request, editing /etc/sudoers and adding a row with: wwwrun ALL= PASSWD:ALL, NOPASSWD: /usr/sbin/iptables be aware that apache user could be different from 'wwwrun' and 'iptables' pathname could be different too. - Edit class.phpfilter.php and adjust some values: _IPTABLES check if 'sudo' and 'iptables' commands need to be changed _CHAIN firewall CHAIN (default 'INPUT') _PORT set to port value _HOST_ALLOW insert all fix ip values with granted access without user/password request, comma separated. you can put here a simple ip value or ip range (ie. '195.110.135.42' or '195.110.135.128/25') _HOST_DENY insert all ip you deny access, in the same way of _HOST_ALLOW $passwd all user/password values - configure your firewall inserting a rule like this: iptables -A INPUT -p tcp --dport 9521 -j DROP so at next reboot all accesses to this port will be denied until users will authenticate themselves, where 'INPUT' is the same value of '_CHAIN' class field and '9521' is the same value of '_PORT' class field. example: my initial firewall INPUT chain situation: admin@linux-peppe:~> sudo /usr/sbin/iptables -L INPUT -n Chain INPUT (policy ACCEPT) target prot opt source destination DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9521 after first access from authorized/authenticated user with ip 127.0.0.1 (localhost): admin@linux-peppe:~> sudo /usr/sbin/iptables -L INPUT -n Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT tcp -- 127.0.0.1 0.0.0.0/0 tcp dpt:9521 DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9521 after second access from authorized/authenticated user with ip 10.98.61.138: admin@linux-peppe:~> sudo /usr/sbin/iptables -L INPUT -n Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT tcp -- 10.98.61.138 0.0.0.0/0 tcp dpt:9521 ACCEPT tcp -- 127.0.0.1 0.0.0.0/0 tcp dpt:9521 DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9521 and so on. Download: http://www.phpclasses.org Giuseppe Lucarelli giu.lucarelli@gmail.com Enjoy!
  Files folder image Files  
File Role Description
Accessible without login Plain text file auth.php Example sample script to run phphilter class
Plain text file class.phphilter.php Class class script source
Accessible without login Plain text file README Doc. documentation file

 Version Control Unique User Downloads Download Rankings  
 0%
Total:586
This week:0
All time:5,248
This week:174Up