Login   Register  
PHP Classes
elePHPant
Icontem

File: README

Recommend this page to a friend!
Stumble It! Stumble It! Bookmark in del.icio.us Bookmark in del.icio.us
  Classes of giuseppe lucarelli  >  phphilter  >  README  >  Download  
File: README
Role: Documentation
Content type: text/plain
Description: documentation file
Class: phphilter
Grant access to remote users using iptables
Author: By
Last change: changed user access
Date: 5 years ago
Size: 3,276 bytes
 

Contents

Class file image Download
PhPhilter

grant access to remote server/port via iptables packet filtering

==========================================

Version 0.1 (June 2009)

This class can allow or deny access to a specific port via *nix 'iptables' command.
I developed this class because i have an application running under tomcat on port 9521,
and there is no way for me to use an apache 'htaccess' method to manage accesses to this port.
With this script i have created a web page redirecting browser requests to tomcat server.
For all granted access, will be inserted in my firewall list a rule with port 9521 access.
User can be enabled with user/password or by ip.

Installation:

- copy class.phphilter.php and auth.php scripts to a web accessible folder.
- change auth.php redirect url to your application. Rename auth.php to index.php if you like.
- enable apache user to use 'iptables' with sudo and without password request,
  editing /etc/sudoers and adding a row with:

wwwrun ALL= PASSWD:ALL, NOPASSWD: /usr/sbin/iptables

be aware that apache user could be different from 'wwwrun' and 'iptables' pathname could be different too.

- Edit class.phpfilter.php and adjust some values:

_IPTABLES        check if 'sudo' and 'iptables' commands need to be changed
_CHAIN           firewall CHAIN (default 'INPUT')
_PORT            set to port value
_HOST_ALLOW      insert all fix ip values with granted access without user/password request, comma separated.
                 you can put here a simple ip value or ip range (ie. '195.110.135.42' or '195.110.135.128/25')
_HOST_DENY       insert all ip you deny access, in the same way of _HOST_ALLOW
$passwd          all user/password values

- configure your firewall inserting a rule like this:

iptables -A INPUT -p tcp --dport 9521 -j DROP

   so at next reboot all accesses to this port will be denied until users will authenticate themselves,
   where 'INPUT' is the same value of '_CHAIN' class field and '9521' is the same value of '_PORT' class field.




example:

my initial firewall INPUT chain situation:

admin@linux-peppe:~> sudo /usr/sbin/iptables -L INPUT -n

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:9521



after first access from authorized/authenticated user with ip 127.0.0.1 (localhost):

admin@linux-peppe:~> sudo /usr/sbin/iptables -L INPUT -n

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  127.0.0.1            0.0.0.0/0           tcp dpt:9521
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:9521



after second access from authorized/authenticated user with ip 10.98.61.138:

admin@linux-peppe:~> sudo /usr/sbin/iptables -L INPUT -n

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  10.98.61.138         0.0.0.0/0           tcp dpt:9521
ACCEPT     tcp  --  127.0.0.1            0.0.0.0/0           tcp dpt:9521
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:9521

and so on.



Download: http://www.phpclasses.org

Giuseppe Lucarelli
giu.lucarelli@gmail.com


Enjoy!