PHP Classes

File: README

Recommend this page to a friend!
  Classes of giuseppe lucarelli   phphilter   README   Download  
File: README
Role: Documentation
Content type: text/plain
Description: documentation file
Class: phphilter
Grant access to remote users using iptables
Author: By
Last change: changed user access
Date: 14 years ago
Size: 3,276 bytes
 

Contents

Class file image Download
PhPhilter grant access to remote server/port via iptables packet filtering ========================================== Version 0.1 (June 2009) This class can allow or deny access to a specific port via *nix 'iptables' command. I developed this class because i have an application running under tomcat on port 9521, and there is no way for me to use an apache 'htaccess' method to manage accesses to this port. With this script i have created a web page redirecting browser requests to tomcat server. For all granted access, will be inserted in my firewall list a rule with port 9521 access. User can be enabled with user/password or by ip. Installation: - copy class.phphilter.php and auth.php scripts to a web accessible folder. - change auth.php redirect url to your application. Rename auth.php to index.php if you like. - enable apache user to use 'iptables' with sudo and without password request, editing /etc/sudoers and adding a row with: wwwrun ALL= PASSWD:ALL, NOPASSWD: /usr/sbin/iptables be aware that apache user could be different from 'wwwrun' and 'iptables' pathname could be different too. - Edit class.phpfilter.php and adjust some values: _IPTABLES check if 'sudo' and 'iptables' commands need to be changed _CHAIN firewall CHAIN (default 'INPUT') _PORT set to port value _HOST_ALLOW insert all fix ip values with granted access without user/password request, comma separated. you can put here a simple ip value or ip range (ie. '195.110.135.42' or '195.110.135.128/25') _HOST_DENY insert all ip you deny access, in the same way of _HOST_ALLOW $passwd all user/password values - configure your firewall inserting a rule like this: iptables -A INPUT -p tcp --dport 9521 -j DROP so at next reboot all accesses to this port will be denied until users will authenticate themselves, where 'INPUT' is the same value of '_CHAIN' class field and '9521' is the same value of '_PORT' class field. example: my initial firewall INPUT chain situation: admin@linux-peppe:~> sudo /usr/sbin/iptables -L INPUT -n Chain INPUT (policy ACCEPT) target prot opt source destination DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9521 after first access from authorized/authenticated user with ip 127.0.0.1 (localhost): admin@linux-peppe:~> sudo /usr/sbin/iptables -L INPUT -n Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT tcp -- 127.0.0.1 0.0.0.0/0 tcp dpt:9521 DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9521 after second access from authorized/authenticated user with ip 10.98.61.138: admin@linux-peppe:~> sudo /usr/sbin/iptables -L INPUT -n Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT tcp -- 10.98.61.138 0.0.0.0/0 tcp dpt:9521 ACCEPT tcp -- 127.0.0.1 0.0.0.0/0 tcp dpt:9521 DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9521 and so on. Download: http://www.phpclasses.org Giuseppe Lucarelli giu.lucarelli@gmail.com Enjoy!