php and iptables using APACHE

Richtown · 04-21-2006, 03:36 AM

Hi all,

Running Apache 2, i have a php webpage and i want to be able to enter in 192.168.1.1 in a field press a submit button. Then when i press it i want to be able to ALLOW or BLOCK the ipaddress using iptables.

The command in php would be:

<?php
echo exec("iptables -I INPUT -s $allow_ip_address -j DROP");
echo ecec("ping -c 5 $ allow_ip_address");
?>

this doesnt seem to work tho, no matter what command i type in -D -I -A it will still ping to the string declaired

does it need to be saved to the original iptables.conf file for implementation to take place?

Kind Regards
Rich

Agrouf · 04-21-2006, 09:39 AM

Does the apache server have root privileges? Because I believe you need to be root for iptables inserts.

Richtown · 04-21-2006, 09:49 AM

I am the root user + i have changed the sudoers file to inlcude the following lines:

Cmnd_Alias IPTABLES=/sbin/iptables

# user privilege specification
root ALL=(ALL) ALL
apache ALL=NOPASSWD: IPTABLES
nobody ALL=NOPASSWD: IPTABLES

This solves the authentication problem, the php page runs fine with no errors. It just doesnt seem to do anything. I'm not sure if the PHP page has to be saved to iptables.conf for the rule to apply.

Agrouf · 04-21-2006, 09:59 AM

Quote:

Originally Posted by Richtown

I'm not sure if the PHP page has to be saved to iptables.conf for the rule to apply.

I don't think so. php is supposed to call the command exactly like bash does, isn't it? In bash, you type the iptables command and it is effective straight. And iptables.conf is just a set of rules which are inserted with the iptables command anyway.
I still don't know what is wrong though.

UK MAdMaN · 04-21-2006, 10:01 AM

Quote:

Originally Posted by Richtown

I am the root user

It doesn't matter what you're running as. Apache runs as it's own user, and if it doesn't have root access, no changes made will be saved.

Richtown · 04-21-2006, 10:08 AM

It's really strange, all my other commands work in php, like display the time/date . . .etc. yeah your rite it's only a rule and doesnt need to be saved anywhere. I know it's taking the string in as my code displays it before the iptables command. Any suggestions for troubleshooting im stumpt?

Agrouf · 04-21-2006, 10:08 AM

Did you try the command in bash and see if it works like that?

Richtown · 04-21-2006, 10:10 AM

Quote:

Cmnd_Alias IPTABLES=/sbin/iptables

# user privilege specification
root ALL=(ALL) ALL
apache ALL=NOPASSWD: IPTABLES
nobody ALL=NOPASSWD: IPTABLES

ok, but i have still edited this file and it should resolve this? but then again i'm not to sure.

Agrouf · 04-21-2006, 10:13 AM

add a sudo before iptables.

Richtown · 04-21-2006, 10:13 AM

The command works fine in the Terminal, i can block an ip and allow an ip with the above code. No matter what i do in php the ip is always allowed.

Richtown · 04-21-2006, 10:19 AM

Could u explain in "newbie" terms. sorry uve kind of lost me.

Agrouf · 04-21-2006, 10:22 AM

try this :

<?php
echo exec("sudo iptables -I INPUT 1 -s $allow_ip_address -j DROP");
echo exec("ping -c 5 $allow_ip_address");
?>

Richtown · 04-21-2006, 10:34 AM

still no luck: this is the output i get.

192.168.1.1
rtt min/avg/max/mdev = 0.632/0.672/0.822/0.075 ms

The ip address can still be pinged.

Agrouf · 04-22-2006, 06:51 AM

weird.
Tryed to use the system instead of exec?