I played with this same problem a few months back - using PHP via Apache to open and close ports in a remote firewall so I didn't have to hand out root-level ssh logins to the "part time" web admins.
It was a challenge, but here's what I did... (RedHat 8, but you should be able to figure it out for whatever distro you use).
Edit your "sudoers" file. /etc/sudoers
Add this entry at the bottom:
apache ALL=NOPASSWD: /sbin/iptables
This will allow the apache user to issue commands to iptables.
Then, write your php script like this...
PHP Code:
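// Build the rule. It has to go through sudo, with the path from the
// sudoers entry, or the apache user is not permitted to change iptables.
$open_rule = "sudo /sbin/iptables -A TABLENAME -s 123.123.123.123 -j ACCEPT";
// Execute the rule on the system (PHP's backtick operator runs a shell command)
`$open_rule`;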
Each time this script is executed, you will see an entry showing what was executed in your /var/log/secure log so you can keep an eye on what's happening.
As a side note and a tip... I also include in my script a piece that will write each "open rule" to a MySQL table. Then, to reverse the rule, all I have to do is read the entry from the table, replace the "-A" with "-D" and issue the same command again, and it will delete the rule from iptables, so I can easily open, then turn around and close the remote ports easily.
I'm sure you could use the same logic to run "iptables -L" and display the current firewall configuration on a web page for the user to see also for remote management, though I've never actually tried this.
Hope that helps. Took me about 2 or 3 days to figure this out on my own.
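
Added example, not part of the original post: one way to build the open rule and its "-D" reversal in PHP when the source address comes from user input, validating the address and quoting every argument before it reaches sudo. The chain name WEBADMIN, the function names and the sample addresses are assumptions made for this illustration.

```php
<?php
// Added example, not the poster's code. CHAIN and the addresses are constructed.
const IPTABLES = '/sbin/iptables';   // path from the sudoers entry
const CHAIN    = 'WEBADMIN';         // hypothetical chain name

// Build the argument vector for an add (-A) or delete (-D) rule.
// Only a plain IPv4 address is accepted, so nothing else reaches iptables.
function build_rule(string $action, string $ip): array
{
    if ($action !== '-A' && $action !== '-D') {
        throw new InvalidArgumentException('action must be -A or -D');
    }
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        throw new InvalidArgumentException('not an IPv4 address');
    }
    return ['sudo', '-n', IPTABLES, $action, CHAIN, '-s', $ip, '-j', 'ACCEPT'];
}

// Reverse a stored "open" rule by swapping only the action argument.
function reverse_rule(array $argv): array
{
    $argv[3] = '-D';
    return $argv;
}

// Quote every argument and join them into one command line.
function to_command(array $argv): string
{
    return implode(' ', array_map('escapeshellarg', $argv));
}

// Run the rule through the shell; true when iptables exits with status 0.
function run_rule(array $argv): bool
{
    exec(to_command($argv) . ' 2>&1', $output, $status);
    return $status === 0;
}

// Constructed sample input: print the commands instead of running them.
$open = build_rule('-A', '192.0.2.10');
echo to_command($open), PHP_EOL;
echo to_command(reverse_rule($open)), PHP_EOL;
try {
    build_rule('-A', '192.0.2.10; echo x');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```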