Linux Firewall: Executing Iprules Using PHP

Zozzu-securing-network-serverA firewall keeps the network secure by analysing packets and determining whether they should be allowed through or not. This article shows how to manipulate Iprules using PHP scripts.

Linux has its own firewall that contains iptables that perform packet filtering and set up masquerading. Iptables is a user space command line program. It stores the set of iprules and ipchains to configure the Linux firewall. Ipchains is a set of commands stored in the iptables space.
Now let’s look at a simple iprule, which demonstrates how to stop an incoming echo request. To do so, the following iprule is used: iptables –I INPUT –p icmp –icmp-type echo-request –j DROP. In the above iprule, -I parameter indicates the insert rule at the beginning in ipchain, -p parameter indicates protocol, while –icmp-type parameter has two possible values: echo-request and echo-reply. Since you want to stop incoming ping requests, echo-request is chosen; the -j parameter indicates a jump to a specified target when the packet matches the rule. For more details about iptables and iprules, go to the link indicated in reference [1]. After executing the above rule, the machine does not take requests from other machines in the network.
To reduce the burden of remembering various iprules, you can have a GUI that takes only parameter values according to packet processing by the firewall, form a rule and execute it by PHP. But the PHP page will be executed by a Web server, so the Web server must have sudo powers to make changes in iptables by executing PHP scripts. This article shows you how to give sudo power to the Apache Web server, the changes required and how to execute them. In the boot folder, the kernel configuration file is required to be changed. The CONFIG_NETFILTERING option is used when the computer works as a firewall or router.
If CONFIG_NETFILTERING is commented then uncomment it and set the value of CONFIG_NETFILTERING=Y. If the CONFIG_NETFILTERING attribute is missing then add it and compile the kernel by executing the following three commands:

make
make_modules
make install

Disable se-linux firewall and another firewall.
Open the visudo file and make Apache (the Web server used to execute PHP scripts) a sudo user: Apache ALL = (apache) NOPASSWD: ALL, (root) /sbin/iptable
In the example given below, the user interface shown in Figure 1 takes parameter values from the user and passes them to the PHP page. The code given below shows how to execute iprule in iptables:

<?php

$id = $_POST['ruleid']; //rule no.
$op1 = $_POST['s']; //chain option in case of filtering
$op2 = $_POST['s1']; // chain option in case of NAT
$tab = $_POST['table']; //filtering or NAT

echo "<pre>";

if($tab == "filter")
{
$cont  = "sudo iptables -D $op1 $id";
shell_exec($cont);
print "<script>alert('Rule $id from $op1 is deleted');</script>";
include("deleterule.php");
exit();
}
else
{
$cont = "sudo iptables -t nat -D $op2 $id";
shell_exec($cont);
print "<script>alert('Rule $id from $op2 is deleted');</script>";
include("deleterule.php");
exit();
}

?>

<a href="http://www.opensourceforu.com/wp-content/uploads/2013/12/Figure-16.jpg"><img class="alignleft size-full wp-image-13229" alt="Figure-1" src="http://www.opensourceforu.com/wp-content/uploads/2013/12/Figure-16.jpg" width="583" height="373" /></a>

$_POST is an associative array used to get the form field’s value if the form data is transferred via the post method. To execute a formed string (iprule) on the basis of entered parameter values, the shell_exec() function is used. The above code is used to delete a specific input chain rule, an output chain rule or forward chain rule by filtering and pre-routing or post-routing the chain rule from NAT by giving a rule number.

References
[1]     http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables#.UVGokheovX9
[2]  http://www.php.net/manual/en/

 

All published articles are released under Creative Commons Attribution-NonCommercial 3.0 Unported License, unless otherwise noted.
Open Source For You is powered by WordPress, which gladly sits on top of a CentOS-based LEMP stack.

Creative Commons License.