
shell exec iptables php


nickybg

9:42 am on Nov 3, 2023 (gmt 0)



Hello, I have the following problem:

<?php
// $mac is assumed to be set earlier in the script.
// escapeshellarg() keeps the value from being interpreted by the shell.
$chain = shell_exec("sudo iptables -t mangle -L | grep " . escapeshellarg(strtoupper($mac)));
echo "<pre>$chain</pre>";
?>

The above code does not execute.

In sudoers I have added:
www-data ALL = NOPASSWD: /usr/sbin/iptables

and yet it doesn't work.
shell_exec is enabled and some other commands are executed, but this one is not.

The commands below work:
shell_exec("iptables -h");

shell_exec("iptables -V");

In sudoers:
www-data ALL = NOPASSWD: /sbin/iptables -t mangle -A chain_name -m mac --mac-source ?\:?\:?\:?\:?\:? -j MARK --set-mark 2

$i = "sudo iptables -t mangle -A chain_name -m mac --mac-source $mac -j MARK --set-mark 2";
exec($i);

What could be the problem?

dstiles

10:04 am on Nov 4, 2023 (gmt 0)




I had a similar problem several months ago. My solution...
function do_iptable($ip) {
    $shellObj = \MTS\Factories::getDevices()->getLocalHost()->getShell('bash', false);
    // Pass the shellObj to the following function with root credentials.
    \MTS\Factories::getActions()->getRemoteUsers()->changeUser($shellObj, 'root', 'password');
    // no actual return but in case future...
    $rtn = $shellObj->exeCmd("/srv/phptabip $ip");
    $shellObj->terminate();
    return($rtn);
}

in webserver root...
#!/bin/bash
#
# add given IP to iptables Dynamic port 443 from php
# assumed incoming ip is valid format
# do not add to rules.v4

ip=$1
if [ "$ip" = "" ]; then exit; fi
/usr/sbin/iptables -I Dynamic -s "$ip" -p tcp --dport 443 -j DROP

There is one significant problem: It takes about 250 ms for the value to get to iptables. During this period there can be several other IP hits and there is an interaction that means the iptables inhibition does not occur until no more hits with a given IP for about 250 ms. If you can overcome this I'd be grateful. :)
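An added example, not code from either poster: a wrapper script (hypothetical path /srv/phptabip-safe) that validates its single argument before running a fixed iptables command, so the sudoers entry for www-data can name only this script and PHP never hands raw argv to iptables. It covers both the MAC-marking rule from the first post and the IP-blocking rule above, and assumes iptables lives at /usr/sbin/iptables and the chain names used in the posts.

```bash
#!/bin/bash
# Hypothetical wrapper (assumed path /srv/phptabip-safe): the only command
# www-data is granted in sudoers, so PHP never hands raw argv to iptables.
IPTABLES=/usr/sbin/iptables   # assumed location

# 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ip() {
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# 0 if $1 is a MAC address of six colon-separated hex pairs.
valid_mac() {
  printf '%s' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Echo the fixed iptables command for a known action and validated value;
# return 2 (and echo nothing) for anything else.
build_rule() {
  action=$1; value=$2
  case $action in
    block-ip)   # dstiles' rule: drop TCP/443 from one source in chain Dynamic
      valid_ip "$value" || return 2
      echo "$IPTABLES -I Dynamic -s $value -p tcp --dport 443 -j DROP" ;;
    mark-mac)   # nickybg's rule: mark packets from one MAC in chain_name
      valid_mac "$value" || return 2
      mac=$(printf '%s' "$value" | tr 'a-f' 'A-F')
      echo "$IPTABLES -t mangle -A chain_name -m mac --mac-source $mac -j MARK --set-mark 2" ;;
    *) return 2 ;;
  esac
}

main() {
  rule=$(build_rule "$1" "$2") || { echo "refused: $1 $2" >&2; exit 2; }
  # Word-splitting is intended: every token in $rule was validated above.
  exec $rule
}

# Only act when invoked with arguments (e.g. from PHP via sudo); sourcing
# the file leaves the functions defined without running anything.
if [ $# -gt 0 ]; then main "$@"; fi
```

With this in place the sudoers line shrinks to one fixed path (`www-data ALL = NOPASSWD: /srv/phptabip-safe`), and PHP calls `sudo /srv/phptabip-safe mark-mac <mac>` with the value passed through escapeshellarg().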

nickybg

2:30 pm on Nov 4, 2023 (gmt 0)



There is one way. After the user logs into the system with a username and password, the IP address and MAC address are recorded in a flat file and simultaneously in iptables. A match is searched for in the flat file. Matches can be searched for by repeated MAC address or IP, as well as for simultaneous login of the same user. If there is one, it is automatically deleted from the file and from iptables and the last entry is added.
After the user logs out, the corresponding records are automatically deleted, both from the flat file and from iptables.

dstiles

4:17 pm on Nov 4, 2023 (gmt 0)




Sorry, this is nothing to do with logins; I'm using it to block unwanted hits from hackers.