projects

Can php control access to a port?

I've been searching but can't seem to find anything on this.
Can php directly control a tcp port and allow/deny access to it?

Basically, the idea is to have a php function which allows only curl authenticated connections to run a test against the iperf service on the server.

I guess I could allow the client by having php allow its IP for the connection to the port using iptables but I am hoping there might be a simpler way where php could control access to the port or the service based on the client being authenticated.
SOLUTION
Ray Paseur
Dave Baldwin
I don't believe it can.  That is a function of the operating system.  The networking software and 'iptables' are encountered long before any PHP code is run.  PHP gets its request after all of that is done.
projects

ASKER

All of my app is based on curl authentication which means at least I could let php know I am authorized to use such and such.

Whatever the solution is, it needs to control that port or service right?
@Dave;

>The networking software and 'iptables' are encountered long before any PHP code is run.  
>PHP gets its request after all of that is done.

Yes but once a client is authenticated, anything could be changed. Its IP could be allowed in iptables and reloaded very quickly.

However, I would want something where the port is always fully open but where php controls access to it.
Thing is, as mentioned before, that implies that php would have to somehow have full control of that port.
ASKER CERTIFIED SOLUTION
You're right about not giving php root access but I would not do that.
That's why I'm here looking for ideas by posting :)
Why are you trying to use PHP?  I have no idea what a 'curl authenticated connection' is.  Do you have your own server to run this on?

Since iperf must run on both ends of the connection, SSH sounds like an alternative to me.  The problem there is restricting access to run iperf.
Php is in the mix because the clients are connecting using authenticated curl to php.
Yes, it's running on my own server.
Using ssh or iperf on the clients, I'm not sure how that restricts access to the clients only. As you mention, that is in fact the question. Trying to find a way of allowing only authenticated clients to run iperf.
You have to use iperf on the clients because that is the client side of the test.  iperf on the client (in client mode) connects to iperf on the server (in server mode) to run the tests.  http://openmaniak.com/iperf.php
I was looking to set up iperf on my systems here and ran into iperf2 and iperf3.  While iperf3 is the most current version, GitHub says that Windows is not yet supported in iperf3.  Iperf2 is supported for both Linux and Windows and Mac so maybe I'll try that.
I installed iperf2 on a Linux box and on this Windows machine.  I used the Linux box as the server and this machine as the client.  In the most basic test, it tells me that I have 80.3 Mbits/sec connection.
Yes, the clients ARE acting as the clients, using -c.
Yes, the whole thing is using Linux. I fear MS anything whatsoever.

The tests run just fine but the problem is needing to block public, allowing only my own devices.

The question is how to protect iperf from being abused, allowing only my own authenticated devices to use iperf. The clients (devices) are my own out in the field which need to connect to my server to run their test.

I do not know their IPs BUT php does when the client authenticates for access. I could use that information to quickly allow that IP over iptables for example but since I could have hundreds of devices connecting at the same time, that might not work very well. I don't know if iptables can use an external list of IPs for example, that could work.

Anyhow, looking to cobble something together which will allow only my own devices to use iperf.
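
On the question above of whether iptables can consult an external list of IPs: the `ipset` tool provides that, with per-entry timeouts. The sketch below is an added example, not code from anyone in this thread; it assumes PHP only queues authenticated client addresses one per line and a separate root-owned helper validates them, and the set name `iperf_allowed`, port 5001 and the 300-second expiry are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed names: ipset set
# "iperf_allowed", TCP port 5001 (iperf2 default), 300 s expiry.
# One-time setup as root:
#   ipset create iperf_allowed hash:ip timeout 300
#   iptables -A INPUT -p tcp --dport 5001 -m set --match-set iperf_allowed src -j ACCEPT
#   iptables -A INPUT -p tcp --dport 5001 -j DROP
SET_NAME="iperf_allowed"
TTL=300

# Succeed only for a strict dotted-quad IPv4 address, so nothing else from
# the web tier ever reaches a root command line.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in 0?*|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Read one address per line on stdin; print an ipset command for each valid
# one. -exist refreshes the timeout when a client authenticates again.
build_commands() {
    while IFS= read -r ip; do
        if valid_ipv4 "$ip"; then
            printf 'ipset add %s %s timeout %s -exist\n' "$SET_NAME" "$ip" "$TTL"
        else
            printf 'rejected entry\n' >&2
        fi
    done
}

# Constructed sample queue: documentation addresses plus two bad entries.
SAMPLE_QUEUE='203.0.113.10
198.51.100.7; id
192.0.2.300
192.0.2.44'

# Dry run: show what the root-side helper would execute.
printf '%s\n' "$SAMPLE_QUEUE" | build_commands
```

Because entries expire on their own, the web application never needs permission to remove rules or reload the firewall.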
@Ray;

I don't see anything for remote_port in the link you sent me. I also can't find anything about that searching the net, other than finding the remote port of an incoming connection.
In the end, giving php access to controlling iptables is a bad idea, which is a good point. I have found another way of doing this so no need to get weird with php :)