Support » Plugin: NinjaFirewall (WP Edition) - Advanced Security » Can I include IPs using CIDR notation in htninja?

  • Resolved lucabarelli

    (@lucabarelli)


    As per title, is it possible to include IP blocks using CIDR notation (tried it and doesn’t throw exceptions) and will NFW follow these rules?
    Thanks!

Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Author nintechnet

    (@nintechnet)

    Hi,

    You will need to add your own code to check if the visitor’s IP matches the CIDR and then, if it does, to return ‘BLOCK’ (which will instruct the firewall to block the visitor).

    PHP website has a sample of such a code: http://php.net/manual/en/ref.network.php#74656

    Thank you for your quick reply!
    Your firewall looks great but I’ve tried to include my IP in the BLOCK list in htninja and still I can access my blog without receiving an 403 error. Below some of my code (“xxx” stands for removed info):

    define('NFW_ALLOWED_ADMIN', 'xxx');
    if (! empty($_SERVER["HTTP_CF_CONNECTING_IP"]) &&
       filter_var($_SERVER["HTTP_CF_CONNECTING_IP"], FILTER_VALIDATE_IP) ) {
    	$_SERVER["REMOTE_ADDR"] = $_SERVER["HTTP_CF_CONNECTING_IP"];}
    
    $ip_array = array('x.x.x', 'x.x.x/12', 'x.x.x/13', 'x.x.x/14', 'x.x.x/15', 'x.x.x/16', 'x.x.x/17', 'x.x.x/20', 'x.x.x/21', 'x.x.x/22', 'x.x.x/23');
    if ( in_array( $_SERVER["REMOTE_ADDR"], $ip_array ) ) {
    	return 'ALLOW'; // whitelist
    }

    Same thing for ‘BLOCK’, with IPv6s instead of CIDR.
    What I’ve done wrong?

    Thank you in advance for any support you’d provide.

    Plugin Author nintechnet

    (@nintechnet)

    This code will manage single IPs and CIDR separately and will block the user if his/her IP matches either list:

    <?php 
    
    define('NFW_ALLOWED_ADMIN', 'xxx');
    
    if (! empty($_SERVER["HTTP_CF_CONNECTING_IP"]) &&
       filter_var($_SERVER["HTTP_CF_CONNECTING_IP"], FILTER_VALIDATE_IP) ) {
       $_SERVER["REMOTE_ADDR"] = $_SERVER["HTTP_CF_CONNECTING_IP"];
    }
    
    // =======================================================
    // Single IPv4 and IPv6:
    $ip_array = array( '1.2.3.4', '2.3.4.5', '2001:4998:c:a06::2:4008' );
    if ( in_array( $_SERVER["REMOTE_ADDR"], $ip_array ) ) {
       // Block it:
       return 'BLOCK';
    }
    
    // =======================================================
    // CIDR (IPv4 **only**):
    $cidr_array = array('1.1.1.1/12', '2.2.2.2/13', '3.3.3.3/14');
    // Loop through the array:
    foreach ( $cidr_array as $cidr ) {
       // Check IP vs CIDR:
       if ( ipCIDRCheck( $_SERVER['REMOTE_ADDR'], $cidr ) ) {
          // IP matches, block it:
          return 'BLOCK';
       }
    }
    function ipCIDRCheck( $IP, $CIDR ) {
       list ( $subnet, $bits ) = explode( '/', $CIDR );
       $ip = ip2long( $IP );
       $subnet = ip2long( $subnet );
       $mask = -1 << ( 32 - $bits );
       $subnet &= $mask;
       return ( $ip & $mask ) == $subnet;
    }
    // =======================================================

    As stated on its PHP page (http://php.net/manual/en/function.ip2long.php), the ip2long() function deals only with IPv4.

    THANK YOU!!!
    Have just made a review about your plugin and gonna set it right away.
    May I suggest you to include these info in your website on your FAQ? It’s not easy to have these knowledge out of the box.
    Have a great day!

    Sorry, just a final question.
    So if I make any error in htninja config, then it won’t properly load?
    Thank you

    Plugin Author nintechnet

    (@nintechnet)

    I will add to the online documentation a link to this thread.

    The .htninja file is a PHP script. If you made a syntax error, PHP would throw an error just like it would do with any PHP scripts.

    Thank you again and sorry for the late reply!

Viewing 7 replies - 1 through 7 (of 7 total)
  • The topic ‘Can I include IPs using CIDR notation in htninja?’ is closed to new replies.