Trying to add intranet to site, need help with IP blocking

[erikblue]

ok, so like the subject says i'm trying to add an intranet to a site i'm working on using a  php function to block out any ip addresses i dont want. In this case i want to block out anything that doesn't start with 192.168. To do this i thought that this snippet of code would do the trick, a statement checking the IP, then if it does not begin with 192.168 it would kill it. However, its definitely not working out for me. I'm sure its a simple fix, but i'm not sure where i am wrong at. Thanks in advance to anyone for their help!

if(substr($REMOTE_ADDR,0,7) != "192.168")  exit("Intranet is available to employee's only.");

[dbo]

Is this a true intranet or are you just trying to restrict it to an ip range?

 

1) The remote address variable can't be trusted.

2) You should limit access to a directory via your webserver, not PHP.

3) If it's an intranet, it should be behind a firewall where the only traffic that can get to it is local... or via some sort of VPN.

[erikblue]

Yeah I originally thought this should be done on the webserver as well. I will look into a way of doing it with apache then.  How come the remoate address variable cant be trusted? it is easily spoofed or what?

[SammyGunnz]

Though the poster above is correct...you can try the following:

 

 

<?php

  $userip = $_SERVER['REMOTE_ADDR'];

  if(!preg_match('/192.168.[0-9]+.[0-9]+/',$userip)) {
   // Redirect to error
  }

    else
    {
      // Load content
    }

?>

 

P.S Not the most secure way of doing it...just a quick fix to your need :-P

[dbo]

Here's the main idea: http://www.cyberciti.biz/faq/apache-restrict-access-based-on-ip-address-to-selected-directories/

[erikblue]

thanks alot!

[derwert]

A few things.. first $REMOTE_ADDR can't be trusted but $_SERVER['REMOTE_ADDR'] can be.

That variable is set by the web server and the web server had to go through a connection negotiation process before it was ever able to receive the request.

 

I quickly coded up this to check if the IP address accessing the script is on the same network as that which is defined in the script.

 

Routers use a similar process when checking IP addresses in order to see where to route the traffic.

 

<?php

$network = '192.168.1.0';
$subnet_mask = '255.255.255.0';

$net_octet = explode('.', $_SERVER['REMOTE_ADDR']);
$mask_octet = explode('.', $subnet_mask);

$result = '';

for ($x = 0; $x <= 3; $x++){
  $result .= bindec(decbin($net_octet[$x]) & decbin($mask_octet[$x])).($x != 3 ? '.' : '');
}

if ($network == $result){
  echo 'The computer is on the same network.';
}else{
  echo 'The computer is not on the same network.';
}

?>

[derwert]

I just realized that I put 255.255.255.0 as the subnet mask in the script, you would need to change it to 255.255.0.0 and change the network to 192.168.0.0 for it to work for the network you mentioned.