Download the PHP package afsharsafavi/firewall_cidr without Composer
On this page you can find all versions of the php package afsharsafavi/firewall_cidr. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.
FAQ
Example:
In general, it is recommended to use always a project to download your libraries. In an application normally there is more than one library needed.
- Some hosting areas are not accessible by a terminal or SSH. Then it is not possible to use Composer.
- To use Composer is sometimes complicated. Especially for beginners.
- Composer needs much resources. Sometimes they are not available on a simple webspace.
- If you are using private repositories you don't need to share your credentials. You can set up everything on our site and then you provide a simple download link to your team member.
- Simplify your Composer build process. Use our own command line tool to download the vendor folder as binary. This makes your build process faster and you don't need to expose your credentials for private repositories.
Informations about the package firewall_cidr
Firewall CIDR
This PHP project helps system administrators to minimize attacks to their services by limiting access of public ports to a specific country CIDR or even ISP. Currently it generates IPTables rules and Mikrotik access lists. Also You can receive the raw format of CIDR of your proposed country of ISP to use them in unsupported firewalls or other programs.
Consider you have a SSH server that is under attack. And you don't have a static IP address on your side to block All IP except your whitelist (your static IP addresses). Also you need access to this server with your phone hotspot. With this project you can generate rules for your firewall to allow access to that port 22 (or something else) only for your country IP ranges or even your ISP and carrier IP ranges.
Another example is IP PBX like Asterisk or Issabel. Sometimes you need to allow your users to access your PBX by their cell phone sim cards in a specific country. You can find out your country operators IP ranges and add them to your whitelist, and block elsewhere.
Run by Docker
or
Installation
Dependency: You need only PHP CLI version 8.2 and php-curl extention
For Ubuntu
For RHEL and CentOS:
Next you need to fill configuration.json file by the documentation in the Example folder and run examples:
or by composer
To run
At first, it downloads all CIDR related to your selected country.
Then find out whois information about each CIDR. (It may take too long).
Finally it will generate rules or access lists depending on your written configuration. (take a look
at configuration.json in Examples folder)
Documentation
CIDR_Lookup::setConfig() static method accept a json array with below specification. After that it need only run CIDR_Lookup::run()
Main configuration
| Name | Required | Description |
|---|---|---|
| Country Code | yes | Country Codes (Alpha-2 codes) |
| ISP Label | optional | See section ISP Labels |
| data_valid_days | optional | Lockup and CIDR data won't reload every time during this period (default: 14 dyas) |
| CIDR_Lookup_Drivers | yes | See section ISP Lookup Dirvers |
| proxy | optional | To decrease blocking by lookup drivers, see section Proxy |
| custom_CIDR_data | optional | See section custom CIDR data |
| firewalls | yes | See section firewalls |
ISP Labels
For finding your needed ISP IP ranges, you should give me your ISP label. Each ISP or orginization CIDR can have multiple label and you can give me an array for each ISP. Forexample, ITC ISP of Iran have 2 CIDR label for ADSL and Mobile ranges. You can pass it by this array:
You can specify different ISP label at top (this section) and for each firewall config, only use their labels. If you don't specify ISP labels, I will return whole CIDR ranges for your selected country. You can findout this label by getting Whois of some sample of your target ISP. For proximity, you can run project once by specify only your country code. then findout exact label from this path:
src/Data/{Country Code}_CIDR_Data
After running this project, above path will have all CIDR label. Depend on number of your country CIDR ranges, running this, may takes long time.
ISP Lookup Dirvers
To findout label of each CIDR ranges, I use different services. They are in src/class/CIDR_Lookup_Drivers.
You can write your customer drivers and pass it's name to this section as an array.
System can accept multiple diver (recommended) and use them in your given order in array.
Sometime drivers return errors or null or maybe ban your IP (for rate limiting of their free services). In that cases, I will use next drivers.
✨Giving more socks5 proxy, can help decreasing ban ratio.
Proxy
To find out CIDR labels, we use different free whois services. If your selected country has lots of CIDR ranges, you will be banned for huge amounts of requests to their API endpoints. The best solution at this time is giving me different socks5 proxy. It can leverage requests on different IP addresses to decrease the ratio of ban.
I recommend to provide at least 3 socks5 proxy.
Custom CIDR data
Sometimes some CIDRs have wrong whois data or thier whois data like country code are wrong. You can add your custom CIDR to configuration. I will consider them when I want to create firewall rules.
It can be an array of CIDRs with this format:
Firewall
At this Time I support IPTables and Mikrotik.
I generate "accept rules" for iptables and address lists for Mikrotik devices. You can use those address lists in many places in Mikrotik winbox.
You can pass as much firewall configuration as you need. I will generate their rules and put each firewall rule in a
file in the src/Output/ folder separately.
Firewall fields accept Arrays of firewalls. Each array node structure should follow this rules:
| Name | Required | Description |
|---|---|---|
| Type | yes | "iptables" or "mikrotik", "raw" |
| ISP | yes | Array of your Required ISP or empty for whole CIDR of country * |
| tcp | optional (for IPTables) | See IPTables section |
| udp | optional (for IPTables) | See IPTables section |
| comment | optional (for Mikrotik) | See Mikrotik section |
| label | optional (for Mikrotik) | See Mikrotik section |
IPTables
You can specify TCP or UDP port(s) and port ranges. I will write "accept rules" for them. TCP and UDP ports can be a single port number (like 22 for SSH) or ranges or combination of them. For example for PBX you can have this array:
Mikrotik
For Mikrotik devices, I will write address lists depending on your configuration.
If you specify ISP, that address list will be included only your selected ISP CIDRs. Otherwise, that address list will include your selected country CIDRs.
Also you can set comment to fill the comment field in the address list in Mikrotik. (optional)
If you write label field, rules will write with your custom label, otherwise, label field will be write
as CIDR_{country code} for when you want to whole country CIDRs and CIDR_{country code}_custom for when you specify
your purpose ISPs.
Raw
In Raw type, I will write only CIDR address for you to use them in unsupported firewall or any programs that accept CIDR address. If it's needed you can add some codes,prefix and/or postfix to CIDR list to use them depend on your needs.
DISCLAIMER
This project collect countries CIDR and whois data from third-party services that there is no 100% guarantee on data accuracy. Before applying generated rules from this project, you should double check data and rules and also know care about your firewall strategy and concerns.
License
