Raspberry Pi IPv6 firewall tester landingpage


An example PHP landing page for the Raspberry Pi IPv6 firewall tester.

Don't forget to update the $EMAIL_mine and $HOST_mine variables to reflect your settings.


  <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
  <HTML>
  <HEAD>
  <TITLE>Pi Powered IPv6 Firewall Tester</TITLE>
  <META HTTP-EQUIV="Content-Type" content="text/html; charset=ISO-8859-1">
  <META HTTP-EQUIV="CACHE-CONTROL" CONTENT="NO-STORE, NO-CACHE, MUST-REVALIDATE, MAX-AGE=0">
  <META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">
  <META NAME="language" CONTENT="en">
  <META HTTP-EQUIV="content-language" CONTENT="en">
  <META NAME="AUTHOR" CONTENT="Tim Chappell">
  <META NAME="COPYRIGHT" CONTENT="© 2011-2012 Tim Chappell">
  <META NAME="description" CONTENT="This Raspberry Pi Powered IPv6 firewall tester checks your host using an IPv6 ping and a scan of multiple user-selectable IPv6 TCP/IP ports.">
  <META NAME="keywords" CONTENT="Raspberry Pi Powered IPv6 Firewall tester port scan TCP/IP ICMPv6 echo-request ping response checker scanner port-tester internet security">
  </head>
  <body>
  <H1>Pi Powered IPv6 Port Scanner (Firewall Tester)</H1>
  <P>Welcome to my <A href="http://www.raspberrypi.org/" target="_blank">Raspberry Pi</A> powered <A href="https://github.com/timsgit/ipscan" target="_blank">open source</A> IPv6 Port Scanner and IPv6 Ping Response tester. This free-access IPv6 portscan service supports testing of multiple TCP ports on any internet-connected host with an IPv6 global unicast address (2000::/3), irrespective of your IPv6 provider or device operating system.</P>
  <H3 style="color:red">Please read these important conditions of usage before continuing!</H3>
  <ol><li>This utility is provided as a convenience, and was developed in order to test my own IPv6 firewall - I make no claims as to its efficacy or correctness. Do NOT rely on this tool. If you want to be certain that your IPv6 firewall is operating correctly then please use a professional penetration testing (pentest) tool.</li><li>The test will attempt to connect to the set of TCP ports that you define, targeting the IPv6 address that my webserver determines your web page request originated from.</li><li>Please verify that the IPv6 address reported below is that of the machine you intend to test, and that you are authorised to perform such a test, prior to beginning the test.</li>  <li>IMPORTANT: Please do NOT attempt to test machines that are hidden behind HTTP proxies, unless you also administer the proxy and intend that machine to be tested.</li></ol>
  <P>If you don't currently have an IPv6 connected host then try a tunnel broker like <A href="http://tunnelbroker.net" target="_blank">HE</A> or <A href="http://www.sixxs.net" target="_blank">SixXS</A>.</P>
  <HR>
  <?php
  function validip4($address)
  {
        return (filter_var($address, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false);
  }
  function validip6($address)
  {
        return (filter_var($address, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) !== false);
  }
  function validip($address)
  {
        return ( validip4($address) || validip6($address) );
  }
  
  // Check whether the IP address is good
  $IP_is_good = -2;
  $IP_address = 'TJCunknaddr';
  $IP_proxy4 = 'TJCnoproxy';
  // Include [ and ] for direct IPv6 addresses, but NOT for names
  // $HOST_mine = '[2001:470:1f08:185c::2]';
  $EMAIL_mine = 'webmaster@chappell-family.com';
  $HOST_mine = 'pi.ipv6.chappell-family.com';
  $PROXY_HEADERS = array(
        'CLIENT_IP',
        'FORWARDED',
        'FORWARDED_FOR',
        'FORWARDED_FOR_IP',
        'HTTP_CLIENT_IP',
        'HTTP_FORWARDED',
        'HTTP_FORWARDED_FOR',
        'HTTP_FORWARDED_FOR_IP',
        'HTTP_PC_REMOTE_ADDR',
        'HTTP_PROXY_CONNECTION',
        'HTTP_VIA',
        'HTTP_X_FORWARDED',
        'HTTP_X_FORWARDED_FOR',
        'HTTP_X_FORWARDED_FOR_IP',
        'HTTP_X_IMFORWARDS',
        'HTTP_X_BLUECOAT_VIA',
        'HTTP_XROXY_CONNECTION',
        'VIA',
        'X_FORWARDED',
        'X_FORWARDED_FOR'
        );
  $BAD_VALUE = -20;
  foreach ($PROXY_HEADERS as $HEADER)
  {
        if ($IP_is_good === -2 && isset($_SERVER[$HEADER]) === true )
        {
                $IP_proxy4 = $_SERVER[$HEADER];
                $IP_is_good = $BAD_VALUE;
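                // The header value is supplied by the client, so HTML-escape it before echoing it back
                printf("<p style=\"color:red;font-size:110%%\">Unfortunately the presence of an %s header suggests that your machine is located behind an HTTP PROXY: \"%s\"</p>", $HEADER, htmlspecialchars($IP_proxy4, ENT_QUOTES, 'ISO-8859-1'));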
        }
        $BAD_VALUE -= 1;
  }
  
  if (isset($_SERVER['REMOTE_ADDR']) === true)
  {
        $IP_address = $_SERVER['REMOTE_ADDR'];
        if ( $IP_is_good === -2 && validip($IP_address) === true )
        {
                $IP_is_good = 1;
        }
  }
  else
  {
        // Didn't find the REMOTE_ADDR variable I expected, so ...
        $IP_is_good = -1;
  }
  
  // If we had a valid IP address, then check that it is IPv6
  if ($IP_is_good === 1)
  {
        if (validip6($IP_address) === true)
        {
                // Global addresses begin 2000::/3, i.e. 2xxx or 3xxx
                if (strncmp($IP_address,"2",1) == 0 || strncmp($IP_address,"3",1) ==0)
                {
                        $IP_is_good = 1;
                }
                else
                {
                        printf("<p style=\"color:red;font-size:110%%\">Unfortunately your IPv6 address is not global unicast (2000::/3) : %s</p>", $IP_address);
                        $IP_is_good = -66;
                }
        }
  
  }
  
  // Main reporting point
  if ($IP_is_good === 1)
  {
        if (validip4($IP_address) === true)
        {
                printf("<p style=\"color:red;font-size:110%%\">Your HTTP headers suggest that your machine is not behind a proxy, but the request for this page was made using an IPv4 address and so your machine cannot be tested : <b>%s</b></p>", $IP_address);
                printf("<p style=\"color:red;font-size:110%%\">Your machine may have accessed this page using IPv4 if your DNS configuration is broken or your browser or DNS service does not correctly prioritise IPv6. If you believe that you do have an IPv6 host with a global unicast address (2000::/3) then you may click on this <A href=\"http://%s/\" target=\"_blank\">IPv6-only link</A> to try again.</p>", $HOST_mine);
                $IP_is_good = -4;
        }
        elseif (validip6($IP_address) === true)
        {
                printf("<p style=\"font-size:110%%\">Your IP address appears to be valid IPv6 : <B>%s</B></p>", $IP_address);
        }
        else
        {
                printf("<p style=\"color:red\">Sorry but I am unsure what to make of your HTTP headers and IP address : <b>%s</b></p>", $IP_address);
                $IP_is_good = -7;
        }
  }
  else
  {
        printf("<p style=\"color:red;font-size:110%%\">Your IP address and/or HTTP headers suggest that your machine is unsuitable for IPv6 port scanning : %s, reason code %d.</p>", $IP_address, $IP_is_good);
  }
  
  // Offer the link
  if ($IP_is_good === 1)
  {
        printf("<p style=\"font-size:110%%\">If you have verified that the address above is YOUR IPv6 address, and can agree to the conditions of usage outlined above, then please click on one of the following links to test your machine:</P><ol style=\"font-size:110%%\"><li><A href=\"http://%s/cgi-bin6/ipscan-js.cgi\" target=\"_blank\" style=\"color:red\">Original IPv6 firewall scanner</A> (requires Javascript to be enabled on your browser, but gives ongoing updates as the test progresses)</li><li><A href=\"http://%s/cgi-bin6/ipscan-txt.cgi\" target=\"_blank\" style=\"color:red\">Lightweight IPv6 firewall scanner</A> (compatible with text-only browsers, such as Lynx or w3m, but takes up to 15s to return a result)</li></ol>",$HOST_mine,$HOST_mine);
  }
  else
  {
        printf("<p style=\"font-size:110%%\">Please return when you have a valid IPv6 address to test.");
        printf(" If you believe this result to be in error, OR you would like to test a proxy host, then please <A style=\"font-weight:bold\" href=\"mailto:%s?subject=IP:%s,%%20RC:%d\">email me.</A></P>",$EMAIL_mine,$IP_address,$IP_is_good);
  }
  ?>
  <HR>
  </body>
  </html>
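
The landing page's 2000::/3 test compares the first character of the address text, which also matches short-form addresses such as 2::1 (that is, 0002::1). As an added example (not part of the original page; the function name is_global_unicast6 and the sample addresses are assumptions), the same test applied to the packed 16-byte form of the address:

```php
<?php
// Added example, not part of the original landing page.
// is_global_unicast6() is a hypothetical helper name.
function is_global_unicast6($address)
{
    // Reject anything that is not a syntactically valid IPv6 address
    if (filter_var($address, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) === false) {
        return false;
    }
    // Convert to the 16-byte packed form so the result does not depend
    // on how the address happens to be written (zero compression,
    // omitted leading zeros, embedded dotted-quad notation)
    $packed = inet_pton($address);
    if ($packed === false || strlen($packed) !== 16) {
        return false;
    }
    // 2000::/3 means the top three bits of the first byte are 001
    return (ord($packed[0]) & 0xE0) === 0x20;
}

// The first-character test used by the landing page, for comparison
function text_prefix_test($address)
{
    return (strncmp($address, "2", 1) == 0 || strncmp($address, "3", 1) == 0);
}

// Constructed sample addresses
$samples = array(
    '2001:db8::1',       // first group 2001
    '3fff::1',           // first group 3fff
    '2::1',              // first group 0002, written without leading zeros
    '3ff::1',            // first group 03ff, written without leading zeros
    'fe80::1',           // link-local
    '::ffff:192.0.2.1',  // IPv4-mapped
);

foreach ($samples as $s) {
    printf("%-18s first-character test: %-3s packed test: %s\n",
        $s,
        text_prefix_test($s) ? 'yes' : 'no',
        is_global_unicast6($s) ? 'yes' : 'no');
}
```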


