If you sell additional IPs to your users so that they can connect to remote servers from your hosting server using their dedicated IP as the source IP, you might want (or even need) to protect those IPs from hijacking by your other customers, so that nobody else can use them.
Use CURLOPT_INTERFACE with the name of the outgoing network interface to use. This can be an interface name, an IP address or a host name.
curl_setopt($ch, CURLOPT_INTERFACE, $ip);
http://www.php.net/manual/en/function.curl-setopt.php
Use socket_bind, which binds a name to a socket.
// Bind the source address
socket_bind($sock, $sourceips['madcoder']);
http://www.php.net/manual/en/function.socket-bind.php
You'll need ipt_owner loaded into your kernel
modprobe ipt_owner
Here is a small script for a DirectAdmin-powered server that simplifies writing the iptables rules:
#!/bin/sh
# =========================================================
#  by PLUGINS-DA.NET $ Wed Aug 15 14:54:27 NOVT 2012
# =========================================================
# One file per server IP lives here, each with status= and value= lines
DIR_IPS="/usr/local/directadmin/data/admin/ips";
IPTABLES_PROGRAMM=`which iptables`;
IPTABLES_TARGET="OUTPUT-TO-HTTP";
DEFAULT_USER="root";
# Create the chain and send new outgoing HTTP/HTTPS connections through it
echo "# :OUTPUT-TO-HTTP - [0:0]"
echo "$IPTABLES_PROGRAMM -N $IPTABLES_TARGET";
echo "$IPTABLES_PROGRAMM -A OUTPUT ! -o lo -p tcp -m state --state NEW -m tcp -m multiport --dports 80,443 -j $IPTABLES_TARGET";
for IP in `ls -1 $DIR_IPS | grep -v '127\.0'`;
do
    IP_FILE=$DIR_IPS/$IP;
    STATUS=`grep ^status= $IP_FILE | cut -d\= -f2`;
    VALUE=`grep ^value= $IP_FILE | cut -d\= -f2`;
    echo "# $IP status $STATUS value $VALUE";
    # POSIX sh compares strings with "=", not "=="
    if [ "$STATUS" = "shared" ]; then
        # Shared and server IPs may be used by any local user
        echo "$IPTABLES_PROGRAMM -A $IPTABLES_TARGET -s $IP -j ACCEPT";
    elif [ "$STATUS" = "server" ]; then
        echo "$IPTABLES_PROGRAMM -A $IPTABLES_TARGET -s $IP -j ACCEPT";
    elif [ "$STATUS" = "owned" ]; then
        # Owned IPs: only the owning user (value=) may use them as source
        echo "$IPTABLES_PROGRAMM -A $IPTABLES_TARGET -s $IP -m owner --uid-owner $VALUE -j ACCEPT";
    else
        # Anything else (e.g. free IPs) is usable by root only
        echo "$IPTABLES_PROGRAMM -A $IPTABLES_TARGET -s $IP -m owner --uid-owner $DEFAULT_USER -j ACCEPT";
    fi;
done;
echo "# Deny and log others";
echo "$IPTABLES_PROGRAMM -A $IPTABLES_TARGET -j LOG --log-tcp-options --log-ip-options --log-uid --log-prefix \"OUTPUT IP HIJACK TO HTTP: \"";
echo "$IPTABLES_PROGRAMM -A $IPTABLES_TARGET -j REJECT --reject-with icmp-host-prohibited";
exit;
As a result of running this script you should see the following iptables rules:
/sbin/iptables -A OUTPUT ! -o lo -p tcp -m state --state NEW -m tcp -m multiport --dports 80,443 -j OUTPUT-TO-HTTP
# 217.bb.cc.124 status server value 2
/sbin/iptables -A OUTPUT-TO-HTTP -s 217.bb.cc.124 -j ACCEPT
# 217.bb.cc.27 status shared value 133
/sbin/iptables -A OUTPUT-TO-HTTP -s 217.bb.cc.27 -j ACCEPT
# 217.bb.cc.28 status owned value userbob
/sbin/iptables -A OUTPUT-TO-HTTP -s 217.bb.cc.28 -m owner --uid-owner userbob -j ACCEPT
# 217.bb.cc.29 status owned value userjohn
/sbin/iptables -A OUTPUT-TO-HTTP -s 217.bb.cc.29 -m owner --uid-owner userjohn -j ACCEPT
# 217.bb.cc.30 status shared value 44
/sbin/iptables -A OUTPUT-TO-HTTP -s 217.bb.cc.30 -j ACCEPT
# 217.bb.cc.27 status free value
/sbin/iptables -A OUTPUT-TO-HTTP -s 217.bb.cc.31 -m owner --uid-owner root -j ACCEPT
# 217.bb.cc.28 status free value
/sbin/iptables -A OUTPUT-TO-HTTP -s 217.bb.cc.32 -m owner --uid-owner root -j ACCEPT
# 217.bb.cc.29 status free value
/sbin/iptables -A OUTPUT-TO-HTTP -s 217.bb.cc.33 -m owner --uid-owner root -j ACCEPT
# 217.bb.cc.30 status free value
/sbin/iptables -A OUTPUT-TO-HTTP -s 217.bb.cc.34 -m owner --uid-owner root -j ACCEPT
# Deny and log others
/sbin/iptables -A OUTPUT-TO-HTTP -j LOG --log-tcp-options --log-ip-options --log-uid --log-prefix "OUTPUT IP HIJACK TO HTTP: "
/sbin/iptables -A OUTPUT-TO-HTTP -j REJECT --reject-with icmp-host-prohibited
Copy the output into your iptables script and you're ready to go.
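
Before loading generated rules, they can be checked against the DirectAdmin IP files: every owned IP should be accepted only for its owner, and the chain should end in REJECT. The following is an added example, not part of the original script; audit_rules and make_sample are hypothetical helper names, and the 192.0.2.x addresses, user name and files are constructed sample data.

```shell
# Added example; all IPs, users and files here are constructed sample data.
# audit_rules RULES_FILE IPS_DIR: prints findings, returns 1 if any.
audit_rules() {
    rules=$1; ips_dir=$2; bad=0
    for f in "$ips_dir"/*; do
        ip=${f##*/}
        status=$(grep '^status=' "$f" | cut -d= -f2)
        [ "$status" = "owned" ] || continue
        user=$(grep '^value=' "$f" | cut -d= -f2)
        # -F keeps dots literal; the trailing space stops .2 matching .28
        mine=$(grep -F -- "-s $ip " "$rules" || true)
        if ! printf '%s\n' "$mine" | grep -q -- "--uid-owner $user -j ACCEPT"; then
            echo "MISSING owner rule: $ip ($user)"; bad=1
        fi
        # Any other ACCEPT for this source lets a different uid use it.
        if printf '%s\n' "$mine" | grep -- '-j ACCEPT' |
           grep -qv -- "--uid-owner $user "; then
            echo "UNRESTRICTED accept: $ip"; bad=1
        fi
    done
    # Without a terminal REJECT, unlisted sources fall through the chain.
    last=$(grep -- '-A OUTPUT-TO-HTTP ' "$rules" | tail -n 1)
    case $last in
        *"-j REJECT"*) ;;
        *) echo "NO final REJECT"; bad=1 ;;
    esac
    return $bad
}

# make_sample: prints a temp dir with constructed IP files and two rule sets.
make_sample() {
    d=$(mktemp -d); mkdir "$d/ips"
    printf 'status=shared\nvalue=12\n'     > "$d/ips/192.0.2.27"
    printf 'status=owned\nvalue=userbob\n' > "$d/ips/192.0.2.28"
    c="iptables -A OUTPUT-TO-HTTP"
    { echo "$c -s 192.0.2.27 -j ACCEPT"
      echo "$c -s 192.0.2.28 -m owner --uid-owner userbob -j ACCEPT"
      echo "$c -j REJECT --reject-with icmp-host-prohibited"
    } > "$d/good.rules"
    # Weakened copy: owner match dropped, terminal REJECT missing.
    { echo "$c -s 192.0.2.27 -j ACCEPT"
      echo "$c -s 192.0.2.28 -j ACCEPT"; } > "$d/bad.rules"
    echo "$d"
}

sample=$(make_sample)
audit_rules "$sample/good.rules" "$sample/ips" && echo "good.rules: clean"
audit_rules "$sample/bad.rules" "$sample/ips" || echo "bad.rules: do not load"
rm -rf "$sample"
```

On a real server the first argument would be the saved output of the generator script and the second the DirectAdmin IP directory the script reads.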