Problem with routing to website and PHP REMOTE_ADDR variable

 
 
KJ
10-27-2004, 02:03 PM
This may take a while for me to explain thoroughly enough for everyone
to understand it, so please bear with me.

I am running a website, we'll call it "spockrules.com". I have the
entire site programmed in PHP, and it works pretty well, if I do say
so myself. Lately, I have been receiving some unwelcome hits, however.
See, I have my page set up so that people can post comments to it. When
people post comments, they appear on the page immediately (I moderate
the comments and take down ones later that I think are inappropriate).
Lately, some people have been posting some rather... rude... comments
to my site. The nice thing is, I log every IP address that hits my
site using the $_SERVER['REMOTE_ADDR'] variable, so I can tell who
posted the rude comments as well as see everyone's IP who views my
site.

Well, I decided that, to keep these people away, I would filter the two or
three IP addresses that were causing me trouble using a PHP script. I
would set up a more advanced firewall, only I have no access to root on
this server (it is hosted by another company). So what I did is put an
if statement into my code like this:

if ($_SERVER['REMOTE_ADDR'] == '999.999.999.999')
{
    // Redirect the user to http://slashdot.org without loading my page
}
else
{
    // Load my page
}

Where 999.999.999.999 is the attacker's IP. Now I realize this isn't
even close to a solid solution, but I figured it would make it enough
of an inconvenience for these people to get around that they would
leave me alone. Instead, they somehow figured out how to post from a
new IP address - an IP address that is very very unusual...

Somehow they are posting from an address, we'll call it 65.X.X.X (not
its real address, the real IP resolves to somewhere in the largest
nearby city, Cedar Rapids, IA), and viewing my site from this address.
Now, I figure, oh well, I'll add that IP to my block list...

Only problem, when I block that 65.X.X.X address and then *I* try to
access the site, I get blocked and redirected to slashdot! No, the
65.X.X.X address is NOT mine, mine starts with 128.X.X.X. When I run a
traceroute from my IP to my server, I find that there are a few hops
on my route that are very similar in address to the 65.X.X.X IP -
likely routers downstream from my ISP, though none of the IPs are
EXACTLY that 65.X.X.X. My question - why is it when I return the
"$_SERVER['REMOTE_ADDR']" variable within PHP, my IP shows up
(128.X.X.X) but when I try to access the site using my "filtering
method" - just a simple if statement using that EXACT same variable
and comparing it to 65.X.X.X, the program thinks it has a match? What
in the world is going on? I thought the $_SERVER['REMOTE_ADDR']
variable only returned the remote host's end IP, not the addresses of
routers in-between.

On top of this, I have attempted to connect to my site from other
ISPs and other connections around the city - I always get redirected
to slashdot.org (like I'm coming from the 65.X.X.X address) regardless
of where I connect from. Thanks for your help and for reading about my
rather lengthy and complicated problem.
 
 
 
 
 
Paul E Mak
10-27-2004, 08:19 PM
I don't know a whole lot about PHP, but I do about debugging. And you
may have tried these, but I'm gonna offer my 2c worth anyway.

Print out the values of your $_SERVER['REMOTE_ADDR']. Have your script
write them to a file only you know about and can pull up on the web.
Take a look at what it's actually pulling.

Print out the two values you're trying to compare and see if they do
match. Again, writing to a file you can pull up may be helpful.

Make sure you're not blocking a broadcast or multi-cast address.

Make sure you're blocking a valid external address. (Not the 10.x.x.x,
172.16.x.x and 192.168.x.x)

Make sure you're using the redirect command correctly.

Hope that helps a bit.

Paul

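The checks listed in the reply above, as an added PHP example that is not part of either post: it classifies each block-list entry and logs both sides of every comparison against REMOTE_ADDR. The function names, the log path and all sample addresses are constructed for illustration.

```php
<?php
// Added example, not code from the thread. Function names, the log path and
// the sample addresses are assumptions made for illustration.

// Classify a block-list entry before trusting it (valid, external, unicast).
function classify_entry(string $ip): string
{
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return 'invalid';              // e.g. the placeholder 999.999.999.999
    }
    $first = (int) explode('.', $ip)[0];
    if ($first >= 224 && $first <= 239) {
        return 'multicast';
    }
    if ($ip === '255.255.255.255') {
        return 'broadcast';
    }
    $flags = FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE;
    if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
        return 'private';              // 10.x.x.x, 172.16.x.x, 192.168.x.x
    }
    return 'public';
}

// Compare REMOTE_ADDR with each entry and log exactly what was compared,
// so the log shows the value PHP saw and the result of every comparison.
function is_blocked(string $remoteAddr, array $blocklist, string $logFile): bool
{
    $blocked = false;
    foreach ($blocklist as $entry) {
        $match = ($remoteAddr === $entry);   // strict string comparison
        $line = sprintf("%s remote=%s entry=%s class=%s match=%s\n",
            date('c'), var_export($remoteAddr, true), var_export($entry, true),
            classify_entry($entry), $match ? 'yes' : 'no');
        file_put_contents($logFile, $line, FILE_APPEND | LOCK_EX);
        $blocked = $blocked || $match;
    }
    return $blocked;
}

// Constructed demo; on the real page pass $_SERVER['REMOTE_ADDR'] instead.
$blocklist = ['203.0.113.7', '192.168.1.20', '999.999.999.999'];
$logFile   = sys_get_temp_dir() . '/remote_addr_debug.log';
foreach (['198.51.100.23', '203.0.113.7'] as $visitor) {
    $action = is_blocked($visitor, $blocklist, $logFile) ? 'redirect' : 'load page';
    echo $visitor, ' -> ', $action, PHP_EOL;
}
```

A log line with match=no for a visitor who was still redirected points at the surrounding if statement or the redirect call rather than at the network path.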


 