[Discuss] Limit the number of ip addresses which can connect to a port

[warlord at MIT.EDU (Derek Atkins)]

Tom,

Tom Luo <mariolzx at gmail.com> writes:

> Yes. I want only one IP gets access to the service. However, I don't own
> this application and I don't have the source code. That is why I can only
> using firewall to handle it.
> If there is no software capable to handle this, I am thinking about writing
> a shell script to do it myself.

Just so I understand:   You have a service running on a server which
*anyone* can use.  But once *someone* is using it, further connections
can only come from that single IP address.   And then, once all
connections drop again (i.e., nobody is using the service), then it
opens up to anyone on any IP address again until someone else connects?

Do I have this right?

If so, I'm honestly not sure how to do this outside the application
itself.  You MIGHT be able to do it with tcp_wrappers with some state on
the machine for the number of open connections.

Another option is that you MIGHT be able to do this with something like
fail2ban + firewalld.  Every time there is a first-time connection then
you add a firewall rule that limits access to only that IP address, and
then once the user "logs out" you remove that restriction.  Of course
you would need to ensure that the connection/disconnection get logged
properly, and you'd need to write the fail2ban scripts.

If you cannot modify the application itself then this might be
challenging to get all the connect/disconnect messages to properly line
up.

> Thanks,

-derek

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord at MIT.EDU                        PGP key available