Let me describe the problem first:
My server application "Blunzen's App" listens on port 1234 for client requests, which works fine for nice clients. But there are also evil "Blunzen's App" clients that destroy my server. Unfortunately my "Blunzen's App" server is silly and therefore not able to distinguish good from evil. I can't change the "Blunzen's App" server protocol to make it smarter to defend itself.
And here is my solution idea:
I want to invent a "Blunzen's App Guard" service that listens on port 1234, that, instead of the "Blunzen's App" server, checks client requests for good and evil and only forwards the good requests to the "Blunzen's App" server that now listens on port 4321.
The good clients show a permit to the "Blunzen's App Guard" service. With a valid permit all packages from a good client should be forwarded to port 4321. All bad requests should be ignored.
Suggestions for implementation are welcome.
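
One way to sketch the guard described above, as an added example that is not part of the original post. It assumes the permit is the first line a client sends, in a made-up format `<client_id>:<unix expiry>:<hex HMAC-SHA256>`, signed with a key shared by the guard and whoever issues permits; the key, the 5 second timeout and the function names are illustrative.

```python
import asyncio, hashlib, hmac, time

KEY = b"constructed-demo-key"   # assumption: secret shared by guard and permit issuer
BACKEND = ("127.0.0.1", 4321)   # real server; should be reachable only via the guard

def _tag(msg: str, key: bytes) -> str:
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()

def make_permit(client_id: str, expires: int, key: bytes = KEY) -> bytes:
    msg = f"{client_id}:{expires}"            # assumed permit format, see lead-in
    return f"{msg}:{_tag(msg, key)}\n".encode()

def permit_valid(line: bytes, key: bytes = KEY, now=None) -> bool:
    try:
        client_id, expires, tag = line.decode("ascii").strip().split(":")
        fresh = int(expires) > (time.time() if now is None else now)
    except ValueError:              # wrong field count, non-ASCII, non-numeric expiry
        return False
    # constant-time comparison so the check does not leak how much of the tag matched
    return fresh and hmac.compare_digest(tag, _tag(f"{client_id}:{expires}", key))

async def pipe(reader, writer):     # copy one direction until EOF, then close the peer
    try:
        while data := await reader.read(65536):
            writer.write(data)
            await writer.drain()
    except ConnectionError:
        pass
    finally:
        writer.close()

async def guard(reader, writer, backend=BACKEND):
    try:                            # the first line must be the permit, within 5 s
        line = await asyncio.wait_for(reader.readline(), timeout=5)
    except (asyncio.TimeoutError, ValueError, ConnectionError):
        line = b""                  # slow, oversized or broken first line: treat as bad
    if permit_valid(line):
        try:                        # only now is a backend connection opened
            b_reader, b_writer = await asyncio.open_connection(*backend)
            return await asyncio.gather(pipe(reader, b_writer), pipe(b_reader, writer))
        except OSError:
            pass
    writer.close()                  # ignored: no reply, nothing reaches the backend

async def main():
    server = await asyncio.start_server(guard, "0.0.0.0", 1234, limit=256)
    await server.serve_forever()

if __name__ == "__main__":
    asyncio.run(main())
```

The guard only helps if port 4321 is bound to loopback or firewalled so clients cannot bypass it. A permit sent like this is a bearer token: without TLS in front of the guard, anyone who observes it can reuse it until it expires.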