
Thread: allow only 1 (not specific) IP at a time on a port

  1. #1
    Join Date
    Jan 2020
    Beans
    2

    allow only 1 (not specific) IP at a time on a port

    Hello,

    I'm looking for a UFW or iptables rule in order to allow only one (not a specific) IP at a time on a port.

    There are plenty of examples online about allowing one specific IP, which is not what I want.

    I wish to allow ANY IP to connect to a port, but only one IP at a time (which means that if two people in different locations are trying to connect to that port, the latter won't be allowed, or better, both would be disconnected).

    Does anyone have an idea?

    Thanks a lot.

  2. #2
    Join Date
    Nov 2008
    Location
    Metro Boston
    Beans
    14,743
    Distro
    Kubuntu 19.10 Eoan Ermine

    Re: allow only 1 (not specific) IP at a time on a port

    In the good old days, I would wrap the service with xinetd to limit it to one simultaneous connection. Apparently systemd now offers this ability, but someone else will have to explain that method.

    After installation of xinetd, you'll have an /etc/xinetd.d/ directory. Create a configuration file for the service like the ones you'll see there. If it's a standard service that appears in the list in /etc/services, use that name, e.g., smtp, otherwise define a custom service in /etc/services by adding a line like
    Code:
    myservice     62610/tcp
    which specifies that myservice listens on port 62610. Next, create the configuration file in /etc/xinetd.d/ like this:
    Code:
    service myservice
    {
            disable         = no
            socket_type     = stream
            server          = /path/to/some/executable
            protocol        = tcp
            user            = root
            wait            = no
            instances       = 1
    }
    After xinetd is started, it will listen on the port assigned to the server (62610 in this case) and pass incoming requests to the program at /path/to/some/executable. That last line will limit concurrent connections to one.
    Last edited by SeijiSensei; January 18th, 2020 at 01:40 AM.
    If you ask for help, do not abandon your request. Please have the courtesy to check for responses and thank the people who helped you.

    Blog · Linode System Administration Guides · Android Apps for Ubuntu Users
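    As an added check, not part of SeijiSensei's post or of xinetd itself: the cap only holds if the service file is enabled and actually carries an instances line (xinetd treats a missing instances attribute as UNLIMITED), and the port has to be the one registered in /etc/services. The script below parses both files and verifies that; the sample files are constructed copies of the thread's example written to a temporary directory, and the file paths are passed as arguments so it can be pointed at the real /etc/services and /etc/xinetd.d/<name>.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check an xinetd service
# definition before relying on "instances = 1" as a connection cap.

# Print the tcp port registered for a service name in a services(5) file.
service_port() {
    # $1 = service name, $2 = path to /etc/services (or a copy)
    awk -v name="$1" '
        $1 == name && $2 ~ /^[0-9]+\/tcp$/ { sub(/\/tcp$/, "", $2); print $2; exit }
    ' "$2"
}

# Print the instances limit from an xinetd.d service file.
# xinetd treats a missing attribute as UNLIMITED, so report that explicitly.
xinetd_instances() {
    # $1 = path to the service file
    awk '
        /^[[:space:]]*instances[[:space:]]*=/ {
            v = $0
            sub(/^[^=]*=[[:space:]]*/, "", v)   # drop "instances ="
            sub(/[[:space:]]*$/, "", v)          # drop trailing blanks
            print v; found = 1; exit
        }
        END { if (!found) print "UNLIMITED" }
    ' "$1"
}

# Return 0 when the service is enabled (disable = no) and capped at one instance.
check_single_instance() {
    # $1 = path to the service file
    [ "$(xinetd_instances "$1")" = "1" ] || return 1
    grep -Eq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*no' "$1" || return 1
    return 0
}

# Constructed sample files mirroring the thread's example (hypothetical paths).
TMPD=$(mktemp -d)
printf 'myservice     62610/tcp\n' > "$TMPD/services"
cat > "$TMPD/myservice" <<'EOF'
service myservice
{
        disable         = no
        socket_type     = stream
        server          = /path/to/some/executable
        protocol        = tcp
        user            = root
        wait            = no
        instances       = 1
}
EOF
# Same service with the instances line left out: xinetd would not cap it.
grep -v instances "$TMPD/myservice" > "$TMPD/uncapped"

echo "myservice port: $(service_port myservice "$TMPD/services")"
echo "myservice instances: $(xinetd_instances "$TMPD/myservice")"
echo "uncapped instances: $(xinetd_instances "$TMPD/uncapped")"
if check_single_instance "$TMPD/myservice"; then echo "myservice: capped at 1"; fi
if check_single_instance "$TMPD/uncapped"; then :; else echo "uncapped: NOT capped"; fi
```

    Against a real system, call it as `check_single_instance /etc/xinetd.d/myservice` and `service_port myservice /etc/services`; the port printed is the one that also has to be opened on the host firewall.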

  3. #3
    Join Date
    Mar 2007
    Location
    Denver, CO
    Beans
    7,821
    Distro
    Ubuntu Mate 16.04 Xenial Xerus

    Re: allow only 1 (not specific) IP at a time on a port

    Neat, I had no idea you could do this. Thanks for the information.

  4. #4
    Join Date
    Nov 2008
    Location
    Metro Boston
    Beans
    14,743
    Distro
    Kubuntu 19.10 Eoan Ermine

    Re: allow only 1 (not specific) IP at a time on a port

    Xinetd has a number of useful features. I use the redirect option to pass connections to an IMAP server running on a machine behind a public-facing server. The man page for xinetd.conf is quite extensive.
    Last edited by SeijiSensei; January 20th, 2020 at 04:31 PM.

  5. #5
    Join Date
    Jan 2020
    Beans
    2

    Re: allow only 1 (not specific) IP at a time on a port

    Hello !

    This solution will fit the job perfectly; I will dig into xinetd.

    Thank you very much!

  6. #6
    Join Date
    Feb 2011
    Location
    Coquitlam, B.C. Canada
    Beans
    2,779
    Distro
    Ubuntu Development Release

    Re: allow only 1 (not specific) IP at a time on a port

    I think this iptables rule will also do what you want:

    Code:
    sudo iptables -A INPUT -p tcp --dport 22 -s 0.0.0.0/0 -m connlimit --connlimit-above 1 -j DROP
    The rule will have to be placed properly within your existing rule set.
    Yes, normally connlimit-above is IP specific, but the rule specifies any IP address as an override.
    EDIT: Incorrect: see post #8 below.

    Example use (port 22 SSH): I had one ssh session already going to the test server, added the iptables rule and all was fine. I attempted to open another ssh session, could not, and also got dropped from my original session. Once the conntrack table entries were eventually closed, I was then able to reconnect via ssh to the computer and repeat the process. I also did the test from two different computers on my LAN.
    Last edited by Doug S; 4 Weeks Ago at 02:47 AM.
    Any follow-up information on your issue would be appreciated. Please have the courtesy to report back.

  7. #7
    Join Date
    Nov 2008
    Location
    Metro Boston
    Beans
    14,743
    Distro
    Kubuntu 19.10 Eoan Ermine

    Re: allow only 1 (not specific) IP at a time on a port

    If you use REJECT instead of DROP,
    Code:
    sudo iptables -A INPUT -p tcp --dport 22 -s 0.0.0.0/0 -m connlimit --connlimit-above 1 -j REJECT
    the second connection will see
    Code:
    ssh: connect to host hostname port 22: Connection refused
    Using DROP causes the second connection to hang with no error reply.

    Unlike your experience, my first connection remained established after a second attempt was made. That was true with DROP and REJECT.

    This works well and is much simpler than using xinetd. Thanks, Doug!

  8. #8
    Join Date
    Feb 2011
    Location
    Coquitlam, B.C. Canada
    Beans
    2,779
    Distro
    Ubuntu Development Release

    Re: allow only 1 (not specific) IP at a time on a port

    @SeijiSensei : thanks for trying it and your additional information.

    I played around some more and had difficulties getting repeatable good test results. I think my suggested iptables rule should have been this instead (at least my tests work better):

    Code:
    sudo iptables -A INPUT -p tcp --syn --dport 22 -i enp3s0 -m connlimit --connlimit-above 1 --connlimit-mask 0 -j REJECT
    Because then the mask looks correct when I do this:

    Code:
    doug@s18:~$ sudo iptables -v -x -n -L
    [sudo] password for doug:
    Chain INPUT (policy ACCEPT 300 packets, 28907 bytes)
        pkts      bytes target     prot opt in     out     source               destination
           2      120 REJECT     tcp  --  enp3s0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 flags:0x17/0x02 #conn src/0 > 1 reject-with icmp-port-unreachable
    ...
    Whereas, with my previous rule, the mask seemed wrong:
    Code:
    doug@s18:~$ sudo iptables -D INPUT -p tcp --syn --dport 22 -i enp3s0 -m connlimit --connlimit-above 1 --connlimit-mask 0 -j REJECT
    doug@s18:~$ sudo iptables -A INPUT -p tcp --dport 22 -i enp3s0 -s 0.0.0.0/0 -m connlimit --connlimit-above 1 -j REJECT
    doug@s18:~$ sudo iptables -v -x -n -L
    Chain INPUT (policy ACCEPT 9 packets, 628 bytes)
        pkts      bytes target     prot opt in     out     source               destination
           0        0 REJECT     tcp  --  enp3s0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 #conn src/32 > 1 reject-with icmp-port-unreachable
    ...
    Edit: Where "enp3s0" is the network interface name for my computer. Change as required.
    Last edited by Doug S; 4 Weeks Ago at 08:47 AM.
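    The difference between the two listings above is the mask in the "#conn src/N > 1" column: connlimit groups connections by source address under that prefix length, so the default /32 counts per client and only --connlimit-mask 0 puts every client in one bucket and makes the limit global (--syn additionally restricts the rule to connection-opening packets). The script below, added here and not part of Doug S's post or of iptables, reads the output of iptables -v -x -n -L on stdin and reports which of the two you actually have for a given port; the two sample listings are constructed copies of the ones shown in the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Reads `iptables -v -x -n -L` output on
# stdin and reports whether the connlimit rule on a tcp port counts connections
# globally (mask /0) or per source address (src/32, the default).
#
# Exit status: 0 = global limit found, 1 = only a per-source limit found,
#              2 = no connlimit rule for that port at all.
check_global_connlimit() {
    port="$1"
    awk -v port="$port" '
        index($0, "tcp dpt:" port " ") && match($0, /#conn src\/[0-9]+ > [0-9]+/) {
            found = 1
            mask = substr($0, RSTART, RLENGTH)   # e.g. "#conn src/0 > 1"
            sub(/^#conn src\//, "", mask)        # -> "0 > 1"
            sub(/ .*$/, "", mask)                # -> "0"
            if (mask == "0") global = 1
        }
        END {
            if (global) exit 0
            if (found) exit 1
            exit 2
        }
    '
}

# Convenience wrapper for a listing held in a shell variable.
check_listing() {
    # $1 = port, $2 = listing text
    printf '%s\n' "$2" | check_global_connlimit "$1"
}

# Constructed samples copied from the two listings shown in the thread.
GOOD_LISTING='Chain INPUT (policy ACCEPT 300 packets, 28907 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       2      120 REJECT     tcp  --  enp3s0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 flags:0x17/0x02 #conn src/0 > 1 reject-with icmp-port-unreachable'

BAD_LISTING='Chain INPUT (policy ACCEPT 9 packets, 628 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 REJECT     tcp  --  enp3s0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 #conn src/32 > 1 reject-with icmp-port-unreachable'

# Human-readable verdict for a listing.
report() {
    # $1 = label, $2 = port, $3 = listing text
    if check_listing "$2" "$3"; then
        echo "$1: port $2 limited globally (mask /0)"
    elif [ $? -eq 1 ]; then
        echo "$1: port $2 limited per source only (one connection PER client)"
    else
        echo "$1: port $2 has no connlimit rule"
    fi
}

report "corrected rule" 22 "$GOOD_LISTING"
report "first rule" 22 "$BAD_LISTING"
report "corrected rule" 80 "$GOOD_LISTING"
```

    On a live host run `sudo iptables -v -x -n -L | check_global_connlimit 22` after loading the rule; a per-source result means each client still gets its own connection and the "one IP at a time" goal is not met.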

  9. #9
    Join Date
    Mar 2007
    Location
    Denver, CO
    Beans
    7,821
    Distro
    Ubuntu Mate 16.04 Xenial Xerus

    Re: allow only 1 (not specific) IP at a time on a port

    Quote Originally Posted by SeijiSensei:
    Xinetd has a number of useful features. I use the redirect option to pass connections to an IMAP server running on a machine behind a public-facing server. The man page for xinetd.conf is quite extensive.
    I don't understand this method. Don't you still have to open a port on the firewall to accomplish this?

  10. #10
    Join Date
    Nov 2008
    Location
    Metro Boston
    Beans
    14,743
    Distro
    Kubuntu 19.10 Eoan Ermine

    Re: allow only 1 (not specific) IP at a time on a port

    Yes, just as you would need to do for any service that listens for incoming client requests. So, in the case I described above, I'd open port 62610/tcp on the firewall.

    It's no different than opening port 25 to allow incoming mail or port 80 to allow HTTP requests.