accept socket from local client on ALL interfaces; rejcct remote client

Question

I need to write a small socket server proxy application that accepts connections from local applications on ALL interfaces (socket should bind to 0.0.0.0).

I'm not aware of way to achieve this (I have additional requirements that prevent binding to the 127.0.0.1).

A first attempt at this does the following:

bind(0.0.0.0) ... s = accept() ... // reject remote connection if (s.src_addr is not in local_interfaces) close() ... //proceed normally with local conenction

This implementation has a side effect on remote applications - they see an accept/close combination. The system is required to behave such that remote application perceive that "nothing is there": -->SYN <--RST/ACK

To implement this behavior I used winsock API combination of SO_CONDITIONAL_ACCEPT and a WSAAccept callback (LPCONDITIONPROC lpfnCondition),to accept / reject a connection based on its origin interface (i.e. is it one of the local addresses or not).

This results in the desired functional behavior: local apps work; remote apps get the required WSAECONNREFUSED error.

This comes with a certain prices: SO_CONDITIONAL_ACCEPT has certain side effects (see MSDN), but more importantly, we need a LINUX implementation and may later have to port this to other UNIXs.

My first priority is a LINUX solution. Note that I'm willing to go beyond the socket API if that's what it takes.

Answer 1

One simple solution would be to use and external firewall.

Answer 2

Perhaps you could require that appropriate packet filters be installed, or maybe your application could install these filters itself. See http://www.netfilter.org/ for details on the iptables command (there is also a libnfnetlink that provides an API for filter management, but this apparently is not intended for generic application use).

Have you considered using AF_UNIX sockets?

Answer 3

The standard way of doing this is to accept the connections anyway, then if they're coming from an address you don't like, close them immediately without any communication.

If this is really something you're desperate to do, it's not part of the BSD sockets way of doing things.

Answer 4

Netfilters / iptables already mentioned so i dont go into that - its propably the easiest way to handle this but then again, its not part of "your program" but a feature of kernel.

But there's a tool called tcpwrappers which many system daemons also use - you know those hosts.allow & hosts.deny files in your /etc folder - they are part of tcpwrappers and can archive the exact scenario you described.