Interesting case

Hello everyone,

Basically, we are providing an API where people connect remotely.

The idea is to deny everyone access/ping to that IP except the whitelisted people/customers. I was able to reach that goal with CSF. Then we thought it was time to add a thread limitation, and the first issue came up. The command

iptables -A INPUT -s customerIP -p tcp --syn --dport 80 -m connlimit --connlimit-above NUMBER -j REJECT --reject-with tcp-reset

was fully ignored, since the whitelisted customers for some reason have full access and the above rule is ignored (we were using CSF, and I read that iptables gives priority to rules in the order they are added: so if you whitelist an IP and then add a limitation, the limitation will be ignored).

So I am looking into whether on IPFire it is possible to have whitelist-only access and set up a maximum of threads/parallel connections per IP (the rules must be IP based, not a general rule).

The last thing is related to flushing rules. Let's say a customer buys 100 threads and then his subscription ends; what should we do? How can we flush all the rules for that IP? On CSF it would be possible to remove the IP manually from the whitelist (csf.allow) and then restart CSF (-a); this could be considered a strategy, but not one of the best. The issue comes when I have to remove the thread limitations from iptables, not from CSF, because it seems that on iptables it is not possible to flush rules for a specific IP.

I have found a script that removes rules for a specific IP, but it seems outdated and not supported anymore.

So basically I am looking into whether IPFire provides the following things:

  • commands on the console/API for automatic tasks from the CRM (WHMCS)
  • flushing rules per IP
  • a threads/parallel connections/concurrent connections limit per IP.

Thank you!
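One way to get the three things asked for above (per-IP concurrent-connection limits, per-IP removal, and something a CRM hook can call) with plain iptables, as an added example that is not part of the original post and is not CSF's or IPFire's own code. The trick for the ordering problem described in the post is to keep the limit rules in their own chain and jump to that chain from INPUT before the whitelist chain, so a whitelisted IP is still limited. Removal works by replaying the chain's own "iptables -S" listing with -A turned into -D, which deletes every limit rule for that IP whatever value it was set to. Assumptions: the API listens on TCP/80, the connlimit and conntrack modules are available, and the chain names CUST_LIMIT and CUST_ALLOW are hypothetical; IPT can be overridden (for example IPT="echo iptables") to dry-run the script.

```shell
#!/bin/sh
# Added example (not from the original post, CSF or IPFire): per-customer
# connection limits in a dedicated iptables chain, so one IP can be added,
# re-limited or removed without touching the rest of the ruleset.
# Assumptions: API on TCP/80; chain names below are hypothetical.

IPT="${IPT:-iptables}"      # override with IPT="echo iptables" to dry-run
LIMIT_CHAIN="CUST_LIMIT"    # hypothetical chain holding the per-IP limits
ALLOW_CHAIN="CUST_ALLOW"    # hypothetical chain holding the whitelist

# Rule specification for one customer: reject new TCP/80 connections once
# this source IP already holds more than $2 established connections.
limit_spec() {
  printf '%s' "-s $1 -p tcp --syn --dport 80 -m connlimit --connlimit-above $2 -j REJECT --reject-with tcp-reset"
}

# Create both chains once and hook them into INPUT. Order matters: the
# limit chain must be consulted BEFORE the allow chain, otherwise a
# whitelisted IP is ACCEPTed first and its limit rule is never evaluated
# (the behaviour the post saw with CSF).
setup_chains() {
  $IPT -N "$LIMIT_CHAIN" 2>/dev/null || true
  $IPT -N "$ALLOW_CHAIN" 2>/dev/null || true
  $IPT -C INPUT -j "$LIMIT_CHAIN" 2>/dev/null || $IPT -I INPUT 1 -j "$LIMIT_CHAIN"
  $IPT -C INPUT -j "$ALLOW_CHAIN" 2>/dev/null || $IPT -I INPUT 2 -j "$ALLOW_CHAIN"
}

# Delete every limit rule that names this IP, regardless of its limit value:
# list the chain with -S, keep the lines for this source, replay them as -D.
remove_limits() {
  $IPT -S "$LIMIT_CHAIN" | grep -F -- "-s $1/32 " | sed 's/^-A /-D /' |
  while read -r spec; do
    $IPT $spec
  done
}

# Add (or re-limit) one customer: drop any old limit first, then add the
# new one and make sure the IP is whitelisted exactly once.
add_customer() {
  ip=$1; limit=$2
  remove_limits "$ip"
  $IPT -A "$LIMIT_CHAIN" $(limit_spec "$ip" "$limit")
  $IPT -C "$ALLOW_CHAIN" -s "$ip" -j ACCEPT 2>/dev/null || \
    $IPT -A "$ALLOW_CHAIN" -s "$ip" -j ACCEPT
}

# Subscription ended: remove both the limit rules and the whitelist entry.
remove_customer() {
  remove_limits "$1"
  $IPT -D "$ALLOW_CHAIN" -s "$1" -j ACCEPT 2>/dev/null || true
}

# Entry point a CRM hook (e.g. a WHMCS module action) can call:
#   sh customer-limits.sh setup
#   sh customer-limits.sh add 203.0.113.10 100
#   sh customer-limits.sh remove 203.0.113.10
case "${1:-}" in
  setup)  setup_chains ;;
  add)    add_customer "$2" "$3" ;;
  remove) remove_customer "$2" ;;
esac
```

Whitelisting is still done with the allow chain, so the default policy of INPUT (or a final DROP) keeps everyone else out; the limit chain only ever REJECTs, never ACCEPTs, which is what makes it safe to place first. The "-s IP/32 " filter in remove_limits matches the canonical form iptables prints, so 203.0.113.1 is not confused with 203.0.113.10.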