Sockets: Only allow certain connections.

Posted: Mon Jul 31, 2006 7:40 pm
by kaoskorruption
Is it possible to check the IP of who is trying to connect to a socket before the connection is actually accepted, and allow them to connect only if they have a specific IP? Using TCP.

Also: Is it possible to send data before or as the script connects, so that the data can be analyzed before the server decides to allow the connection or not? Using TCP.

Is it possible to read data sent from a UDP socket to a TCP socket? Is that even possible?

Basically, I have a "login" server, and I have "main" servers. There is one login server, and there can, but don't have to be, multiple "main" servers. I don't want the login server to accept client connections until at least one "main" server has connected to it. The point is so people can login with the login server, and then get forwarded to one of the "main" servers. The "main" servers all have to connect to the login server, but so do the clients. Right now the only way I have to authenticate the "main" servers when they connect is to accept all connections to the login server, and use the data that they send from there. Ideally, I would be able to reject all connections to the login server except for connections coming from "main" servers.

Thanks.

Posted: Wed Aug 16, 2006 11:17 pm
by Stoker
I think most of the answers here are generally "No".
Read up a couple of things on how TCP/IP works and the difference between OSI layers 3, 4 and 6-7, and the HTTP protocol.


> Is it possible to check the IP of who is trying to connect to a socket
> before the connection is actually accepted, and allow them to connect
> only if they have a specific IP? Using TCP.

PHP as an Apache module cannot; it operates on layer 7 using the HTTP protocol.
The operating system usually handles layer 3 (IP); filtering on layer 4 (TCP/UDP) is usually handled by the operating system as well.
So on a *nix machine you need to enable firewalling/filtering of some sort (on GNU/Linux systems check iptables).

Technically, with a lot of coding, I am sure it is possible to integrate PHP with the operating system's TCP/IP stack and let a PHP script handle the logic of what is allowed, but that would probably be the slowest firewalling method in the world :)


> Also: Is it possible to send data before or as the script connects, so that
> the data can be analyzed before the server decides to allow the connection
> or not? Using TCP.

I don't really understand your question here, but I think the answer is pretty much the same as above: PHP operates on layer 7, and the connection is already accepted by the time it reaches the web server and PHP. You can always end the script with exit(); there is no way to communicate back and forth within the client's connection, other than indirectly via headers (cookies). Read up a bit on the HTTP protocol.


> Is it possible to read data sent from a UDP socket to a TCP socket?

No, they are two different layer 4 protocols; you would need a "translator".

> Basically, I have a "login" server, and I have "main" servers. There is one
> login server, and there can, but don't have to be, multiple "main" servers.
> I don't want the login server to accept client connections until at least
> one "main" server has connected to it. The point is so people can login with
> the login server, and then get forwarded to one of the "main" servers. The
> "main" servers all have to connect to the login server, but so do the
> clients. Right now the only way I have to authenticate the "main" servers
> when they connect is to accept all connections to the login server, and use
> the data that they send from there. Ideally, I would be able to reject all
> connections to the login server except for connections coming from "main"
> servers.

You need to split this up; a single script won't do this for you. Create daemons on the servers that call home or heartbeat to the authorization server, then some system on the authorization (login) server that keeps a table of server states. The login script can use this table to determine if login should be allowed and where to send the user.
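One way to build the heartbeat table Stoker describes, as an added PHP example that is not code from the thread. It assumes a JSON state file, a pre-shared key with which each "main" server signs its heartbeats (HMAC-SHA256), and a 30-second freshness window; none of these are in the original posts.

```php
<?php
// Added example: heartbeat table on the login server (not from the thread).
// Assumptions: state lives in a JSON file, main servers sign heartbeats with a
// pre-shared key, and a server silent for longer than HEARTBEAT_TTL is down.

const HEARTBEAT_TTL = 30;                    // seconds until a main server counts as dead
const STATE_FILE    = '/tmp/main_servers.json';

// Sending side: built by the daemon running on each main server.
function make_heartbeat(string $secret, string $id, string $host, int $port): array
{
    $msg = ['id' => $id, 'host' => $host, 'port' => $port];
    return [$msg, hash_hmac('sha256', json_encode($msg), $secret)];
}

// Receiving side: the heartbeat endpoint on the login server.
function record_heartbeat(string $stateFile, string $secret, array $msg, string $sig): bool
{
    // Constant-time comparison so an unsigned or forged heartbeat cannot
    // register a fake "main" server in the table.
    $expected = hash_hmac('sha256', json_encode($msg), $secret);
    if (!hash_equals($expected, $sig)) {
        return false;
    }
    $table = is_file($stateFile) ? (json_decode(file_get_contents($stateFile), true) ?: []) : [];
    $table[$msg['id']] = ['host' => $msg['host'], 'port' => (int) $msg['port'], 'last_seen' => time()];
    return file_put_contents($stateFile, json_encode($table), LOCK_EX) !== false;
}

// Login script: returns a live main server to forward the user to, or null
// (meaning refuse the login) when no main server has checked in recently.
function pick_main_server(string $stateFile, int $now): ?array
{
    if (!is_file($stateFile)) {
        return null;
    }
    $table = json_decode(file_get_contents($stateFile), true) ?: [];
    $alive = array_filter($table, fn($s) => $now - $s['last_seen'] <= HEARTBEAT_TTL);
    if (!$alive) {
        return null;
    }
    return $alive[array_rand($alive)];      // spread logins across live servers
}

// Constructed demo: one main server checks in, then a login is attempted.
$secret = 'replace-with-a-real-pre-shared-key';
[$msg, $sig] = make_heartbeat($secret, 'main-1', '10.0.0.5', 4000);
record_heartbeat(STATE_FILE, $secret, $msg, $sig);
$server = pick_main_server(STATE_FILE, time());
echo $server ? "login allowed, forward to {$server['host']}:{$server['port']}\n"
             : "login refused: no main server online\n";
```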