So basically we are providing an API, where people connect remotely.
The idea is to deny everyone access/ping to the IP of our server, except the whitelisted people (who are our customers). I was able to reach that goal with CSF.
Then I thought it was the case to add a thread limitation, so I wanted to set a maximum number of parallel connections to our server available for one IP, and the first issue came: the command
iptables -A INPUT -s customerIP -p tcp --syn --dport 80 -m connlimit --connlimit-above NUMBER -j REJECT --reject-with tcp-reset
was fully ignored, since the whitelisted customers have full access and the above rule is ignored (we were using CSF, and I read that iptables gives priority to rules in the order they are added: so if you whitelist an IP and then add a limitation, the limitation will be ignored).
So I am looking into whether on IPFire it is possible to have whitelist-only access and set up a max threads/parallel connections limit per IP (the rules must be IP based, not a general rule).
SECOND QUESTION
Last thing is related to flushing rules.
Let’s say a customer buys 100 threads then his subscription ends: what should we do? How can we flush all the rules for that IP?
On CSF it would be possible to remove the IP manually from the whitelist (csf.allow) and then restart CSF (csf -a), but it would not be one of our best strategies.
The issue comes when I have to remove the thread limitations from iptables, not from CSF, because it seems that on iptables it is not possible to flush rules for a specific IP.
I have found a script that removes rules for a specific IP, but it doesn't seem updated, and it seems not supported anymore.
SUMMARY
So basically I am looking into whether IPFire provides the following things:
- commands on console/API for automatic tasks from a CRM (WHMCS)
- flush rules per IP
- threads/parallel connections/concurrent connections limit per IP.
Thank you!
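The two problems in the post (a per-IP connlimit rule that never fires because a whitelist ACCEPT precedes it, and removing every rule for one IP when a subscription ends) are both ordering and bookkeeping questions on the iptables side, independent of CSF or IPFire. The script below is an added example, not code from the post, CSF or IPFire: it keeps every customer limit in its own chain (the chain name CUSTLIMIT is an assumption) that is jumped to at position 1 of INPUT, so the REJECT is evaluated before any whitelist ACCEPT appended later, and it builds per-IP delete commands by replaying `iptables -S` output with `-A` swapped for `-D`. Every function prints the iptables commands instead of executing them, so it runs offline; the sample `iptables -S` output is constructed.

```shell
#!/bin/sh
# Added example (not from the forum post, CSF or IPFire). Functions print iptables
# commands rather than running them: pipe their output into `sh` on the firewall.
# Chain name CUSTLIMIT and SAMPLE_RULES are assumptions/constructed data.

CHAIN="CUSTLIMIT"

# One-time setup: create the chain and jump to it as rule 1 of INPUT. iptables
# evaluates rules top-down and stops at the first terminating target, so a REJECT
# inside CUSTLIMIT is reached before a whitelist ACCEPT that sits further down INPUT.
setup_cmds() {
  printf 'iptables -N %s\n' "$CHAIN"
  printf 'iptables -I INPUT 1 -j %s\n' "$CHAIN"
}

# Rule that rejects new TCP connections from IP $1 to port $3 (default 80) once
# that IP already holds more than $2 connections. The whitelist entry for the
# customer stays untouched; only the limit lives in CUSTLIMIT.
limit_cmd() {
  ip="$1"; max="$2"; port="${3:-80}"
  printf 'iptables -A %s -s %s -p tcp --syn --dport %s -m connlimit --connlimit-above %s -j REJECT --reject-with tcp-reset\n' \
    "$CHAIN" "$ip" "$port" "$max"
}

# Read `iptables -S CUSTLIMIT` output on stdin and emit one delete command per rule
# whose source is IP $1. iptables prints a bare -s address as /32, and a rule is
# deleted exactly by replaying its own -S line with -A replaced by -D.
flush_cmds_for_ip() {
  ip="$1"
  grep -F -- "-s ${ip}/32 " | sed 's/^-A /iptables -D /'
}

# Count the CUSTLIMIT rules on stdin that belong to IP $1, so a CRM hook can
# verify before/after a flush.
count_rules_for_ip() {
  ip="$1"
  grep -F -c -- "-s ${ip}/32 "
}

# Constructed sample of what `iptables -S CUSTLIMIT` prints after two limit_cmd
# rules were applied (iptables expands --syn into --tcp-flags on output).
SAMPLE_RULES='-N CUSTLIMIT
-A CUSTLIMIT -s 203.0.113.5/32 -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 100 --connlimit-mask 32 --connlimit-saddr -j REJECT --reject-with tcp-reset
-A CUSTLIMIT -s 198.51.100.7/32 -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 20 --connlimit-mask 32 --connlimit-saddr -j REJECT --reject-with tcp-reset'

# Demo run: on a live firewall replace the sample with `iptables -S "$CHAIN"`.
demo() {
  echo "# setup"
  setup_cmds
  echo "# customer 203.0.113.5 buys 100 parallel connections"
  limit_cmd 203.0.113.5 100
  echo "# subscription ends: delete every CUSTLIMIT rule for that IP"
  printf '%s\n' "$SAMPLE_RULES" | flush_cmds_for_ip 203.0.113.5
}

demo
```

Two operational notes: CSF rebuilds its own chains on `csf -r`, so the INPUT jump to CUSTLIMIT would need to be re-added from a post-start hook (CSF provides /etc/csf/csfpost.sh for exactly that); on IPFire, custom iptables rules are usually placed in /etc/sysconfig/firewall.local, which is the natural home for the setup commands.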