1

I have a socket server that listens and accepts connections from client, which works as follow: 

... do some pre-processing (socket, binds, etc)
//listen to client
if (listen(sockfd, BACKLOG) == -1) {
        perror("listen");
        exit(1);
}

printf("server: waiting for connections...\n");

while(1) {  // main accept() loop
    sin_size = sizeof client_addr;
    new_fd = accept(sockfd, (struct sockaddr *)&their_addr, &sin_size);
    if (new_fd == -1) {
        perror("accept");
        continue;
    }
     //do something .....
    .....
}

How can I restrict the server so it only accepts connection from specific IP addresses? For instance, I can create a text file containing a white list of IP addresses to accept, in the following format:
202.168.2.5 - 202.168.2.127
92.104.3.1 - 92.104.4.254
//and so on

So basically I want to reject connection from all the IP addresses not included in the whitelist. If the socket library API does not support this, I am okay with the idea of accepting the connections first, then just immediately close the socketfd if the peeraddress is not in the whitelist. But how to perform this, how can I check that a specific IP address is within the range specified in my whitelist? Any examples would be appreciated.

all_by_grace
  • 2,315
  • 6
  • 37
  • 52
  • You don't mention an OS, but if you're running on a *nix system you can simply use TCP Wrappers and let it do the work for you. – Brian Roach Mar 14 '12 at 05:59

3 Answers3

3

You want to call getpeername to get the address information from the client. Then check if their IP address is found in the whitelist. If not, disconnect them.

In order to check that their ip address lies within a given range, you want to convert the address bytes into one number. You can do that with the following:

unsigned int n = bytes[0] << 24 | bytes[1] << 16 | bytes[2] << 8 | bytes[3];

If the lower bound of the address range is A, and the upper bound is B, and the client's ip address is X, then they are white listed if (A <= X && X <= B).

If each range of ip addresses tests false, then they aren't on the white list and you should disconnect them.

Marlon
  • 19,924
  • 12
  • 70
  • 101
  • Ahh, okay, make sense. I was doing a lot of if-else to check whether or not it is within the allowed IP range. Doing a bit shifting is a perfect solution. Thanks !! – all_by_grace Mar 14 '12 at 06:08
2

Not sure what the question is here, or rather what the problem is. The client's address will be in their_addr, so just search your whitelist for that. If not found, close. You will probably want to either convert their_addr into the same format as your whitelist entries, or possibly vice versa.

user207421
  • 305,947
  • 44
  • 307
  • 483
  • I mentioned this in the last paragraph of my question. My next question is then: how can I check that a particular IP address is within a specific range? For instance, 92.104.3.120 is within the range of 92.104.3.1 and 92.104.4.254. – all_by_grace Mar 14 '12 at 05:59
  • @all_by_grace If the ranges are all subnets you can just mask. Otherwise you will need to organize a suitable data structure. It's a data structure question, not a networking question. – user207421 Mar 14 '12 at 06:01
  • @all_by_grace - convert start and end IP address to a network byte order `int` using `inet_pton`; you now have a range to check against. – Brian Roach Mar 14 '12 at 06:04
  • @BrianRoach: Yes, thanks ! Problem solved! Either using inet_pton(), or using the bit shifting as specified in Marlon's answer, would solve this. – all_by_grace Mar 14 '12 at 06:13
1

On Windows only, you can use WSAAccept() instead of accept(). WSAAccept() has a parameter that you can pass a callback function to. Before a new connection is accepted, the callback is invoked with the addresses and QOS values for that connection. The callback can then return CF_ACCEPT, CF_DEFER, or CF_REJECT as needed.

Remy Lebeau
  • 555,201
  • 31
  • 458
  • 770