Daniel J. Bernstein's ucspi-tcp package includes a program called tcpserver. tcpserver listens on a specified port and accepts incoming connections. After a successful connection, it runs a specified program. Its biggest advantage is that you don't have to use socket programming in your programs: all you have to do is use the standard input and output descriptors. It also has a feature that lets you define access lists, so you can simply reject or accept connections from specific IPs or networks, and it lets you define environment variables and pass them to your running application. This is done by a program called tcprules, which uses a file-based database called cdb.
The main drawback of this approach is that you don't have a centralized source for all your servers. Every time you change your access lists you have to rebuild the cdb file with the tcprules program and deploy it to all of your servers. This is not practical. Therefore, I added MySQL support to the tcpserver program.
This patch adds a new option called "m". Its parameter is the name of the database config file. Its layout is simple:
database server ip|database user|database password|database name|
For example, create a file called /etc/db.conf containing the following line (since it holds the database password, make it readable only by the user tcpserver runs as):
localhost|root|mypassword|tcprulesdb|
Pass this file to tcpserver with the -m option:
tcpserver -m /etc/db.conf
Now, on the MySQL side, we have to create a database called tcpserver (the name must match the fourth field of the config file) and create a table called 'tcpserver_rules':
mysql> create table tcpserver_rules (itime bigint unsigned, ip_start bigint unsigned, ip_end bigint unsigned, decision int, env varchar(255));
After creating the table, its structure will be as follows:
mysql> describe tcpserver_rules;
+----------+---------------------+------+-----+---------+-------+
| Field    | Type                | Null | Key | Default | Extra |
+----------+---------------------+------+-----+---------+-------+
| itime    | bigint(20) unsigned | YES  |     | NULL    |       |
| ip_start | bigint(20) unsigned | YES  |     | NULL    |       |
| ip_end   | bigint(20) unsigned | YES  |     | NULL    |       |
| decision | int(11)             | YES  |     | NULL    |       |
| env      | varchar(255)        | YES  |     | NULL    |       |
+----------+---------------------+------+-----+---------+-------+
5 rows in set (0.01 sec)
Here are the descriptions of the fields:
itime: rule insertion time in epoch (optional)
ip_start and ip_end: network start and end IP in integer format. The calculation is simple:
IP address = w.x.y.z
integer = 16777216*w + 65536*x + 256*y + z
Example for a small network, 192.168.1.0/24:
192.168.1.0 - 192.168.1.255
3232235776 - 3232236031
decision: 0 means accept incoming connection, 1 means deny incoming connection (default accept)
env: any environment variables you would like to pass to your program (optional)
The following SQL command creates a rule which allows any connection from the 192.168.1.0/24 network and sets the variables mfcheck and RELAYCLIENT.
NOTE: watch out for the trailing "\n" in the env field. When you define any env variable, end it with "\n".
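As an added example (my code, not the patch's own and not the author's SQL command), here is the whole rule workflow in Python: the w.x.y.z to integer formula from above, the start/end pair for a CIDR network, an INSERT row with the newline-terminated env field, and the lookup a server would perform for a connecting address. sqlite3 stands in for MySQL so it runs offline with the table layout shown above (sqlite uses "?" placeholders where MySQL client libraries use "%s"). The values given to RELAYCLIENT and mfcheck are assumed placeholders, and the choice that the most recently inserted matching row wins is my assumption, since the write-up does not say how overlapping ranges are resolved.

```python
import ipaddress
import sqlite3
import time

# Added example, not part of the tcpserver patch. sqlite3 stands in for MySQL so
# the code runs offline; the table layout is the one from the write-up.
TABLE_DDL = (
    "create table tcpserver_rules (itime bigint unsigned, ip_start bigint unsigned, "
    "ip_end bigint unsigned, decision int, env varchar(255))"
)

ACCEPT, DENY = 0, 1  # decision values as defined by the patch


def ip_to_int(addr):
    """w.x.y.z -> 16777216*w + 65536*x + 256*y + z (the formula from the write-up)."""
    parts = [int(p) for p in addr.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError("not a dotted-quad IPv4 address: %s" % addr)
    w, x, y, z = parts
    return 16777216 * w + 65536 * x + 256 * y + z


def cidr_range(cidr):
    """Return the (ip_start, ip_end) integers for a network in CIDR notation."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    return ip_to_int(str(net.network_address)), ip_to_int(str(net.broadcast_address))


def make_rule(cidr, decision, env_vars=None, itime=None):
    """Build one tcpserver_rules row. env is KEY=VALUE lines, each terminated by
    the "\\n" the write-up warns about, and must fit varchar(255)."""
    start, end = cidr_range(cidr)
    env = "".join("%s=%s\n" % (k, v) for k, v in (env_vars or {}).items())
    if len(env) > 255:
        raise ValueError("env exceeds varchar(255)")
    return (itime if itime is not None else int(time.time()), start, end, decision, env)


def render_insert(rule):
    """Render a rule as a MySQL INSERT for pasting into the mysql client; newlines
    in env are written as the \\n escape that MySQL string literals understand."""
    itime, start, end, decision, env = rule
    literal = env.replace("\\", "\\\\").replace("'", "\\'").replace("\n", "\\n")
    return "insert into tcpserver_rules values (%d, %d, %d, %d, '%s');" % (
        itime, start, end, decision, literal)


def insert_rule(conn, rule):
    # Parameterized, so env text is never spliced into the statement.
    conn.execute("insert into tcpserver_rules values (?, ?, ?, ?, ?)", rule)


def lookup(conn, client_ip):
    """Decide for one connecting address: returns (decision, env_dict).
    Assumption: newest matching row wins; no match means accept with no env."""
    row = conn.execute(
        "select decision, env from tcpserver_rules "
        "where ? between ip_start and ip_end order by itime desc limit 1",
        (ip_to_int(client_ip),),
    ).fetchone()
    if row is None:
        return ACCEPT, {}
    decision, env = row
    # Split on the newline terminators; a missing trailing "\n" would still parse
    # here, but the patch expects it, so make_rule always writes it.
    env_dict = dict(line.split("=", 1) for line in env.split("\n") if "=" in line)
    return decision, env_dict


def build_demo_db():
    """Constructed sample rules in an in-memory database (not real site data).
    RELAYCLIENT="" and mfcheck="1" are assumed placeholder values."""
    conn = sqlite3.connect(":memory:")
    conn.execute(TABLE_DDL)
    insert_rule(conn, make_rule("192.168.1.0/24", ACCEPT,
                                {"RELAYCLIENT": "", "mfcheck": "1"}, itime=1000))
    insert_rule(conn, make_rule("10.0.0.0/8", DENY, itime=1001))
    conn.commit()
    return conn


if __name__ == "__main__":
    print(render_insert(make_rule("192.168.1.0/24", ACCEPT,
                                  {"RELAYCLIENT": "", "mfcheck": "1"}, itime=1000)))
    db = build_demo_db()
    for ip in ("192.168.1.77", "10.1.2.3", "8.8.8.8"):
        print(ip, lookup(db, ip))
```

Running it prints the INSERT statement for the 192.168.1.0/24 rule and then the decision and environment for three constructed client addresses: accepted with RELAYCLIENT and mfcheck set, denied by the 10.0.0.0/8 rule, and accepted by default with no rule matching.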
Download the patch here.