Feature request: IP access list

[auyongtc]

Hi there,

Was wondering if the code is able to accommodate an IP access list in config file to validate the access for incoming connections to sniproxy?

Thanks!

[dlundquist]

Currently sniproxy doesn't support access lists. I haven't considered this a high priority:

• This would require an efficient data structure to represent the access list. I would want to support CIDR ranges and both IPv4 and IPv6 including IPv6 mapped IPv4 addresses. CIDR ranges would require implementing most specific match.
• The source address is not available to sniproxy until accepting the client connection. Any access list implementation should implement access list looks efficiently to reduce DoS potential. We do not want to preform a linear search for every incoming connection.
• IPTables provides a very efficient access control list implementation. Most deployments of sniproxy are listening on privileged ports, so the deployer presumably has access to iptables.

See also #93, #44

[auyongtc]

Thanks for the detailed response! The reason for asking this is because iptables is not useful in my situation where ISPs in my country uses mandatory transparent proxies (a whole cluster of them) for any outgoing HTTP port 80 connections.

[dlundquist]

I don't see how outbound transparent proxies for port 80, prevent using iptables to inbound traffic to whatever port SNIProxy is listening on.

   iptables -A INPUT -m tcp -p tcp -s $TRUSTED_IP1 --dport $SNIPROXY_PORT -j ACCEPT
   iptables -A INPUT -m tcp -p tcp -s $TRUSTED_IP2 --dport $SNIPROXY_PORT -j ACCEPT
   iptables -A INPUT -m tcp -p tcp --dport $SNIPROXY_PORT -j DROP

Alternatively you could try verify new connections in accept_connection() with TCP wrappers or similar, be sure to return 1 when rejecting connections, otherwise accept_cb() will suspend accepting new connections for 2 seconds.