[Twisted-Python] Blacklisting hosts

Chris Norman chris.norman2 at googlemail.com
Mon Aug 10 15:43:31 MDT 2015


Hello,

> On 10 Aug 2015, at 03:32, Glyph <glyph at twistedmatrix.com> wrote:
> 
>> 
>> On Aug 9, 2015, at 9:07 AM, Cory Benfield <cory at lukasa.co.uk> wrote:
>> 
>> 
>>> On 8 Aug 2015, at 08:07, Chris Norman <chris.norman2 at googlemail.com> wrote:
>>> 
>>> Hi all,
>>> I am using Twisted to make a game server. I want to be able to ban IP addresses. Currently I check if the host is in a blacklist, and if it is, call abortConnection on the transport. It works fine, but I'm thinking there should be a better way, to actively refuse the connection in the first place?
>> 
>> I am not aware of any hook in the BSD socket API that lets you refuse a connection entirely. Generally, you put a socket into ‘listen’ mode (indicating to the OS that you’ll accept new connections), and then you call accept() to get the new connection. In fact, the OS will accept the connection even before you call accept(): it’ll do it asynchronously, and you will just get the FD for the connection. IIRC Windows has a winsock specific thing that might do what you want, but that’s pretty platform specific and probably doesn’t actually prevent the connection getting established anyway.
>> 
>> If you really want to never allow the connection at all, you’ll probably want to program iptables (or some other firewall if you aren’t on Linux) to do the packet filtering for you. A combination of iptables and ipsets will get you a high-performance IP address blacklist that will drop all packets before they ever reach your application.
> 
> 
> There is a shortcut in Twisted, at least, although it does not actually refuse the initial connection for the reasons listed above; you can examine the "addr" passed to IProtocolFactory.buildProtocol and return None.

This is perfect, thanks. It would have been better to refuse the connection entirely, but as Cory said, I can use iptables if I get desperate.

> 
> -glyph
> 
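
The buildProtocol shortcut discussed in this thread, as an added example that is not part of the original messages or Twisted's own code. It goes a little beyond the thread by matching CIDR ranges and IPv4-mapped IPv6 peers; `BlacklistMixin`, `parse_blacklist`, `BANNED`, the `Game` protocol and port 4000 are assumptions made for illustration.

```python
import ipaddress

# Constructed sample entries (documentation address ranges), not from the thread.
BANNED = ["203.0.113.7", "198.51.100.0/24"]


def parse_blacklist(entries):
    """Turn single addresses and CIDR ranges into ip_network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


class BlacklistMixin:
    """List before twisted.internet.protocol.Factory in a factory's bases."""

    blacklist = ()

    def is_banned(self, host):
        ip = ipaddress.ip_address(host)
        # A dual-stack listener reports IPv4 peers as ::ffff:a.b.c.d.
        mapped = getattr(ip, "ipv4_mapped", None)
        if mapped is not None:
            ip = mapped
        return any(ip in net for net in self.blacklist)

    def buildProtocol(self, addr):
        if self.is_banned(addr.host):
            # Returning None makes Twisted close the already-accepted socket.
            return None
        return super().buildProtocol(addr)


def main():
    # Imported here so the filter above can be tested without Twisted.
    from twisted.internet import reactor
    from twisted.internet.protocol import Factory, Protocol

    class Game(Protocol):  # hypothetical stand-in for the game protocol
        def connectionMade(self):
            self.transport.write(b"welcome\r\n")

    class GameFactory(BlacklistMixin, Factory):
        protocol = Game
        blacklist = parse_blacklist(BANNED)

    reactor.listenTCP(4000, GameFactory())  # port 4000 is an assumption
    reactor.run()


if __name__ == "__main__":
    main()
```

The TCP handshake has already completed by the time buildProtocol runs, so a banned peer sees a successful connect followed by an immediate close.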