ipshutter - regulate access to a port


    ipshutter gen <NUMBER>
    ipshutter server


This program listens for connections on a port P1 and upon proper authentication temporarily unlocks a second port P2. The unlocking is brief (default two minutes) and only applies to the IP address from which the authentication occurred.

The unlocking uses ipchains, and assumes an ipchains firewall normally blocking protected port P2.

P1, the authentication port, should usually be accessible to the network, while P2 should be blocked by a firewall rule.


ipshutter gen <NUMBER>
Generate NUMBER one-time passwords and record them in the user's .ipshutterpw file. Passwords are also written to STDOUT.

ipshutter server
Must be run as root. Launches a daemon which listens on the authentication port and accepts connections from clients trying to authenticate.


When a remote client desires access to the protected port P2, it makes a TCP connection to the authentication port P1 and sends an authentication string containing the username, password number, and one-time password. This is normally accomplished with a web browser accessing a URL like:



If authentication is successful, the daemon will return a web page saying ``OK''. Otherwise it will break the network connection.

Upon successful authentication, the daemon will delete the used password from the user's .ipshutterpw file and temporarily install a firewall rule to allow access to protected port P1 from the remote client's IP address.

It is assumed that the firewall allows all packets that are part of existing connections. In other words, typically the default REJECT rules have the -y flag so they only apply to packets with the SYN flag set. Therefore the remote client can establish a connection such as ssh during the brief time window when P2 is unlocked, and the connection should continue after P2 is relocked.


A bad event is a malformed client message, connection without a message, timeout waiting for a message, or failed authentication. When a client causes a bad event, the client IP address is temporarily blacklisted. Subsequent connections from the bad client are immediately disconnected. By default, the blacklisting lasts for five minutes.

A client that initiates repeated bad events will be blocked by a firewall rule. By default the block occurs after ten bad events and lasts for ten hours. Then the counter is reset.

The bad event counter is also reset upon successful authentication from that IP address.


All bad events and all successful authentications are recorded in the log file with the date/time and client IP address. Connections from blacklisted IP addresses are not recorded, as they could add substantial noise to the log.


$HOME/.ipshutterpw /var/log/ipshutter /etc/ipshutterrc


Asher Blum <>


Copyright (C) 2002 Asher Blum. All rights reserved. This code is free software, licensed under the GNU GPL.