Hello,

I am in need of a solution for an ongoing issue I have.

This issue is that to ensure network security, I have blocked all IPs in iptables, adding rules for only select IPs. BTW, I am using CentOS.

I have a server that needs to be accessed by clients, some of these clients have dynamic IPs, so in order to allow them to see my server, I have to manually add them in iptables.

This has become a heartache lately due to too many clients.

I have been searching for a solution that I can implement in which clients can edit there own IP without much action from me. It needs to be a solution that clients can only edit their one iptables rule, not able to edit all or any rule. Would need to have different user login accounts.

Preferably in PHP, but if any of you know of a solution using a different language I am open to any suggestions.

Regards.

Thank you for in advance.

Do your users need access to the entire machine (I'm guessing no) or only to certain files on the machine?

That sounds pretty tough to do with iptables. Maybe you could allow IP blocks. Usually dynamic IPs are within a certain block an ISP has.

It'd be easy enough to write something like that. It'd also be easy enough to make big mistakes. You'll really have to be very sure about input validation. There's also little that can be done to prevent them from then adding aribitrary addresses.

One way is to apply your basic set of rules and have a separate chain for the dynamic addresses which might even point to additional chains one per customer.