IP Access Control
Restrict tunnel access with an IP allow list (whitelist) and deny list (blacklist).
Allow List (Whitelist)
Only allow specific IP addresses:
```bash
drip http 3000 --allow-ip 192.168.1.100
```
Allow multiple IPs (comma-separated):
```bash
drip http 3000 --allow-ip 192.168.1.100,192.168.1.101,10.0.0.50
```
Allow entire network using CIDR notation:
```bash
drip http 3000 --allow-ip 192.168.0.0/16
```
Allow multiple networks:
```bash
drip http 3000 --allow-ip 192.168.0.0/16,10.0.0.0/8
```
Deny List (Blacklist)
Block specific IP addresses:
```bash
drip http 3000 --deny-ip 1.2.3.4
```
Block multiple IPs:
```bash
drip http 3000 --deny-ip 1.2.3.4,5.6.7.8
```
Block entire network:
```bash
drip http 3000 --deny-ip 192.168.1.0/24
```
Combining Allow and Deny
Allow a network but block specific IPs within it:
```bash
drip tcp 5432 --allow-ip 192.168.1.0/24 --deny-ip 192.168.1.100
```
Priority: Deny list is checked first. If an IP matches a deny rule, it's blocked even if it also matches an allow rule.
IPv4 and IPv6 Support
Both IPv4 and IPv6 addresses are supported:
```bash
# IPv4
drip http 3000 --allow-ip 192.168.1.0/24
# IPv6
drip http 3000 --allow-ip 2001:db8::/32
```
Single IPs are automatically converted to /32 (IPv4) or /128 (IPv6).
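The rule semantics described above (deny list checked first, bare addresses widened to /32 or /128), modeled as an added example for checking a rule set before exposing a tunnel. This is not drip's own code: the function names are hypothetical, and it assumes that with no allow list every address not on the deny list is accepted.

```python
import ipaddress


def parse_rules(spec):
    """Parse a comma-separated --allow-ip / --deny-ip value into networks."""
    nets = []
    for item in filter(None, (s.strip() for s in spec.split(","))):
        # A bare address becomes /32 (IPv4) or /128 (IPv6), as the page states.
        # strict=True is this example's choice: it raises ValueError on entries
        # with host bits set (e.g. 192.168.1.5/24), which are usually typos.
        nets.append(ipaddress.ip_network(item, strict=True))
    return nets


def matches(addr, nets):
    # An address can only match a network of its own family (IPv4 vs IPv6).
    return any(addr.version == n.version and addr in n for n in nets)


def decide(client_ip, allow="", deny=""):
    """Return "allow" or "deny" for client_ip (hypothetical helper)."""
    addr = ipaddress.ip_address(client_ip)
    if matches(addr, parse_rules(deny)):
        return "deny"  # deny list is checked first and wins over any allow rule
    allow_nets = parse_rules(allow)
    if allow_nets and not matches(addr, allow_nets):
        return "deny"  # an allow list is set and the client is not on it
    return "allow"  # assumption: with no allow list, non-denied IPs pass


def audit(allow, deny, probes):
    """Map each probe address to the decision the rule set would produce."""
    return {ip: decide(ip, allow, deny) for ip in probes}


if __name__ == "__main__":
    # Constructed probe addresses for the page's combined example:
    # --allow-ip 192.168.1.0/24 --deny-ip 192.168.1.100
    probes = ["192.168.1.100", "192.168.1.50", "10.0.0.1", "2001:db8::1"]
    for ip, verdict in audit("192.168.1.0/24", "192.168.1.100", probes).items():
        print(f"{ip:>15}  {verdict}")
```

Note that an IPv4-only allow list rejects every IPv6 client in this model, so dual-stack deployments need rules for both families.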
Access Denied Response
When an IP is blocked:
- HTTP tunnels: Return `403 Forbidden` with an error message
- TCP tunnels: Close the connection immediately
Private Network Detection
The server automatically detects private network IPs for logging purposes:
- 127.0.0.0/8 (IPv4 loopback)
- 10.0.0.0/8 (RFC 1918 Class A)
- 172.16.0.0/12 (RFC 1918 Class B)
- 192.168.0.0/16 (RFC 1918 Class C)
- ::1/128 (IPv6 loopback)
- fc00::/7 (IPv6 unique local)
- fe80::/10 (IPv6 link-local)
Use Cases
| Scenario | Command |
|---|---|
| Office network only | drip http 3000 --allow-ip 203.0.113.0/24 |
| Block known bad actors | drip http 3000 --deny-ip 1.2.3.4,5.6.7.8 |
| Internal + specific external | drip http 3000 --allow-ip 10.0.0.0/8,203.0.113.50 |
| Database with restricted access | drip tcp 5432 --allow-ip 192.168.1.0/24 |
| Allow your IP only | drip http 3000 --allow-ip YOUR_PUBLIC_IP |