I need to do a port forward on Clear OS 6. I can do the port forward but I need to set it up so that only a particular IP address is allowed in.
So I need to forward port 80 to an internal IP address of 10.10.250.20.
I need to make sure that 16.42.64.94 is the only IP address that is allowed to use this port.
How can I do this?
Brad
Responses (10)
-
Accepted Answer
Try adding two (2) rules to your Custom Firewall.
The first rule added and at the top should be the rule that Nick Howitt noted. That will drop all port 80 to your COS box.
Rule 2 should be:
iptables -t filter -I FORWARD -s 16.42.64.94 -d 10.10.250.20 -p tcp --dport 80 -j ACCEPT
It works great for me in forwarding a specific port from a specific WAN IP to a specific LAN IP.
John -
Accepted Answer
John Jarrett wrote:
Try adding two (2) rules to your Custom Firewall.
The first rule added and at the top should be the rule that Nick Howitt noted. That will drop all port 80 to your COS box.
Rule 2 should be:
iptables -t filter -I FORWARD -s 16.42.64.94 -d 10.10.250.20 -p tcp --dport 80 -j ACCEPT
It works great for me in forwarding a specific port from a specific WAN IP to a specific LAN IP.
John
Not quite. My rule drops any port 80 traffic from the WAN being forwarded except from the one source IP. There is no need for the second rule as it is covered by the standard port forwarding rule which does more than just add a rule to the FORWARD chain. It also adds rules to the PREROUTING and POSTROUTING chains.
-
Accepted Answer
Nick Howitt wrote:
The easiest way is possibly to add a general port forward rule then a custom rule:
iptables -I FORWARD ! -s 16.42.64.94 -i ethX -p tcp --dport 80 -j DROP
Please check the rule at the command line, substituting ethX with your WAN interface, before you add it to the custom firewall module.
It's working perfectly! Thank you!
How do I set 2 incoming IP addresses? -
Accepted Answer
You can use that for your first custom rule then add further rules:
iptables -I FORWARD -s your_second_IP -i ethX -p tcp --dport 80 -j ACCEPT
or you could change the first rule removing the -s switch so it becomes a single drop rule then have multiple allow rules.
I think you can list up to 16 IPs in a single rule (comma separated), which would work in this case with the ACCEPT rule but it would not work with the DROP rule. This is because the rule instantiates and creates multiple rules, one for each IP, when it loads iptables. -
Accepted Answer
Your solution is a bit heavy handed. As you are using a custom firewall rule anyway, you may as well just do it in a single rule. Do not open the incoming firewall then:
$IPTABLES -I INPUT -s ipadress -p tcp --dport 10000 -j ACCEPT
In the command line use "iptables" but in the custom firewall, use "$IPTABLES".
-
Accepted Answer
Hi Nick,
Thank you, it's working!
Still struggling with multiple IP address ranges in forwarding rule.
I now have a rule which forwards the port and a custom rule:
$IPTABLES -I FORWARD 69.162.124.224/28, 63.143.42.240/28, 216.245.221.80/28 -i enp13s0 -p tcp --dport 10000 -j ACCEPT
But now it allows all IPs to connect. -
Accepted Answer
Port forwarding is a little trickier. You'll need a DROP rule as well for everything which should go above the ACCEPT rule in the custom firewall so it ends up below it in the FORWARD chain. Alternatively, forget the port forward rule in the webconfig and add the PREROUTING and POSTROUTING rules in the custom firewall rule as well as the FORWARD rule.
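The rule ordering discussed in this thread, as an added example (not code from any poster or from ClearOS): a small Python model of first-match evaluation in the FORWARD chain for the forwarded port. It assumes the webconfig port forward leaves an ACCEPT for any source in FORWARD and that every custom rule is added with -I; the Rule class, the helper names and the two test addresses are constructed for illustration.

```python
import ipaddress

class Rule:
    """One FORWARD rule for the forwarded port: a target plus an optional (negated) source."""
    def __init__(self, target, source=None, negate=False):
        self.target = target
        self.net = ipaddress.ip_network(source) if source else None
        self.negate = negate

    def matches(self, src):
        if self.net is None:                 # no -s given: matches every source
            return True
        return (ipaddress.ip_address(src) in self.net) != self.negate

def expand(target, sources, negate=False):
    """Model a comma-separated -s list: one rule per address or range."""
    return [Rule(target, s, negate) for s in sources]

def build_chain(custom_rules):
    """Assumption: the webconfig port forward leaves an ACCEPT for any source."""
    chain = [Rule("ACCEPT")]
    for rule in custom_rules:                # custom firewall file, top to bottom
        chain.insert(0, rule)                # -I FORWARD puts each rule at the head
    return chain

def verdict(chain, src):
    """Return the target of the first rule that matches the source."""
    for rule in chain:
        if rule.matches(src):
            return rule.target
    return "DROP"                            # not reached: the chain ends in ACCEPT-any

ALLOWED = ["69.162.124.224/28", "63.143.42.240/28", "216.245.221.80/28"]  # ranges from the thread
INSIDER, OUTSIDER = "63.143.42.241", "198.51.100.7"   # constructed test addresses

def scenarios():
    """Map each rule layout to (verdict for INSIDER, verdict for OUTSIDER)."""
    cases = {
        "accept_only": expand("ACCEPT", ALLOWED),
        "drop_then_accept": [Rule("DROP")] + expand("ACCEPT", ALLOWED),
        "accept_then_drop": expand("ACCEPT", ALLOWED) + [Rule("DROP")],
        "negated_drop_list": expand("DROP", ALLOWED, negate=True),
    }
    return {name: (verdict(build_chain(rules), INSIDER),
                   verdict(build_chain(rules), OUTSIDER))
            for name, rules in cases.items()}

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:18} insider={result[0]:6} outsider={result[1]}")
```

Only the layout with the catch-all DROP written first in the custom firewall file, followed by the ACCEPT rules, admits the listed ranges and blocks everyone else.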