Resolved
0 votes
I need to do a port forward on ClearOS 6. I can do the port forward, but I need to set it up so that only a particular IP address is allowed in.
So I need to forward port 80 to an internal IP address of 10.10.250.20.
I need to make sure that 16.42.64.94 is the only IP address that is allowed to use this port.

How can I do this?

Brad
Saturday, January 09 2016, 07:36 PM
Responses (10)
  • Accepted Answer

    Saturday, January 09 2016, 08:56 PM - #Permalink
    Resolved
    2 votes
    The easiest way is possibly to add a general port forward rule then a custom rule:
    iptables -I FORWARD ! -s 16.42.64.94 -i ethX -p tcp --dport 80 -j DROP
    Please check the rule at the command line, substituting ethX with your WAN interface, before you add it to the custom firewall module.
  • Accepted Answer

    Sunday, January 10 2016, 03:46 AM - #Permalink
    Resolved
    0 votes
    Try adding two (2) rules to your Custom Firewall.

    The first rule added and at the top should be the rule that Nick Howitt noted. That will drop all port 80 to your COS box.

    Rule 2 should be:

    iptables -t filter -I FORWARD -s 16.42.64.94 -d 10.10.250.20 -p tcp --dport 80 -j ACCEPT

    It works great for me in forwarding a specific port from a specific WAN IP to a specific LAN IP.

    John
  • Accepted Answer

    Sunday, January 10 2016, 07:18 AM - #Permalink
    Resolved
    0 votes
    John Jarrett wrote:

    Try adding two (2) rules to your Custom Firewall.

    The first rule added and at the top should be the rule that Nick Howitt noted. That will drop all port 80 to your COS box.

    Rule 2 should be:

    iptables -t filter -I FORWARD -s 16.42.64.94 -d 10.10.250.20 -p tcp --dport 80 -j ACCEPT

    It works great for me in forwarding a specific port from a specific WAN IP to a specific LAN IP.

    John
    Not quite. My rule drops any port 80 traffic from the WAN being forwarded except from the one source IP. There is no need for the second rule, as it is covered by the standard port forwarding rule, which does more than just add a rule to the FORWARD chain. It also adds rules to the PREROUTING and POSTROUTING chains.
  • Accepted Answer

    Saturday, February 23 2019, 02:36 PM - #Permalink
    Resolved
    0 votes
    Nick Howitt wrote:

    The easiest way is possibly to add a general port forward rule then a custom rule:
    iptables -I FORWARD ! -s 16.42.64.94 -i ethX -p tcp --dport 80 -j DROP
    Please check the rule at the command line, substituting ethX with your WAN interface, before you add it to the custom firewall module.


    It is working perfectly! Thank you!
    How do I set 2 incoming IP addresses?
  • Accepted Answer

    Saturday, February 23 2019, 04:44 PM - #Permalink
    Resolved
    1 votes
    You can use that for your first custom rule then add further rules:
    iptables -I FORWARD -s your_second_IP -i ethX -p tcp --dport 80 -j ACCEPT
    or you could change the first rule removing the -s switch so it becomes a single drop rule then have multiple allow rules.

    I think you can list up to 16 IPs in a single rule (comma separated), which would work in this case with the ACCEPT rule, but it would not work with the DROP rule. This is because the rule instantiates and creates multiple rules, one for each IP, when it loads iptables.
  • Accepted Answer

    Thursday, December 26 2019, 01:01 PM - #Permalink
    Resolved
    0 votes
    Hi Nick,

    How can you set one IP directly to the firewall? (So the same as before, only without forwarding?)

    Thanks in advance!
  • Accepted Answer

    Thursday, December 26 2019, 01:36 PM - #Permalink
    Resolved
    0 votes
    1. Open the port in question (for example 10000) in the GUI.
    2. iptables -I INPUT ! -s ipadress -i ethX -p tcp --dport 10000 -j DROP

    :-)
  • Accepted Answer

    Thursday, December 26 2019, 02:16 PM - #Permalink
    Resolved
    0 votes
    Your solution is a bit heavy handed. As you are using a custom firewall rule anyway, you may as well just do it in a single rule. Do not open the incoming firewall then:
    $IPTABLES -I INPUT -s ipadress -p tcp --dport 10000 -j ACCEPT
    In the command line use "iptables" but in the custom firewall, use "$IPTABLES".
  • Accepted Answer

    Thursday, December 26 2019, 02:43 PM - #Permalink
    Resolved
    0 votes
    Hi Nick,

    Thank you, it's working!

    Still struggling with multiple IP address ranges in the forwarding rule.
    I now have a rule which forwards the port and a custom rule:
    $IPTABLES -I FORWARD 69.162.124.224/28, 63.143.42.240/28, 216.245.221.80/28 -i enp13s0 -p tcp --dport 10000 -j ACCEPT
    But now it allows all IPs to connect.
  • Accepted Answer

    Thursday, December 26 2019, 05:39 PM - #Permalink
    Resolved
    0 votes
    Port forwarding is a little trickier. You'll need a DROP rule as well for everything which should go above the ACCEPT rule in the custom firewall so it ends up below it in the FORWARD chain. Alternatively, forget the port forward rule in the webconfig and add the PREROUTING and POSTROUTING rules in the custom firewall rule as well as the FORWARD rule.
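A toy model of the FORWARD chain, added here as an illustration and not part of this thread or of ClearOS: it replays custom firewall lines the way iptables would (-I inserting at the top, -A appending, a comma-separated -s list expanding into one rule per address) and then reports the verdict for a source address. It covers Nick Howitt's single-source "! -s" DROP rule, the comma-list caveat from his February 2019 reply, and the DROP-before-ACCEPT ordering in the reply above. The rule the webconfig port forward contributes to FORWARD is an assumed shape (ClearOS generates its own), 203.0.113.9 and 198.51.100.7 are constructed test addresses, and only the source-address switches are interpreted, so interface, protocol and port are accepted but ignored.

```shell
#!/bin/sh
# Added illustration, not ClearOS code: a toy first-match model of the FORWARD chain.
# Rules are given as the iptables / $IPTABLES command lines of the custom firewall file.
# Interpreted: -I (insert at top), -A (append), "! -s", -s (comma lists expand to one
# rule per address, as iptables does) and -j. Ignored: -t, -i, -p, -d, --dport.

CHAIN=""   # one rule per line, top of chain first: "<negated>|<source>|<verdict>"

ip2int() {   # dotted quad -> 32-bit integer
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

in_net() {   # in_net <ip> <ip-or-cidr>: succeeds when ip lies inside the prefix
    case $2 in
        */*) base=${2%/*}; prefix=${2#*/} ;;
        *)   base=$2; prefix=32 ;;
    esac
    [ "$prefix" -eq 0 ] && return 0
    mask=$(( 4294967295 - ((1 << (32 - prefix)) - 1) ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$base") & mask )) ]
}

apply_rule() {   # apply_rule '<iptables command line>': add it to CHAIN like the kernel would
    op=""; neg=0; src=0.0.0.0/0; verdict=""
    set -- $1
    while [ $# -gt 0 ]; do
        case $1 in
            -I)  op=insert; shift ;;   # the chain name follows and is consumed below
            -A)  op=append; shift ;;
            '!') neg=1 ;;
            -s)  src=$2; shift ;;
            -j)  verdict=$2; shift ;;
        esac
        shift
    done
    old_ifs=$IFS; IFS=,; set -- $src; IFS=$old_ifs   # "-s a,b" becomes one rule per address
    for one in "$@"; do
        entry="$neg|$one|$verdict"
        case $op in
            insert) CHAIN="$entry${CHAIN:+
$CHAIN}" ;;
            append) CHAIN="${CHAIN:+$CHAIN
}$entry" ;;
        esac
    done
}

chain_verdict() {   # chain_verdict <source-ip>: the first matching rule decides
    pkt=$1
    old_ifs=$IFS; IFS='
'; set -- $CHAIN; IFS=$old_ifs
    for rule in "$@"; do
        neg=${rule%%|*}; rest=${rule#*|}; rsrc=${rest%%|*}; v=${rest#*|}
        if in_net "$pkt" "$rsrc"; then hit=1; else hit=0; fi
        [ "$neg" -eq 1 ] && hit=$((1 - hit))
        [ "$hit" -eq 1 ] && { echo "$v"; return 0; }
    done
    echo POLICY   # nothing matched: the chain's default policy applies
}

load_custom_firewall() {   # load_custom_firewall <custom rule>...: replay the file in order
    CHAIN=""
    # Assumed shape of what the webconfig port forward adds to FORWARD (ClearOS generates its own).
    apply_rule 'iptables -A FORWARD -i ethX -p tcp -d 10.10.250.20 --dport 80 -j ACCEPT'
    for r in "$@"; do apply_rule "$r"; done
}

verdict_for() {   # verdict_for <source-ip> <custom rule>...
    pkt=$1; shift
    load_custom_firewall "$@"
    chain_verdict "$pkt"
}

# Single allowed source: 16.42.64.94 falls through to the port forward, everyone else drops.
ONE='iptables -I FORWARD ! -s 16.42.64.94 -i ethX -p tcp --dport 80 -j DROP'
# Several sources: DROP first in the file so that, after the inserts, it sits below the ACCEPTs.
DROP_ALL='$IPTABLES -I FORWARD -i ethX -p tcp --dport 80 -j DROP'
ALLOW_A='$IPTABLES -I FORWARD -s 69.162.124.224/28 -i ethX -p tcp --dport 80 -j ACCEPT'
ALLOW_B='$IPTABLES -I FORWARD -s 63.143.42.240/28 -i ethX -p tcp --dport 80 -j ACCEPT'
# Comma-list caveat: "! -s a,b" expands to two negated rules, so every source matches one of them.
NEG_LIST='iptables -I FORWARD ! -s 16.42.64.94,198.51.100.7 -i ethX -p tcp --dport 80 -j DROP'

printf 'single rule, 16.42.64.94:          %s\n' "$(verdict_for 16.42.64.94 "$ONE")"
printf 'single rule, 203.0.113.9:          %s\n' "$(verdict_for 203.0.113.9 "$ONE")"
printf 'DROP then ACCEPTs, 69.162.124.230: %s\n' "$(verdict_for 69.162.124.230 "$DROP_ALL" "$ALLOW_A" "$ALLOW_B")"
printf 'ACCEPTs then DROP, 69.162.124.230: %s\n' "$(verdict_for 69.162.124.230 "$ALLOW_A" "$ALLOW_B" "$DROP_ALL")"
printf 'negated list, 16.42.64.94:         %s\n' "$(verdict_for 16.42.64.94 "$NEG_LIST")"
```

Run it as a script and the five printf lines show ACCEPT, DROP, ACCEPT, DROP, DROP. The fourth line is the ordering mistake: with the ACCEPT lines ahead of the DROP line in the custom firewall file, the last -I puts the DROP on top of the chain and every source is refused, and the fifth line is why a negated comma list cannot replace separate ACCEPT rules.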