
forward ports only for specific IPs?

Discussion in 'HyperWRT Firmware' started by plugh, Sep 4, 2007.

  1. plugh

    plugh Network Guru Member

    I'm guessing this is a case for a 'firewall script'...

    I want to open/forward some ports, but only for connects coming from a few specific IPs. To everyone else the ports should be blocked as they normally would be.

    If such a setup is possible, can someone post an example script?

    Thanks!
     
  2. kop48

    kop48 Network Guru Member

    iptables -A INPUT -i $WAN_IFACE -p TCP --destination-port $PORT -s $SOURCE_IP -j ACCEPT

    Should do it, I think!
     
  3. plugh

    plugh Network Guru Member

    Thanks!

    $PORT and $SOURCE_IP are obvious - what is $WAN_IFACE for the sl54?
     
  4. plugh

    plugh Network Guru Member

    nvram get wan_ifname
    returned 'eth1', so I tried it for $WAN_IFACE in your example.

    I created a firewall script with the line you indicated, substituting values for $wan_iface, $port, and $source_ip. I then added a port forward for that port in the webgui, pointing it at the server. I then rebooted the router.

    Unfortunately, I was still able to connect to the server from an IP address other than the one I specified.

    Help?
     
  5. plugh

    plugh Network Guru Member

    After poking at this for longer than I liked, I came up with this...

    Configure the port forward in the webgui, then add the following firewall script:

    iptables -D FORWARD #
    iptables -I FORWARD # -p tcp -s X.X.X.X -d 192.168.1.D --dport PPPP -j logaccept
    iptables -I FORWARD # -p tcp -s Y.Y.Y.Y -d 192.168.1.D --dport PPPP -j logaccept
    iptables -I FORWARD # -p tcp -s Z.Z.Z.Z -d 192.168.1.D --dport PPPP -j logaccept
    ...

    where PPPP is the port, X, Y, Z are the permitted IPs, D is the targeted server, and the '#' is determined by running an "iptables -L" command and identifying the ordinal number of the rule the webgui created in the FORWARD chain for the port forwarding.

    Probably cleaner ways of doing it, but it works...
     
  6. kop48

    kop48 Network Guru Member

    Oops, that was noobie of me - I wrote the rule as if the router was the endpoint.

    My bad.
     
