How can I restrict incoming IP addresses to ports that have been forwarded?



New Around Here
I have an NGINX web server running on ports 80 and 443 that I use in conjunction with Cloudflare to externally serve my web applications to my domains/subdomains.

Ideally, I'd like to be able to specify that the following list of Cloudflare IP addresses are the only ones allowed through on those ports:

Any other IP should receive a drop packet under the assumption that if it isn't originating from Cloudflare, it's probably someone with malicious intentions. I'd like to send a drop packet so no one other than Cloudflare will even realize the ports are open.

When you set up a port forward in Asuswrt, I see the option for source IP - can I enter an IP range in this field? And can I enter multiple ranges, or do I need to create a separate port forwarding rule for each of the Cloudflare IP ranges?



Very Senior Member
You can add either a host ( or network ( in the Source IP field. But you can't add an IP range like you would a port range (e.g., Of course, you can create multiple port forwards that differ only by the Source IP.


Asuswrt-Merlin dev
Might be simpler to instead implement the ACL at the nginx end of things if you need to manage multiple subnets.
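
The nginx-side ACL suggested in the reply above, sketched as an added example (not code from the thread or from Asuswrt-Merlin). The CIDR ranges are RFC 5737 documentation placeholders rather than Cloudflare's real list, and the server name, certificate paths and backend address are hypothetical.

```nginx
# Place in the http {} context, for example a file under conf.d/
# (file location is an assumption about the local nginx layout).

# Map the connecting address ($remote_addr by default) to 1 if it is
# inside an allowed network, 0 otherwise. One line per subnet, so a
# long list of ranges stays in a single place.
geo $from_cloudflare {
    default          0;

    # Constructed placeholder networks (RFC 5737). Replace them with
    # the ranges Cloudflare currently publishes.
    192.0.2.0/24     1;
    198.51.100.0/24  1;
    203.0.113.0/24   1;
}

server {
    listen 80;
    listen 443 ssl;
    server_name app.example.com;                        # hypothetical

    ssl_certificate     /etc/nginx/tls/app.example.com.crt;  # hypothetical path
    ssl_certificate_key /etc/nginx/tls/app.example.com.key;  # hypothetical path

    # Any client outside the allowed networks gets no HTTP response at
    # all: 444 is an nginx-specific code that closes the connection.
    # (A plain "deny all;" would answer with 403 instead.)
    if ($from_cloudflare = 0) {
        return 444;
    }

    location / {
        proxy_pass http://127.0.0.1:8080;               # hypothetical backend
    }
}
```

Unlike a firewall drop on the router, the TCP handshake (and on 443 the TLS handshake) still completes before nginx closes the connection, so a scanner will still see the ports as open. Check the file with `nginx -t` before reloading.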
