How can I restrict incoming IP addresses to ports that have been forwarded?

halpdesk

New Around Here
I have an NGINX web server running on ports 80 and 443 that I use in conjunction with Cloudflare to externally serve my web applications to my domains/subdomains.

Ideally, I'd like to be able to specify that the following list of Cloudflare IP addresses are the only ones allowed through on those ports:


Any other IP should receive a drop packet under the assumption that if it isn't originating from Cloudflare, it's probably someone with malicious intentions. I'd like to send a drop packet so no one other than Cloudflare will even realize the ports are open.

When you set up a port forward in Asuswrt, I see the option for source IP - can I enter an IP range in this field? And can I enter multiple ranges, or do I need to create a separate port forwarding rule for each of the Cloudflare IP ranges?

Thanks!
 
You can add either a host (199.199.199.199) or network (199.199.199.0/24) in the Source IP field. But you can't add an IP range like you would a port range (e.g., 199.199.199.100:199.199.199.200). Of course, you can create multiple port forwards that differ only by the Source IP.
 
Might be simpler to instead implement the ACL at the nginx end of things if you need to manage multiple subnets.
 
Might be simpler to instead implement the ACL at the nginx end of things if you need to manage multiple subnets.
Would it be possible to implement via iptables? I have an identical use-case and I would like to know if it is possible to implement this on the router side instead...
I tried to implement this on the INPUT chain...but it did not work. Later I learned that the INPUT chain is used for traffic terminating on the router.

I also learned that the port-forwarding rules are on the nat table (which makes total sense).

After searching a bit on the forum, I think the right way to do this on the router side is either on the FORWARD or VSERVER chain;
In your wiki @RMerlin you mention the use of the VSERVER chain, but on another post you also mention the FORWARD chain for a similar use-case.

In your opinion, what is the recommended approach?

Thank you!
 
VSERVER chain will be manipulated whenever port forward rules are changed, while the FORWARD table is really where firewalling is being done.
 
VSERVER chain will be manipulated whenever port forward rules are changed, while the FORWARD table is really where firewalling is being done.
So for this particular case, where I only want to allow incoming connections from certain subnets (i.e. Cloudflare) the FORWARD chain is more suitable, as it would be evaluated whether or not I'm using the port-forwarding chain (which I assume is directly bound to the GUI port-forwarding page).

In my case I have the port-forwarding for 443 enabled through the GUI, and if I want to implement firewall rules against it, it should be done on the FORWARD chain.

Am I correct?
 
So for this particular case, where I only want to allow incoming connections from certain subnets (i.e. Cloudflare) the FORWARD chain is more suitable, as it would be evaluated whether or not I'm using the port-forwarding chain (which I assume is directly bound to the GUI port-forwarding page).

In my case I have the port-forwarding for 443 enabled through the GUI, and if I want to implement firewall rules against it, it should be done on the FORWARD chain.

Am I correct?
That would make the most sense, yes.
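As an added example (not posted in the thread and not part of Asuswrt-Merlin itself): a POSIX shell snippet in the style of a /jffs/scripts/firewall-start script that implements the FORWARD-chain approach agreed on above, so only listed source networks can reach the forwarded web ports and everything else is dropped. The WAN interface name, the NGINX host address and the allowed networks are constructed placeholders (RFC 5737 documentation ranges), not Cloudflare's published list.

```shell
#!/bin/sh
# Added example: restrict a GUI port forward to a set of source networks
# using a dedicated user chain jumped to from FORWARD (not INPUT, which
# only sees traffic terminating on the router).
# Assumed placeholders: WAN_IF, LAN_HOST and ALLOWED_NETS are constructed.

WAN_IF="${WAN_IF:-eth0}"                 # assumed WAN interface
LAN_HOST="${LAN_HOST:-192.168.1.10}"     # constructed NGINX host address
PORTS="80 443"                           # the forwarded web ports
CHAIN="WEB_SRC_ACL"                      # dedicated chain, safe to flush/reload
# Constructed sample list; substitute the published Cloudflare ranges.
ALLOWED_NETS="198.51.100.0/24 203.0.113.0/24"

# Emit the iptables commands instead of running them, so the rule set can be
# reviewed (or tested) before being applied as root on the router.
gen_rules() {
    echo "iptables -N $CHAIN 2>/dev/null"
    echo "iptables -F $CHAIN"
    # Allowed sources RETURN to FORWARD, where Asuswrt's own port-forward
    # accept rules then let the connection through.
    for net in $ALLOWED_NETS; do
        echo "iptables -A $CHAIN -s $net -j RETURN"
    done
    # Anything not listed is silently dropped, so the port looks closed.
    echo "iptables -A $CHAIN -j DROP"
    for port in $PORTS; do
        # Delete first so re-running the script does not duplicate the jump,
        # then -I so the jump sits before the firmware's accept rules.
        echo "iptables -D FORWARD -i $WAN_IF -p tcp -d $LAN_HOST --dport $port -j $CHAIN 2>/dev/null"
        echo "iptables -I FORWARD -i $WAN_IF -p tcp -d $LAN_HOST --dport $port -j $CHAIN"
    done
}

# Apply on the router with:  gen_rules | sh
# Verify afterwards with:    iptables -L FORWARD -nv --line-numbers
```

Because the firmware rewrites FORWARD whenever a port forward changes, keep this in firewall-start so the jump is re-inserted after each rebuild.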
 