Network Services Filter for URL instead IP

Kamikaze01

Regular Contributor
Hello friends of Asus Merlin :)

Just want to ask if there is a way to set a rule for a device to connect only to a specific URL in the WAN?

Background:
I want to allow my security cam to connect only to a specific SMTP server to send alerts.
No other IP or URL should be allowed.
For external access I use VPN, but I want to get e-mail alerts... So I have to allow the connection to the SMTP server.

BUT this SMTP server sometimes changes its IP :( This is why I want to allow the server URL instead of the IP.

Is there a way to do so?

:)

Thanks !!
 
It changes the SMTP server? That seems odd. Is it possible it's using a single domain name that's mapped to multiple public IPs? And when that happens, that causes it to change (usually in round-robin fashion)? Because if it does, then you could determine those public IPs using nslookup and create rules on that basis.

IOW, I doubt the choice of public IP can't be pre-determined to the point you need to depend on the URL.

P.S. Of course, you could probably more easily just allow access based on the SMTP destination port using firewall rules (assuming that's consistent), irrespective of the public IP.
 
Thank you @eibgrad for your participation and quick response :)


Let's say my security cam is 192.168.1.2.
The SMTP port is the well-known 587.

So how to set the correct firewall rules?

Because this will result in denying all other clients in my LAN :( everything is offline...
 
Because this will result in denying all other clients in my LAN :( everything is offline...

I know. That's why creating an Allow list isn't practical in most cases. You need to add firewall rules for such purposes using a firewall-start script.

Code:
#!/bin/sh

SCRIPTS_DIR='/jffs/scripts'
SCRIPT="$SCRIPTS_DIR/firewall-start"

mkdir -p $SCRIPTS_DIR

create_script() {
# Quoted heredoc: nothing inside is expanded when writing the script.
cat << 'EOF' > $SCRIPT
#!/bin/sh
# -I inserts at the top of the chain, so the REJECT goes in first and the
# more specific ACCEPT inserted afterwards lands above it.
iptables -I FORWARD -s 192.168.1.2 -j REJECT
iptables -I FORWARD -s 192.168.1.2 -p tcp --dport 587 -j ACCEPT
EOF
chmod +x $SCRIPT
}

if [ -f $SCRIPT ]; then
    echo "error: $SCRIPT already exists; requires manual installation"
else
    create_script
    echo 'Done.'
fi
:

You need to enable JFFS scripts in Administration > System. Then copy/paste the above into the window of an SSH session and reboot the router. Note, it will NOT overwrite a pre-existing firewall-start script, including itself.
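As an added example (not eibgrad's script), this is one way to narrow the allow rule further to the addresses the SMTP hostname currently resolves to, following the nslookup suggestion above. The hostname smtp.example.com, the cam address and the nslookup output are constructed so the script runs offline; on the router you would replace SAMPLE_LOOKUP with the output of `nslookup "$SMTP_HOST"`.

```shell
#!/bin/sh
# Added example: generate FORWARD rules that let one LAN host reach TCP/587
# only at the addresses a hostname resolves to. Hostname, cam IP and the
# nslookup output are constructed placeholders, not values from the thread.
CAM_IP='192.168.1.2'
SMTP_HOST='smtp.example.com'   # placeholder
SMTP_PORT=587

# Constructed busybox-style nslookup output so the example runs offline.
SAMPLE_LOOKUP='Server:    192.168.1.1
Address:   192.168.1.1:53

Non-authoritative answer:
Name:      smtp.example.com
Address: 203.0.113.10
Name:      smtp.example.com
Address: 203.0.113.11
Name:      smtp.example.com
Address: 2001:db8::25'

# Print the IPv4 answers only; the resolver's own Address line precedes
# the first Name: line and is skipped, IPv6 answers are filtered out.
resolve_v4() {
    printf '%s\n' "$1" \
        | awk '/^Name:/ {ans=1} ans && /^Address:/ {print $2}' \
        | grep -E '^[0-9]+(\.[0-9]+){3}$'
}

# Emit the iptables commands. Because -I inserts at the top of the chain,
# the REJECT must be emitted first so every ACCEPT inserted later sits above it.
build_rules() {
    echo "iptables -I FORWARD -s $CAM_IP -j REJECT"
    for ip in $(resolve_v4 "$SAMPLE_LOOKUP"); do
        echo "iptables -I FORWARD -s $CAM_IP -d $ip -p tcp --dport $SMTP_PORT -j ACCEPT"
    done
}

build_rules
```

Since the answers change over time, such a script has to be rerun periodically and the previously inserted rules removed first, otherwise stale ACCEPT entries accumulate in the chain.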
 
You're my man :cool:

That was what I needed to know.
Thank you very much !!!
 