Restrict open port to specific IP addresses (iptables)

randalla

New Around Here
I use my RT-N66U in my work office. For what I do, I have a port open on the router, which was simple to do with the built in NAT. However, what I need to do is restrict that port to only be accessible on the WAN by a couple of specific external IPs.

I bought the RT-N66U understanding that it was Linux based with iptables, which should be able to do what I want. I can telnet in and play with iptables, but I don't know what to add to the filter table (if that's the right one) to drop the connection except from my allowed IPs.

I am currently using my Windows firewall to do what I'm trying to do on the router, but it's not an ideal solution as it conflicts with another firewall service. I can't go into details on that.

Any help would be greatly appreciated.

Other things: The RT-N66U is currently stock, with firmware version 3.0.0.4.270. I understand that any changes I make to iptables will not persist beyond reboots, and this is fine for now. I'll move over to the jffs enabled version I've seen here, once I know that it all works.
 
I don't own an Asus router, but most routers allow you to create an ACL (access list) on the WAN side to only allow certain IP addresses in and restrict them to certain ports. I would think you could do this.
 
On my machine with Merlin's firmware I have restricted access to ssh (port 22), which is forwarded to a machine on my network. The router's ssh port isn't open on the WAN.

I have this in my nat-start script /jffs/scripts/nat-start


#!/bin/sh

# load ipset modules
#
IPSET_PATH=/lib/modules/2.6.22.19/kernel/net/ipv4/netfilter
insmod $IPSET_PATH/ip_set.ko
insmod $IPSET_PATH/ip_set_nethash.ko
insmod $IPSET_PATH/ip_set_iphash.ko
insmod $IPSET_PATH/ipt_set.ko

# load the recent module to support iptables -m recent
#
modprobe xt_recent

# if somebody tries to ssh in more than 4 times in 60 seconds, then drop the connection
#
iptables -t nat -N SSH_CHECK
iptables -t nat -I VSERVER -p tcp --dport 22 -m state --state NEW -j SSH_CHECK
iptables -t nat -A SSH_CHECK -m recent --set --name SSH
iptables -t nat -I SSH_CHECK -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP

# block incoming traffic from some countries.
ipset -q --destroy BlockedCountries
ipset --restore < /jffs/scripts/ipset.save
iptables -t nat -I PREROUTING -m set --set BlockedCountries src -j DROP

----------

The ipset stuff at the end blocks anyone that is in China, etc.

If you wanted it to be a whitelist you could do that; I'm not sure of the syntax, but you could Google for it.
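The script above rate-limits ssh and blocks countries rather than whitelisting. As an added example that is not from this thread, here is a nat-start fragment doing what the original question asks: it lets an already-forwarded TCP port through only from specific WAN addresses. It assumes the WAN interface is eth0 and uses constructed sample values for the port and the allowed addresses.

```sh
#!/bin/sh
# Added example (not the thread's own script): allow an already-forwarded TCP port
# only from listed WAN source addresses and drop everyone else. Port forwarding
# (DNAT in the nat table) has already happened when packets reach the filter
# table's FORWARD chain, which is where this check is hooked in.
# Assumptions: the WAN interface is eth0 (check with `nvram get wan0_ifname`);
# port 3389 and the two source ranges below are constructed sample values.

WAN_IF="${WAN_IF:-eth0}"
DRY_RUN="${DRY_RUN:-1}"   # preview by default; export DRY_RUN=0 on the router to apply

# Runs iptables, or just prints the command in preview mode.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# whitelist_port PORT SOURCE...   (each SOURCE is a host address or a CIDR block)
whitelist_port() {
    port="$1"; shift
    chain="WAN_ALLOW_${port}"

    # Rebuild from scratch so rerunning nat-start does not stack duplicate rules.
    ipt -t filter -D FORWARD -i "$WAN_IF" -p tcp --dport "$port" \
        -m state --state NEW -j "$chain" 2>/dev/null || true
    ipt -t filter -F "$chain" 2>/dev/null || true
    ipt -t filter -X "$chain" 2>/dev/null || true
    ipt -t filter -N "$chain"

    # Listed sources leave the chain (RETURN) and continue through the normal
    # forwarding rules; everything else is dropped.
    for src in "$@"; do
        ipt -t filter -A "$chain" -s "$src" -j RETURN
    done
    ipt -t filter -A "$chain" -j DROP

    # Only NEW connections arriving on the WAN interface are sent to the chain,
    # so reply packets and LAN-side traffic are never affected.
    ipt -t filter -I FORWARD -i "$WAN_IF" -p tcp --dport "$port" \
        -m state --state NEW -j "$chain"
}

# Sample: port 3389 reachable only from one host and one /24 (RFC 5737 ranges).
whitelist_port 3389 203.0.113.10 198.51.100.0/24
```

Run it once with DRY_RUN left at 1 to review the rules, then `iptables -L WAN_ALLOW_3389 -n -v` on the router after applying shows the per-source counters.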
 
For a port-forward rule that would only allow a specific IP in, see the example on the Wiki.
 
Just curious about the ASUS routers: do they not have a GUI where you can assign ACLs on the WAN interface?
 
