Allowing specific IPs to access port forwarding

Hello guys, I want to port forward nginx ports to WAN but only allow Cloudflare IPs while dropping others, so my ports can stay stealth. Is it possible?

config rule
	option name 'Allow Cloudflare to Nginx'
	option src 'wan'
	list src_ip '103.21.244.0/22'
	list src_ip '103.22.200.0/22'
	list src_ip '103.31.4.0/22'
	list src_ip '104.16.0.0/13'
	list src_ip '104.24.0.0/14'
	list src_ip '108.162.192.0/18'
	list src_ip '131.0.72.0/22'
	list src_ip '141.101.64.0/18'
	list src_ip '162.158.0.0/15'
	list src_ip '172.64.0.0/13'
	list src_ip '173.245.48.0/20'
	list src_ip '188.114.96.0/20'
	list src_ip '190.93.240.0/20'
	list src_ip '197.234.240.0/22'
	list src_ip '198.41.128.0/17'
	option src_port '443 80'
	option dest 'lan'
	list dest_ip '192.168.0.4'
	option dest_port '443 80'
	option target 'ACCEPT'
	option enabled '0'

The rule shown is forwarding from wan to lan. Is that a mispronunciation or is the rule wrong?

I want to forward ports to WAN, but only certain IPs should be able to access the forwarded ports from WAN. I'm not sure if I'm heading in the right direction. The rule probably doesn't make sense.

Depends on what you want to achieve, doesn't it?

So do you want to forward from lan->wan or wan->lan? The rule above would forward wan->lan.

config redirect
	option name 'Allow Cloudflare to Nginx'
	option src 'wan'
	list src_ip '103.21.244.0/22'
	list src_ip '103.22.200.0/22'
	list src_ip '103.31.4.0/22'
	list src_ip '104.16.0.0/13'
	list src_ip '104.24.0.0/14'
	list src_ip '108.162.192.0/18'
	list src_ip '131.0.72.0/22'
	list src_ip '141.101.64.0/18'
	list src_ip '162.158.0.0/15'
	list src_ip '172.64.0.0/13'
	list src_ip '173.245.48.0/20'
	list src_ip '188.114.96.0/20'
	list src_ip '190.93.240.0/20'
	list src_ip '197.234.240.0/22'
	list src_ip '198.41.128.0/17'
	option src_dport '443 80'
	option dest 'lan'
	list dest_ip '192.168.0.4'
	option dest_port '443 80'
	option target 'ACCEPT'

Got an error: (uci.get(...) || "").toLowerCase is not a function. I'm gonna try to use ipset.

Ok, this worked for me. Now my ports are stealth again, no nmap etc.

config redirect
        option target 'DNAT'
        option name 'Pi Nginx (1)'
        option src 'wan'
        option src_dport '443'
        option ipset 'cloudflare'
        option dest 'lan'
        option dest_port '443'
        option dest_ip '192.168.0.4'

config ipset
        option name 'cloudflare'
        option match 'src_net'
        option storage 'hash:ip'
        option enabled '1'
        list entry '103.21.244.0/22'
        list entry '103.22.200.0/22'
        list entry '103.31.4.0/22'
        list entry '104.16.0.0/13'
        list entry '104.24.0.0/14'
        list entry '108.162.192.0/18'
        list entry '131.0.72.0/22'
        list entry '141.101.64.0/18'
        list entry '162.158.0.0/15'
        list entry '172.64.0.0/13'
        list entry '173.245.48.0/20'
        list entry '188.114.96.0/20'
        list entry '190.93.240.0/20'
        list entry '197.234.240.0/22'
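An added check, not part of the thread and not OpenWrt code: before trusting a source-restricted port forward, a defender wants to confirm what the ipset actually admits. The script below parses the 'config ipset' section exactly as posted above, answers whether a given source address would be allowed through the redirect, and compares the ipset entries with the 15 prefixes listed in the first post's 'config rule' (the working ipset above lists 14, so the comparison reports the 198.41.128.0/17 prefix as not covered). The client addresses used in the test are constructed; the UCI text is the thread's own.

```python
"""Check a UCI firewall ipset allow-list against sample source addresses.

Added example (not from the forum thread or the OpenWrt project). It reads
the 'config ipset' section in the form fw3/fw4 use, then checks which
source addresses fall inside the set and which prefixes from the original
traffic rule are not covered by the set at all.
"""
import ipaddress

# Copy of the working 'config ipset' posted in the thread.
IPSET_UCI = """
config ipset
        option name 'cloudflare'
        option match 'src_net'
        option storage 'hash:ip'
        option enabled '1'
        list entry '103.21.244.0/22'
        list entry '103.22.200.0/22'
        list entry '103.31.4.0/22'
        list entry '104.16.0.0/13'
        list entry '104.24.0.0/14'
        list entry '108.162.192.0/18'
        list entry '131.0.72.0/22'
        list entry '141.101.64.0/18'
        list entry '162.158.0.0/15'
        list entry '172.64.0.0/13'
        list entry '173.245.48.0/20'
        list entry '188.114.96.0/20'
        list entry '190.93.240.0/20'
        list entry '197.234.240.0/22'
"""

# The 15 src_ip prefixes from the first post's 'config rule'.
RULE_PREFIXES = [
    "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22", "104.16.0.0/13",
    "104.24.0.0/14", "108.162.192.0/18", "131.0.72.0/22", "141.101.64.0/18",
    "162.158.0.0/15", "172.64.0.0/13", "173.245.48.0/20", "188.114.96.0/20",
    "190.93.240.0/20", "197.234.240.0/22", "198.41.128.0/17",
]


def parse_uci(text):
    """Minimal UCI parser: returns a list of sections with options and lists."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(None, 2)
        if parts[0] == "config":
            sections.append({"type": parts[1], "options": {}, "lists": {}})
        elif parts[0] == "option":
            sections[-1]["options"][parts[1]] = parts[2].strip("'\"")
        elif parts[0] == "list":
            sections[-1]["lists"].setdefault(parts[1], []).append(parts[2].strip("'\""))
    return sections


def ipset_networks(sections, name):
    """Return the entries of the named, enabled ipset as ip_network objects."""
    for sec in sections:
        if (sec["type"] == "ipset"
                and sec["options"].get("name") == name
                and sec["options"].get("enabled", "1") != "0"):
            return [ipaddress.ip_network(e, strict=False)
                    for e in sec["lists"].get("entry", [])]
    raise KeyError(f"no enabled ipset named {name!r}")


def is_allowed(src, networks):
    """True if the source address is inside any network of the set."""
    addr = ipaddress.ip_address(src)
    return any(addr.version == net.version and addr in net for net in networks)


def missing_prefixes(required, networks):
    """Prefixes from `required` that no network in the set fully covers."""
    missing = []
    for prefix in required:
        want = ipaddress.ip_network(prefix, strict=False)
        covered = any(want.version == net.version and want.subnet_of(net)
                      for net in networks)
        if not covered:
            missing.append(prefix)
    return missing


# Parsed once at import so both the stand-alone run and the checks share it.
CLOUDFLARE_SET = ipset_networks(parse_uci(IPSET_UCI), "cloudflare")

if __name__ == "__main__":
    # Constructed sample sources: one inside a listed range, one unrelated,
    # one inside the prefix that the ipset does not list.
    for src in ("104.16.1.1", "8.8.8.8", "198.41.200.1"):
        print(f"{src:>14}: {'allowed' if is_allowed(src, CLOUDFLARE_SET) else 'dropped'}")
    print("rule prefixes not covered by the ipset:",
          missing_prefixes(RULE_PREFIXES, CLOUDFLARE_SET))
```

Run it as-is to see the three sample verdicts and the uncovered prefix; to check your own router, paste the 'config ipset' section from /etc/config/firewall into IPSET_UCI and the addresses you care about into the sample list.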

Your IP is never "stealth", whatever that means.

Doesn't respond to ICMP pings*
