How can I block all except 1 external IP to a port?


I'm trying whitelist a single external IP for access to a port and reject all others.

This is for voip purposes and has something to do with SIP scanning or something? (I don't know exactly, I just got told to deny all connections to the port unless they were coming from a specific IP.)

I've had a look at the firewall documentation, but I've got pretty much no clue.

At the moment I'm thinking of 2 rules under Firewall > Traffic rules in the luci gui:
Both are tcp and udp

  1. Source zone: wan, Source ip: whitelisted IP, Destination zone: lan, Destination port: 5060, Action accept.
  2. Source zone: wan, Source ip: empty, Destination zone: lan, Destination port: 5060, Action: reject.

I figure that the order of the rules will forward the connection from the whitelisted IP before the second rule can reject it, but I don't know if that's how it will work.

If you have a better way of doing this or know if these rules will work, any help would be appreciated.


The default action on the wan is to drop connections. Therefore, your first rule with the allowed ip is all that is necessary - the second rule is not required.

My impression was that because of the active connection from voip using the port, that it wouldn't drop the connections by default?

who wouldn't drop it ?

the SIP ISP, your SIP bridge, or the router ?

The router

Depends of from where the connection is initiated.

conntrack package might help here.

I've read the thread, and I don't understand enough of the terminology to know how this will help me.

All I'm trying to do is block all incoming wan connections to port 5060 with the exception of what seems to be the external IP of the SIP ISP. I know the IP that needs to be allowed, but I don't how to allow ONLY that IP.

As I mentioned earlier, your first firewall rule is all that is required.

Is there currently a problem? Is it not working as expected?

I've finally had a chance to get back to this, of course the first rule doesn't break anything, but I don't know how to test if I'm protected or not without the second rule.

I was told there would likely be security issues eventually if connections were allowed from anything but the whitelisted IP, so I'm just trying to dot my i's and cross my t's to be sure.

Going reading through a tree of threads from the thread linked by frollic, kmod-nf-nathelper-extra seems to have inherent security issues, but I appear to not need to use it, so I think I'm ok on that front.