Sorry if this is a dumb question, I'm not a network guy.
I'm trying to set up port forwarding using ipsets, so I can restrict connections to the forwarded port behind the router to only certain IPs (allow connections only from one country). I successfully created an ipset with IPs, but what is the proper way to implement it? I think I should use firewall custom rules, as Luci doesn't allow specifying ipsets, but I don't know what the proper iptables rule(s) should look like.
Thanks
I am not sure either about the correct syntax, but you can ignore Luci to some extent. Luci is only a GUI handling the existing firewall config. The actual firewall package (fw3) is the definite one.
Based on the wiki it looks like you can just replace the IP address in a normal forward rule with an ipset declaration. It is also mentioned in a redirect advice.
Thank you @hnyman, you pointed me in the right direction. I was able to create an ipset, then referenced it in /etc/config/firewall and finally created redirect rules.
Thank you again
Every line represents one IP network in CIDR format.
At the end of the file add this:
    sleep 1
    /etc/init.d/firewall restart
This will wait 1 second after creating the ipset and then restart the firewall to allow the reference in iptables to this ipset. If you don't add these two commands, the firewall rules will be created before the ipset exists, as the firewall is initialized before the custom files are executed.
Then I uploaded this file onto the router (/etc/) and made it executable. In the Local Startup configuration in Luci (https://router_ip/cgi-bin/luci/admin/system/startup) I added the path to this file and saved the settings. This way the ipset is recreated after every reboot.
After this I adjusted /etc/config/firewall like this:
    config ipset
        option external 'NameOfTheIpset'
        option match 'src_net'
        option family 'ipv4'
        option storage 'hash'

    config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option ipset 'NameOfTheIpset'
        option proto 'tcp'
        option src_dport 'WanPortNumber'
        option dest_ip 'IpToRedirect'
        option dest_port 'LanPortNumber'
        option name 'Name'
The first config enables the ipset for use in the firewall, the second shows how to use it in a port redirection.
To confirm your ipset is used, type "ipset list", find your ipset (there will be a few other ipsets) and check the "Referenced" attribute. This is the number of times your ipset is used. If you use your ipset in two rules, the number will be 2.
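As an added example (not code from this thread), here is a POSIX sh helper for the two steps above: it turns the CIDR list file into `ipset restore` input, dropping malformed lines instead of letting one typo abort the whole load, and reads the reference counter back out of `ipset list` output so a startup script can verify the set is actually wired into the firewall. The set name and file path are placeholders.

```shell
#!/bin/sh
# Added example (not from the forum thread): turn a text file of IPv4 CIDR
# networks (one per line) into `ipset restore` input, and read back the
# "References:" counter from `ipset list` output. Set name is a placeholder.
SET_NAME="${SET_NAME:-NameOfTheIpset}"

# Return 0 if $1 looks like a.b.c.d/n with octets 0-255 and prefix 0-32.
is_ipv4_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    ip="${1%/*}"; prefix="${1#*/}"
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    oldifs="$IFS"; IFS=.; set -- $ip; IFS="$oldifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Emit restore-format lines for the file named in $1. Blank and '#' lines are
# skipped; malformed lines are reported on stderr instead of aborting the load.
cidr_to_restore() {
    printf 'create %s hash:net family inet\n' "$SET_NAME"
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        if is_ipv4_cidr "$line"; then
            printf 'add %s %s\n' "$SET_NAME" "$line"
        else
            printf 'skipping invalid entry: %s\n' "$line" >&2
        fi
    done < "$1"
}

# Print the "References:" value from `ipset list NAME` output read on stdin:
# how many firewall rules use the set. 0 means fw3 never attached it, typically
# because the set did not exist yet when the firewall started.
references_from_list() {
    sed -n 's/^References:[[:space:]]*//p'
}

# Constructed sample list, including lines that must be skipped.
sample_cidr_file() {
    f=$(mktemp)
    printf '# constructed sample\n10.0.0.0/8\n\n192.168.1.0/24\n300.1.1.1/24\n10.0.0.1\n' > "$f"
    echo "$f"
}
```

In the startup script, `cidr_to_restore /etc/allowed.txt | ipset restore` replaces the hand-written add lines, and `ipset list NameOfTheIpset | references_from_list` should print a non-zero number after the firewall restart.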