Specify multiple source IP ranges for port forwardings

The port forwards themselves can only match a single IP(-range). I'd prefer not to create 20 duplicate rules to implement this.

So I thought I'd just create an unrestricted port forward and add restrictions using traffic rules. Unfortunately, fw4's nftables rules accept all forwarded traffic using ct status dnat accept and I don't see any way to disable that behavior.

I also don't see a way to create negated traffic rules like "if IP != X: drop".

Do you see any way to create this seemingly trivial configuration?

You could use a list:

Hope this helps.


Yes, that works great, thx. I created a list of negated CIDR IPs in the traffic rule. Meaning all of those IPs are apparently ANDed together.
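A worked /etc/config/firewall fragment following the approach described in the reply above (an unrestricted port forward plus a traffic rule whose src_ip list consists only of negated ranges). This is an added example, not configuration posted in the thread; the zone names, the LAN host, the ports and the RFC 5737 source ranges are constructed placeholders.

```uci
# /etc/config/firewall (fragment) - constructed example, not from the thread.

# The port forward itself stays unrestricted: any WAN source is DNATed
# to the LAN host. Source filtering is done by the rule below instead.
config redirect
	option name 'fwd-example-https'
	option target 'DNAT'
	option src 'wan'
	option src_dport '8443'
	option dest 'lan'
	option dest_ip '192.168.1.10'
	option dest_port '443'
	option proto 'tcp'

# Every list src_ip entry is negated, so the rule matches only when the
# source address is outside ALL of the listed ranges (the negated entries
# are ANDed together, as observed in the thread), and that traffic is
# dropped. Sources inside any listed range do not match and reach the
# forward normally.
# The forward chain sees the packet after DNAT, so match on the LAN host
# and the internal port, not on the public port 8443.
config rule
	option name 'drop-fwd-https-unlisted-src'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option dest_ip '192.168.1.10'
	option dest_port '443'
	list src_ip '!192.0.2.0/24'
	list src_ip '!198.51.100.0/24'
	list src_ip '!203.0.113.64/26'
	option target 'DROP'
```

After /etc/init.d/firewall restart, fw4 print shows the generated nftables ruleset, so the negated source set and its position relative to the port-forward accept can be checked rather than assumed.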

