I have forwarded a port and I want to allow a connection to this port from only a single external IP address, which I specified in the iptables rules, but my rules appear to not work.
I tried the following two kinds of "formatting" for these rules:
But apparently any IP can connect to that port with both of these rules...
What am I doing wrong? I've tried these rules in the cloud and they seem to have worked there.
The rewritting of the destination IP takes place in prerouting, so blocking in input has no sense.
This redirect does exactly what you want.
uci add firewall redirect
uci add_list firewall.@redirect[-1].proto='tcp'
uci set firewall.@redirect[-1].src_dport='1234'
uci set firewall.@redirect[-1].dest_ip='10.0.2.3'
uci set firewall.@redirect[-1].dest_port='1234'
uci set firewall.@redirect[-1].src='wan'
uci set firewall.@redirect[-1].name='test'
uci set firewall.@redirect[-1].src_ip='123.123.123.123'
uci set firewall.@redirect[-1].target='DNAT'
uci set firewall.@redirect[-1].reflection='0'
uci set firewall.@redirect[-1].dest='lan'
uci commit firewall
service firewall restart
Not sure what the slash means...but '!' means does-not-equal. That could have been your issue.
I've seen this in some script encoding before to denote "don't process as syntax", but this is invalid in a iptables rule, as the full command is the syntax.
In any case, it's better to reduce your iptables commands to UCI syntax.
If you write it in the firewall config, then you can add an option disabled to shut the forwarding down, or remove the source condition to allow connection from any IP, or whatever you're trying to modify.
Direct iptables rules should not be needed if the firewall script can do the same thing.