What am I doing wrong here with my firewall rules here?

I have forwarded a port and I want to allow a connection to this port from only a single external IP address, which I specified in the iptables rules, but my rules appear to not work.

I tried the following two kinds of "formatting" for these rules:

iptables -I INPUT \! --src <IPhere> -m tcp -p tcp --dport <porthere> -j DROP
iptables -t nat -I INPUT \! --src <IPhere> -m tcp -p tcp --dport <porthere> -j DROP

But apparently any IP can connect to that port with both of these rules...
What am I doing wrong? I've tried these rules in the cloud and they seem to have worked there.

Help is much appreciated.

The rewritting of the destination IP takes place in prerouting, so blocking in input has no sense.
This redirect does exactly what you want.

uci add firewall redirect
uci add_list firewall.@redirect[-1].proto='tcp'
uci set firewall.@redirect[-1].src_dport='1234'
uci set firewall.@redirect[-1].dest_ip=''
uci set firewall.@redirect[-1].dest_port='1234'
uci set firewall.@redirect[-1].src='wan'
uci set firewall.@redirect[-1].name='test'
uci set firewall.@redirect[-1].src_ip=''
uci set firewall.@redirect[-1].target='DNAT'
uci set firewall.@redirect[-1].reflection='0'
uci set firewall.@redirect[-1].dest='lan'
uci commit firewall
service firewall restart

Change the IPs and ports and apply it.


Not sure what the slash means...but '!' means does-not-equal. That could have been your issue.

I've seen this in some script encoding before to denote "don't process as syntax", but this is invalid in a iptables rule, as the full command is the syntax.

In any case, it's better to reduce your iptables commands to UCI syntax.

1 Like

\ is probably an escape character? I'm not sure tho, I have this rule saved in a text file from previous experimentation and it used to work.

Thank you for your answer. Is there a more maintainable version of this? a.k.a. something that you can easily turn on and off and modify and etc?

If you write it in the firewall config, then you can add an option disabled to shut the forwarding down, or remove the source condition to allow connection from any IP, or whatever you're trying to modify.

Direct iptables rules should not be needed if the firewall script can do the same thing.


This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.