Hey Guys & Gals,

I have a need to source IP limit a 1-to-1 port NAT rule and was wondering how to go about it.
I have the rule built in the GUI - there is only one port/rule in play. I assume I have to have something in the GUI to build the Public IP bind. The rule works fine - the port/IP is available publicly as expected. What I would like to do is add a Custom rule to limit which public/source IPs can access this. Any help much appreciated:

0 0 DNAT udp -- * * 0.0.0.0/0 97.<sn.ip>.195 udp dpt:31199 to:10.103.1.3
0 0 SNAT udp -- * * 10.103.1.0/24 10.103.1.3 udp dpt:31199 to:10.103.1.254

0 0 ACCEPT icmp -- ens161 * 0.0.0.0/0 10.103.1.3 icmptype 0
0 0 ACCEPT icmp -- ens161 * 0.0.0.0/0 10.103.1.3 icmptype 3
0 0 ACCEPT icmp -- ens161 * 0.0.0.0/0 10.103.1.3 icmptype 8
0 0 ACCEPT icmp -- ens161 * 0.0.0.0/0 10.103.1.3 icmptype 11
0 0 DROP icmp -- ens161 * 0.0.0.0/0 10.103.1.3
14M 13G ACCEPT udp -- ens161 * 0.0.0.0/0 10.103.1.3 udp dpt:31199

Cheers!

Jim
Friday, August 25 2017, 03:34 PM

Accepted Answer

Sunday, August 27 2017, 07:19 AM - #Permalink
Hi Jim,
A couple of things come to mind using the custom firewall. Both use the fact that custom firewall rules get applied after 1-to-1 NAT and any other webconfig-based firewall rules, so the idea would be to add a very similar rule to the PREROUTING or FORWARD chain with a "! -s your-wanted-source-ip" and drop all matching packets. This won't work in the PREROUTING chain as you cannot DROP, but you can redirect to a non-existent IP. So try something like this at the command line:
iptables -I PREROUTING -t nat ! -s your_wanted_source_ip -d your_WAN_IP -p udp --dport 31199 -j SNAT --to-destination your_black_hole_ip
For your black hole IP either use your LAN IP but make the last number a 0, or use an IP address in a completely different subnet. Alternatively, use the FORWARD chain:
iptables -I FORWARD -i ens161 ! -s your_wanted_source_ip -d 10.103.1.3 -p udp --dport 31199 -j DROP


Please try the rule at the command line first to see if there are errors. I may have my syntax a bit wrong, but I am away and can't easily test. If it works, put it in the custom firewall module, but change "iptables" to "$IPTABLES".
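An added audit check (example code, not from the thread): it parses an iptables -nvL FORWARD listing like Jim's and reports port forwards that ACCEPT from 0.0.0.0/0 without a preceding negated-source DROP of the kind Nick's second rule adds. The sample chains are constructed from the listing above; 203.0.113.7 is an assumed stand-in for the wanted source IP.

```python
"""Audit an iptables -nvL FORWARD listing for port forwards open to any source.

Added example, not from the forum thread. BEFORE is built from the FORWARD
lines in the question; AFTER has the answer's DROP rule inserted at the top.
iptables -nvL prints a negated source as '!addr' in the source column.
"""
from dataclasses import dataclass
from typing import List, Optional

BEFORE = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in  out source    destination
    0     0 ACCEPT icmp -- ens161 * 0.0.0.0/0 10.103.1.3 icmptype 8
    0     0 DROP   icmp -- ens161 * 0.0.0.0/0 10.103.1.3
  14M   13G ACCEPT udp  -- ens161 * 0.0.0.0/0 10.103.1.3 udp dpt:31199
"""
# Constructed: the FORWARD-chain DROP rule from the answer, 203.0.113.7 assumed
AFTER = BEFORE.replace(" pkts bytes", "    0     0 DROP   udp  -- ens161 * "
                       "!203.0.113.7 10.103.1.3 udp dpt:31199\n pkts bytes", 1)

@dataclass
class Rule:
    target: str
    proto: str
    src: str
    dst: str
    extra: str  # match options as printed, e.g. "udp dpt:31199"

def parse_rule(line: str) -> Optional[Rule]:
    # -nvL columns: pkts bytes target prot opt in out source destination [options]
    f = line.split()
    if len(f) < 9 or not f[0][0].isdigit():
        return None  # chain header, column header or blank line
    return Rule(target=f[2], proto=f[3], src=f[7], dst=f[8], extra=" ".join(f[9:]))

def parse_chain(listing: str) -> List[Rule]:
    return [r for r in map(parse_rule, listing.splitlines()) if r]

def unrestricted_forwards(chain: List[Rule], port: str) -> List[str]:
    """Destinations whose ACCEPT for dport `port` matches 0.0.0.0/0 and is not
    preceded by a DROP with a negated (allow-listed) source for the same dst."""
    dpt = f"dpt:{port}"
    guarded, exposed = set(), []
    for r in chain:  # iptables evaluates top to bottom; first match wins
        if dpt not in r.extra:
            continue
        if r.target == "DROP" and r.src.startswith("!"):
            guarded.add(r.dst)
        elif r.target == "ACCEPT" and r.src == "0.0.0.0/0" and r.dst not in guarded:
            exposed.append(r.dst)
    return exposed

if __name__ == "__main__":
    print("before:", unrestricted_forwards(parse_chain(BEFORE), "31199"))
    print("after: ", unrestricted_forwards(parse_chain(AFTER), "31199"))
```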
Responses (2)
    Monday, August 28 2017, 08:36 PM - #Permalink
    Ah yes. The first rule should have been DNAT and not SNAT.
    Monday, August 28 2017, 07:31 PM - #Permalink
    Hey Nick,

    Thanks so much for the thoughts. Never could get the first rule to work - complained: ip_tables: SNAT target: used from hooks PREROUTING, but only usable from INPUT/POSTROUTING
    The 2nd rule worked like a treat though so thanks!

    Jim