1:1 NAT and filter rules

Hi people.
I’ve created a 1:1 NAT with a port map:

Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=dstnat action=netmap to-addresses=10.0.0.13 dst-address=x.x.x.1 log=no log-prefix="" 

 1    chain=srcnat action=netmap to-addresses=x.x.x.1 src-address=10.0.0.13 log=no log-prefix=""

And it's working without a problem. Is it possible to filter traffic to that map? Block everything and just leave port, let’s say, 80 open?

Yes, to my knowledge it's possible. The only restriction is to put the firewall rules on the forward chain, as you can see on the traffic flow chart for RouterOS 6+. That's where the rules will be hit in the firewall:

http://wiki.mikrotik.com/wiki/Manual:Packet_Flow_v6

NAT doesn’t do anything special; it only changes addresses. You can still do any filtering you like in the forward chain. You just need to remember that the forward chain comes after dstnat has processed the packet, so the destination is no longer x.x.x.1, but 10.0.0.13. And the other way around, the source is 10.0.0.13, not x.x.x.1; it will be changed to that by srcnat, which occurs after forward.



Thank you both! Worked like a charm.
My error was not changing the destination address in the forward rule to the local one.
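
The forward-chain filtering described in the replies above, written out as an added example that is not part of the original thread. It assumes no other forward rules are in place yet; x.x.x.1 and 10.0.0.13 are the thread's own addresses, and the comment texts are made up for illustration.

```routeros
# Added example, not from the thread. Rules are evaluated top to bottom and
# the first match wins, so keep this order.

/ip firewall filter

# Does NOT match in forward: dstnat has already rewritten the destination,
# so the packet no longer carries x.x.x.1 at this point. This is the mistake
# described in the last post, left here commented out for comparison.
# add chain=forward dst-address=x.x.x.1 protocol=tcp dst-port=80 action=accept

# Let packets of already-accepted connections through (assumption: no such
# rule exists yet in this configuration).
add chain=forward connection-state=established,related action=accept \
    comment="allow replies"

# New connections to the mapped host: only TCP/80, matched on the internal
# address that dstnat translated to.
add chain=forward dst-address=10.0.0.13 protocol=tcp dst-port=80 \
    action=accept comment="1:1 NAT host: http"

# Everything else forwarded to the mapped host is dropped.
add chain=forward dst-address=10.0.0.13 action=drop \
    comment="1:1 NAT host: drop rest"
```

Connections opened by 10.0.0.13 itself keep working, because their reply packets match the established,related rule before the drop. The drop rule also applies to traffic routed from other internal networks to that host, not only to traffic arriving for x.x.x.1.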