Hi,
I have blocked team viewer server:
chain=input action=drop src-address=178.77.120.0/24 log=yes log-prefix=""
How can I allow only one IP address to use teamviewer ?
I don’t think that rule will have any effect. First, the rule is on the input chain, which pertains to connections to your router, not connections to hosts on the LAN. Second, your default rules should already be dropping all external connections to the input chain, unless you have explicitly allowed them.
Also, consider that the default firewall rules will allow an incoming connection (established,related) from that IP range, if an outgoing connection is initiated from a host inside the LAN.
To block team viewer for all but one specific LAN IP, I believe you could:
- Add a filter rule to the forward chain to allow connections to dst-address=178.77.120.0/24 from the src-address of your specific LAN IP, and
- Add a second rule below that to the forward chain to block all connections to dst-address=178.77.120.0/24.
Team Viewer’s knowledge base says team viewer has over 200 servers and are expanding. They won’t publish a list of IPs so you’ll have to update your list via 3rd party sources on a regular basis. TV will prefer port 5938, but fall back on tcp 443 and then tcp 80, so you can’t block by port only.
Your best bet is to use Windows Firewall. You can block all IPs for Team Viewer specifically, then allow only 1 IP. You won’t have the ability to connect by ID anymore, LAN Connections only. I’m not sure if “LAN Connections Only” actually means LAN only, or if you can still connect from externally with port forwarding enabled. ** You must enable LAN connections inside Team Viewer’s options.
This rule didn`t block team viewer. Only when I add team viewer to regexp it block it, but again for all network 
It’s not clear what rule you are referring to when you write “this rule.”
In any case, the rule you wrote (and my response) is based on your assumption that all team viewer servers are on the 178.77.120.0/24 subnet. But, as @van9018 indicated, this may not be the case, and there is no set list of IP addresses, so you cannot easily block by IP address.
Exactly, as @van9018 indicated, there must be a list of IP address.
I managed to block teamviewer by adding regexp in L7protocol, but for all IP address.
I still don’t have solution to allow only one IP address to use teamviewer.
I think I’ve got it…
In Team Viewer options, set “Incoming LAN Connections” to “Accept Exclusively”. Your ID field now shows your IP instead of an ID. Team Viewer is not supposed to connect to Team Viewer servers now. If you don’t trust it, use the L7 to kill *.teamviewer.com dns lookups.
Now you can forward port 5938 TCP to your PC’s IP. From your remote computer, you should be able to specify your public IP in the ID field and connect that way. I just tried this and it works. Now you can put the only whitelisted IP in the NAT rule for source IP. Or use firewall rules for finer control over access.