Banning External IPs from accessing Internal Services?

Hi,
My RouterOS is running as an Internet Access Router for my Masqueraded LAN. I have a webcam on an Internal IP which is accessible from the Internet using NAT port mapping.
I would like to kick / ban certain Internet IPs from abusing the camera by blocking them on the RouterOS Firewall, but I am unable to figure out a rule to catch the traffic. I guess it’s because it’s NAT’d traffic - can anyone suggest a rule to do this?

Regards,

Steve Head
TBI

Steve

You need a drop or reject rule in your Forward chain.

Specify the src-add that you wish to block. For the dst-add use :xx where xx is the port number that the service is running on.

e.g. in-interface=Internet src-address=x.x.x.x dst-address=:6881-6999 protocol=tcp action=drop

will block x.x.x.x from accessing services on ports 6881-6999.

Regards

Andrew
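
An added example, not part of the original posts: the same block written with current RouterOS address-list syntax, which differs from the older `dst-address=:port` form quoted above. The interface name `Internet` is from the thread; the addresses, ports and the list name `cam-banned` are constructed placeholders.

```routeros
# Added example; addresses, ports and the list name are constructed placeholders.
# Port mapping for the camera: WAN tcp/8080 -> 192.168.88.50:80 (assumed values).
/ip firewall nat
add chain=dstnat in-interface=Internet protocol=tcp dst-port=8080 \
    action=dst-nat to-addresses=192.168.88.50 to-ports=80

# Banned sources live in one address list, so a new ban is one entry, not a new rule.
/ip firewall address-list
add list=cam-banned address=203.0.113.45 comment="constructed example"
add list=cam-banned address=198.51.100.0/24 comment="constructed example"

# dst-nat is applied before the forward chain, so the filter rule matches the
# translated destination (internal IP and port), not the public port.
# Place this rule above any forward rule that accepts the camera traffic.
/ip firewall filter
add chain=forward in-interface=Internet src-address-list=cam-banned \
    protocol=tcp dst-address=192.168.88.50 dst-port=80 action=drop \
    comment="block banned sources from the camera"
```

The rule's packet counter in `/ip firewall filter print stats` shows whether banned traffic is actually hitting it.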

Many thanks Andrew, that’s worked a treat.

Steve Head
TBI