Firewall rules

StarSaber · December 16, 2016, 7:30am

i need some help to.

i have /28 public adresses. all adresses are set to Wan interface, i have net map 1:1 (for example 10.1.1.2 to X.X.X.131, 10.1.1.3 to X.X.X.132 and etc.)

 1    chain=dstnat action=netmap to-addresses=10.1.1.2 dst-address=X.X.X.131>
      log=no log-prefix="" 

 2    chain=srcnat action=netmap to-addresses=X.X.X.131 src-address=10.1.1.2.>
      log=yes log-prefix=""

and i want to “open” particular tcp ports from outside and block all other incoming traffic.

but when i add rule in firewall for example:

1    chain=input action=drop protocol=icmp dst-address=X.X.X.131 log=no log-prefix=""

it doesnt match incoming ping packets from outside. and im bit confused.

Rudios · December 20, 2016, 6:12am

That is because the dst-nat rule is carried out before the filter rule is applied, and after the dst-nat rule is applied your dst-address is not your public IP anymore but the 10.x.y.z. address.
Also you have to handle the filter rules on your forward chain instead of your input because of this dst-address.