How do I port forward and limit connections to specific IPs

gerakon · May 24, 2014, 6:47am

I have a camera and a couple of other services that I would like to port forward, but would also like to limit external to connections to specific IP addresses (my cell providers IP network).
Can I do the following? Is there a certain order that the add chain options should be specified? Is there a better way to accomplish this?

/ip firewall address-list add address=80.192.0.1-80.223.255.254 list=camerausers
/ip firewall address-list add address=184.184.184.145 list=camerausers


add chain=dstnat dst-address=206.206.206.7 protocol=tcp dst-port=5005 src-address-list=camerausers protocol=tcp dst-port=5005 action=dst-nat to-addresses=172.16.14.10 to-ports=5005
add chain=dstnat dst-address=206.206.206.7 protocol=tcp dst-port=5000 src-address-list=camerausers protocol=tcp dst-port=5000 action=dst-nat to-addresses=172.16.14.10 to-ports=5000
add chain=dstnat dst-address=206.206.206.7 protocol=tcp dst-port=21 src-address-list=camerausers protocol=tcp dst-port=21 action=dst-nat to-addresses=172.16.14.10 to-ports=21

j7n · May 28, 2014, 11:44am

This should work just fine to limit the availability of these servers to specific src-addresses. Any NAT rule can have src-address or src-address-list added to it if needed. I have used it to limit access to a SMB share. You can even have different servers for different source IPs on the same port.

The order of dst-nats would matter if you had two or more matching the same address:port. Then I would put the more restrictive (with a src-address) before a less restrictive (any src-address).

gerakon · June 13, 2014, 3:45pm

Thank you for the reply. Sorry I didn’t get a chance to try it sooner, but it doesn’t seem to work.

[admin@PKRB2011] > add chain=dstnat dst-address=206.206.206.7 protocol=tcp dst-port=5005 src-address-list=camerausers protocol=tcp dst-port=5005 action=dst-nat to-addresses=172.16.14.10 to-ports=5005
syntax error (line 1 column 44)
[admin@PKRB2011] > add chain=dstnat dst-address=206.206.206.7 protocol=tcp dst-port=5000 src-address-list=camerausers protocol=tcp dst-port=5000 action=dst-nat to-addresses=172.16.14.10 to-ports=5000
syntax error (line 1 column 44)
[admin@PKRB2011] > add chain=dstnat dst-address=206.206.206.7 protocol=tcp dst-port=21 src-address-list=camerausers protocol=tcp dst-port=21 action=dst-nat to-addresses=172.16.14.10 to-ports=21
syntax error (line 1 column 44)

In this error message, it highlights the equals sign in the dst-address section in red. I assume that’s where there’s a syntax problem?
I reviewed some of my regular port forward rules that don’t have the external limited ip access and noticed that they had "add action=dst-nat at the beginning so I tried that as well, but the result was the same. Does anyone have any thoughts what I’m doing wrong?
Thanks

add action=dst-nat chain=dstnat dst-address=206.206.206.7 dst-port=465 protocol=tcp to-addresses=172.16.14.3 to-ports=465