How to apply an ACL for a DSTNAT

Hi All.

I had a hunt through previous queries and wasn't able to find the answer. I'm trying to work out how to restrict access to a DSTNAT I've set up. Ideally I want to publish a service to a public IP (TCP/8080), however I want to restrict who can access this NAT.

I've created the NAT as per below, however I'm not sure how to restrict access to this NAT to a source list.

/ip firewall nat
add action=dst-nat chain=dstnat comment="Unifi TCP/8080 from xxxx" dst-address=x.x.x.x dst-port=8080 in-interface=ether1 log=yes log-prefix=NAT-Unifi-8080 protocol=tcp to-addresses=x.x.x.x to-ports=8080

Should I just be creating a normal FW rule with the NAT public as the destination address, and using a source address list to filter the NAT traffic?

Appreciate any feedback. I've been testing all morning and can't get any hits on the FW rules, and all the checks I'm doing seem to be showing the port is publicly open externally.

Thanks
Ryan

Simply add src-address-list= directly to dstnat rule. It would be possible to do it using firewall filter too, but why allow something through dstnat, when you’re going to block it right away after that.

If you want to know why you failed with filter, you’d have to use dst-address=, because filter is after dstnat, so it doesn’t see original destination address (your public address) anymore.

Thanks for the feedback Sob. I tried adding the source list statement on the NAT originally and none of the devices would connect. I'm obviously doing something wrong, I'll go back and reassess what I'm doing wrong.

Thanks

/ip firewall nat
add action=dst-nat chain=dstnat comment="Unifi TCP/8080 from xxxx" dst-address=y.y.y.y src-address-list="something you made up in your address list (aka list of x.x.x.x)" dst-port=8080 in-interface=ether1 log=yes log-prefix=NAT-Unifi-8080 protocol=tcp to-addresses=z.z.z.z to-ports=8080

I see "Unifi" in the FW rule; make sure you patched it for Log4j whenever you expose something like that. At least it is a good start to filter already based on source IP (which you should try to do as much as possible).

https://community.ui.com/releases/UniFi-Network-Application-6-5-54/d717f241-48bb-4979-8b10-99db36ddabe1

Sob is correct (it happens..). The source address list is the way to go for two reasons:

  1. You maintain an authorized list of users.
  2. The port is invisible on scans (without a source address list it is visible on scans and appears closed).

Further, there is no reason why folks cannot give you either
a. their fixed WAN IP address to put into the firewall address list you make, OR
b. the DynDNS URL (domain-type name) for their dynamic WAN IP scenario. *******

******* There are many places providing FREE DynDNS URLs for them to get. When you put their DynDNS URL in the firewall address list, the MT router will resolve it to an IP address for you.

However, the best thing for you to do is show us the complete config, as it sounds like there are possibly other issues.
/export hide-sensitive file=anynameyouwish
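Putting Sob's point (the list goes on the dstnat rule itself) and the address-list advice above together, here is a complete worked configuration. It is an added example, not the OP's config or a MikroTik-provided snippet, and every address in it is a placeholder: 203.0.113.10 stands for the public IP on ether1, 192.168.1.20 for the internal Unifi host, 198.51.100.5 for a client with a fixed WAN IP, and client.example-dyndns.net for a client's DynDNS name.

```routeros
# Added example (not from the thread). All addresses and names are placeholders.

# 1. The allow-list. A fixed WAN IP and a DynDNS name can sit in the same list;
#    RouterOS resolves the name itself and keeps the entry updated.
/ip firewall address-list
add list=unifi-allowed address=198.51.100.5 comment="client with fixed WAN IP"
add list=unifi-allowed address=client.example-dyndns.net comment="client on a dynamic WAN IP (DynDNS name)"

# 2. The dst-nat rule, restricted at the NAT stage. Sources not on the list are never
#    translated, so the port appears closed to them (and to scanners).
/ip firewall nat
add chain=dstnat action=dst-nat in-interface=ether1 protocol=tcp \
    dst-address=203.0.113.10 dst-port=8080 src-address-list=unifi-allowed \
    to-addresses=192.168.1.20 to-ports=8080 \
    log=yes log-prefix=NAT-Unifi-8080 comment="Unifi TCP/8080, allow-listed sources only"

# 3. Optional second layer in the forward chain. Note dst-address is the TRANSLATED
#    internal address: filter runs after dstnat, so the public address is no longer visible here.
#    This only matters if the NAT rule is ever loosened; with step 2 in place unlisted sources
#    never reach the forward chain for this service.
/ip firewall filter
add chain=forward action=accept in-interface=ether1 protocol=tcp \
    dst-address=192.168.1.20 dst-port=8080 src-address-list=unifi-allowed \
    comment="allow-listed clients to Unifi"
add chain=forward action=drop in-interface=ether1 protocol=tcp \
    dst-address=192.168.1.20 dst-port=8080 \
    log=yes log-prefix=DROP-Unifi-8080 comment="log and drop any other source to the Unifi port"
```

The log-prefix values give you something to grep for in /log: NAT-Unifi-8080 hits confirm a listed client was translated, while an absence of hits from a client you expected to work usually means its address (or its DynDNS name's current resolution) is not in the list. Place the filter rules above any general drop in the forward chain, and check `/ip firewall address-list print` to confirm the DynDNS entry has resolved.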