I might be spoiled in hoping for this but is there a WinBox GUI method of making an Address List to only allow certain IPs or IP ranges from incoming connections and drop the rest?
I think this will be the easiest method to secure an Asterisk deployment, please correct me if I am wrong.
Example: ether1 - iNET. ether6 - LAN.
Probably. You’re a little shy on details.
Let’s say we have a router with a public IP of 1.1.1.1 and a server behind it at 10.0.0.10. We port forward tcp/80 to that server:
/ip firewall nat
add chain=dstnat dst-address=1.1.1.1 protocol=tcp dst-port=80 action=dst-nat to-addresses=10.0.0.10
Now we want to allow only 2.2.2.0/24 and 3.3.3.0/24 to access that server.
/ip firewall address-list
add list=web-server-access address=2.2.2.0/24
add list=web-server-access address=3.3.3.0/24
/ip firewall filter
add chain=forward src-address-list=web-server-access dst-address=10.0.0.10 protocol=tcp dst-port=80 action=accept
add chain=forward dst-address=10.0.0.10 protocol=tcp dst-port=80 action=drop
The GUI and CLI are very similar. To add an address list like that go to IP > Firewall > Address Lists, click the + button to add, and fill out the List and Address fields appropriately. The GUI is an extraordinarily poor way to communicate settings through this forum, though.
You can also put source restrictions directly on the NAT rule:
/ip firewall address-list
add list=web-server-access address=2.2.2.0/24
add list=web-server-access address=3.3.3.0/24
/ip firewall nat
add chain=dstnat dst-address=1.1.1.1 protocol=tcp dst-port=80 action=dst-nat to-addresses=10.0.0.10 src-address-list=web-server-access
This is also useful because you can have the same external port forward to different internal servers based on the source IP connecting.
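Applying the same address-list pattern to the Asterisk case from the original question, as an added example that is not from either post in this thread. The public address, the Asterisk server address, the interface name and the RTP port range are assumptions (constructed placeholders); the syntax is the same address-list, dstnat and forward-chain rules the answer above uses.

```routeros
# Added example (not from the original thread): lock an Asterisk box down
# to a few known SIP peers using an address list. All addresses, interface
# names and the RTP port range are constructed placeholders; adjust them.
#
# Assumptions: the public address on ether1 is 1.1.1.1, the Asterisk server
# is at 10.0.0.20 on the LAN side, SIP signalling is UDP/5060 and Asterisk
# is configured to use UDP 10000-20000 for RTP media.

# 1. The peers that are allowed to reach Asterisk (e.g. a SIP trunk provider
#    and a remote office). Everything else is dropped by rule 4 below.
/ip firewall address-list
add list=sip-peers address=2.2.2.0/24 comment="SIP trunk provider (placeholder)"
add list=sip-peers address=3.3.3.3 comment="remote office (placeholder)"

# 2. Port-forward SIP and RTP to the Asterisk server. Restricting the NAT
#    rules with src-address-list means unknown sources are never translated
#    at all; the forward-chain rules below are a second, independent layer.
/ip firewall nat
add chain=dstnat in-interface=ether1 dst-address=1.1.1.1 protocol=udp dst-port=5060 \
    src-address-list=sip-peers action=dst-nat to-addresses=10.0.0.20 \
    comment="SIP signalling to Asterisk"
add chain=dstnat in-interface=ether1 dst-address=1.1.1.1 protocol=udp dst-port=10000-20000 \
    src-address-list=sip-peers action=dst-nat to-addresses=10.0.0.20 \
    comment="RTP media to Asterisk"

# 3. Allow the listed peers through the forward chain...
/ip firewall filter
add chain=forward src-address-list=sip-peers dst-address=10.0.0.20 protocol=udp \
    dst-port=5060,10000-20000 action=accept comment="allow SIP peers to Asterisk"

# 4. ...and log-then-drop anything else aimed at the Asterisk ports, so
#    registration scanners show up in the router log rather than at the PBX.
add chain=forward dst-address=10.0.0.20 protocol=udp dst-port=5060,10000-20000 \
    action=drop log=yes log-prefix="sip-blocked" comment="drop everyone else"
```

Two things to check after pasting this in: filter rules are evaluated top to bottom, so the accept/drop pair must sit above any broad forward-chain accept rule (drag them in WinBox, or use place-before= on the add command), and the src-address-list on the dstnat rules is the part that matters most, because a source that is never translated never reaches the forward chain with the internal address as its destination.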