I have an RDS server my customers connect to on the standard port, but I get so many scans and brute-force attacks on it that I added add-src-to-address-list rules and then block too many login attempts:
add action=drop chain=forward disabled=yes \
dst-port=3389 log-prefix=RDP protocol=tcp src-address-list=rdp_ssh_blacklist
add action=add-src-to-address-list address-list=rdp_ssh_blacklist address-list-timeout=0s chain=forward connection-state=new disabled=yes dst-port=3389 protocol=tcp \
src-address-list=rdp_ssh_stage5
add action=add-src-to-address-list address-list=rdp_ssh_stage5 address-list-timeout=5m chain=forward connection-state=new disabled=yes dst-port=3389 protocol=tcp \
src-address-list=rdp_ssh_stage4
add action=add-src-to-address-list address-list=rdp_ssh_stage4 address-list-timeout=5m chain=forward connection-state=new disabled=yes dst-port=3389 protocol=tcp \
src-address-list=rdp_ssh_stage3
add action=add-src-to-address-list address-list=rdp_ssh_stage3 address-list-timeout=5m chain=forward connection-state=new disabled=yes dst-port=3389 protocol=tcp \
src-address-list=rdp_ssh_stage2
add action=add-src-to-address-list address-list=rdp_ssh_stage2 address-list-timeout=5m chain=forward connection-state=new disabled=yes dst-port=3389 protocol=tcp \
src-address-list=rdp_ssh_stage1
add action=add-src-to-address-list address-list=rdp_ssh_stage1 address-list-timeout=5m chain=forward connection-state=new disabled=yes dst-port=3389 protocol=tcp
but my known customers very often get added to this list; they call me saying "I can't connect" and I have to remove them from rdp_ssh_blacklist. I don't want to do this every day.
So I am thinking of configuring this RDS server on a non-standard port. I don't have any INPUT rules regarding the RDS connection and this has worked with no problems, only FORWARD rules.
So should I just remove 3389 from my DST-NAT rule and enter port 3345, and will this be enough?
add action=dst-nat chain=dstnat comment=RDP dst-address=WAN_IP dst-port=3345 log=yes log-prefix=RDP protocol=tcp to-addresses=10.1.0.204 to-ports=3389
My firewall forward rule for DST-NAT is the standard one:
add action=accept chain=forward comment="allow DST-NAT " connection-nat-state=dstnat log-prefix=DST-NAT src-address-list=!rdp_ssh_blacklist
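An added example, not part of the original post, showing how the staged address-list rules above can be kept after moving the public port, with a trusted-customer list so known sources never reach the blacklist. It assumes the WAN address WAN_IP and the RDS host 10.1.0.204 from the post, a public port of 3345, a constructed customer address 203.0.113.10 in a hypothetical list named rdp_customers, and a finite blacklist timeout of 1d instead of the permanent 0s. Because dst-nat runs in prerouting, the forward chain already sees the translated dst-port=3389, so the staging rules keep matching on 3389 unchanged; the example uses three stages instead of five for brevity, and keeps the order highest stage first so one connection cannot walk through every stage at once:

```routeros
# Added example (not from the original post). Assumes: WAN_IP and 10.1.0.204 from the post,
# public port 3345, a hypothetical "rdp_customers" list with a constructed address,
# and a 1d blacklist timeout instead of a permanent (0s) entry.

/ip firewall address-list
add list=rdp_customers address=203.0.113.10 comment="customer A (constructed example address)"

/ip firewall nat
# Only the public port changes; the server still listens on 3389.
add chain=dstnat action=dst-nat protocol=tcp dst-address=WAN_IP dst-port=3345 \
    to-addresses=10.1.0.204 to-ports=3389 comment="RDP on non-standard public port"

/ip firewall filter
# 1. Drop already-blacklisted sources first. dst-nat ran in prerouting, so the
#    forward chain sees dst-port=3389, not 3345.
add chain=forward action=drop protocol=tcp dst-port=3389 \
    src-address-list=rdp_ssh_blacklist log=yes log-prefix=RDP-drop
# 2. Trusted customers are accepted here and never enter the staging lists.
add chain=forward action=accept protocol=tcp dst-port=3389 connection-state=new \
    src-address-list=rdp_customers comment="trusted customers bypass staging"
# 3. Staging (highest stage first). add-src-to-address-list is a passthrough action,
#    so the packet continues to the accept rule below; a source that opens a new
#    connection again within 5m is promoted one stage, stage3 sends it to the blacklist.
add chain=forward action=add-src-to-address-list address-list=rdp_ssh_blacklist \
    address-list-timeout=1d protocol=tcp dst-port=3389 connection-state=new \
    src-address-list=rdp_ssh_stage3
add chain=forward action=add-src-to-address-list address-list=rdp_ssh_stage3 \
    address-list-timeout=5m protocol=tcp dst-port=3389 connection-state=new \
    src-address-list=rdp_ssh_stage2
add chain=forward action=add-src-to-address-list address-list=rdp_ssh_stage2 \
    address-list-timeout=5m protocol=tcp dst-port=3389 connection-state=new \
    src-address-list=rdp_ssh_stage1
add chain=forward action=add-src-to-address-list address-list=rdp_ssh_stage1 \
    address-list-timeout=5m protocol=tcp dst-port=3389 connection-state=new
# 4. Accept the NAT'd RDP traffic; blacklisted sources were already dropped in rule 1.
add chain=forward action=accept connection-nat-state=dstnat comment="allow DST-NAT"
```

The finite blacklist timeout means a legitimate source that trips the stages (for instance a customer's broken client reconnecting in a loop) clears itself after a day instead of waiting for a manual removal, while the rdp_customers list keeps known sources out of the counters entirely. Changing the public port reduces noise from scanners that only probe 3389; it does not replace the staging rules, which still apply to anything that finds the new port.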