mi0tx
just joined
Topic Author
Posts: 9
Joined: Thu Dec 10, 2015 7:06 am

Port Forwarding from Certain IPs only

Sat May 06, 2017 8:23 pm

Hello All!

I have Port Forwarding on port 80 enabled and it's working fine, but I want to restrict it to allow from certain external IPs only, and I need some help getting it to work. Here is my current setup:

Any help would be greatly appreciated!!

WAN: Ether1
LAN: Ether 3
Port Forwarding Device IP on Ether 3: 10.30.200.100
External IP list= AllowList

/ip firewall address-list
add address=69.199.199.199 list=AllowList
add address=69.199.199.198 list=AllowList

/ip firewall filter
add action=accept chain=forward comment="Port Forward 80" dst-address=\
10.30.200.100 dst-address-list=AllowList dst-port=80 protocol=tcp

/ip firewall nat
add action=dst-nat chain=dstnat comment="Port Forward 80" dst-address-list=\
AllowList dst-port=80 in-interface=ether1 protocol=tcp to-addresses=\
10.30.200.100 to-ports=80
 
almdandi
Frequent Visitor
Posts: 64
Joined: Sun May 03, 2015 5:22 pm

Re: Port Forwarding from Certain IPs only

Sun May 07, 2017 2:57 pm

Hello mi0tx

Try this. The first rule will allow all connections on your WAN port for which you have a dst-nat rule defined. This way of filtering your port forwardings is much more scalable, because you need only one rule for all your port forwardings. The second rule is the destination NAT rule. Your mistake was to put the AllowList address list into the dst-address-list field instead of the src-address-list field.
;;; Allows all new connections on the WAN port with a defined port forwarding
/ip firewall filter
add chain=forward action=accept connection-state=new connection-nat-state=dstnat in-interface=ether1

;;; Port forwarding 
/ip firewall nat
add action=dst-nat chain=dstnat comment="Port Forward 80" src-address-list=AllowList dst-port=80 in-interface=ether1 protocol=tcp to-addresses=10.30.200.100
 
mi0tx
just joined
Topic Author
Posts: 9
Joined: Thu Dec 10, 2015 7:06 am

Re: Port Forwarding from Certain IPs only

Tue May 09, 2017 1:57 am

Thank you almdandi!!!
 
gu1113
just joined
Posts: 2
Joined: Wed Dec 20, 2017 7:35 pm

Re: Port Forwarding from Certain IPs only

Wed May 06, 2020 1:57 am

Hi, this post was very helpful for me with a problem I was in. I didn't make the filter rule so I could NAT the desired connections, so my question is:

why is the filter rule needed?

Thanks!
 
anav
Forum Guru
Posts: 19125
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Port Forwarding from Certain IPs only

Wed May 06, 2020 5:14 am

Hi Gut,
Traffic being forwarded in this case from the internet to the server has to pass through the firewall.
A filter rule tells the router how to handle that traffic.
Normally, or more accurately when using the default rules, this case is already covered by the following rule:

add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface=ether1

In plain English: drop all traffic from the WAN (unsolicited traffic) except traffic coming in through the WAN port that matches a destination NAT rule, meaning it is coming in on a port that is identified in a destination NAT rule, etc.

Since we don't know your config, the more direct (or clearer) way of stating this (without the use of the ! symbol, which means everything but what follows it) is:
add chain=forward action=accept connection-state=new connection-nat-state=dstnat in-interface=ether1

A kewl thing with destination NAT rules with a source address list: it makes the port not visible on scans.
Without the access list, the port is visible on scans but appears closed.
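The complete, ordered configuration for the pattern almdandi describes, placed where anav's default "drop all from WAN not DSTNATed" rule expects it, as an added example that is not code from the thread. The WAN interface, the server 10.30.200.100 and the two AllowList hosts are taken from the thread; the second forwarded service on 10.30.200.101:443, the 203.0.113.0/24 entry and the rule comments are assumed for illustration.

```routeros
# Added example (not from the thread). Assumed: a second service on
# 10.30.200.101:443 and the 203.0.113.0/24 allow entry; everything else
# (ether1 as WAN, 10.30.200.100:80, the two /32 entries) comes from the thread.

# 1. Allowed external sources. Entries may be single hosts or prefixes.
/ip firewall address-list
add address=69.199.199.199 list=AllowList comment="allowed host A"
add address=69.199.199.198 list=AllowList comment="allowed host B"
add address=203.0.113.0/24 list=AllowList comment="assumed allowed range"

# 2. Destination NAT. The allow-list is matched on the SOURCE of the
#    incoming packet, so only listed sources ever get a dst-nat entry.
#    One NAT rule per forwarded service; the filter side stays a single rule.
/ip firewall nat
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=80 \
    src-address-list=AllowList action=dst-nat to-addresses=10.30.200.100 \
    comment="Port Forward 80"
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=443 \
    src-address-list=AllowList action=dst-nat to-addresses=10.30.200.101 \
    comment="Port Forward 443 (assumed second service)"

# 3. Filter. One accept for every new connection that was dst-natted, placed
#    BEFORE the default drop rule. Filter rules are evaluated top-down, so an
#    accept appended after the drop never fires. If your router has no rule
#    with the defconf comment, omit place-before= and order the rule by hand.
/ip firewall filter
add chain=forward action=accept connection-state=new \
    connection-nat-state=dstnat in-interface=ether1 \
    comment="accept new WAN connections that matched a dst-nat rule" \
    place-before=[find comment="defconf: drop all from WAN not DSTNATed"]

# The default rule that drops everything else arriving unsolicited on the WAN
# (shown for reference; it already exists on a default-configured router):
# add chain=forward action=drop connection-state=new connection-nat-state=!dstnat \
#     in-interface=ether1 comment="defconf: drop all from WAN not DSTNATed"

# 4. Verify. The accept and NAT counters should increase only for sources in
#    AllowList. A source that is not listed never matches dst-nat, so its SYN
#    hits the default drop: the port shows as filtered, not closed, on a scan.
/ip firewall address-list print where list=AllowList
/ip firewall nat print stats where comment~"Port Forward"
/ip firewall filter print stats where comment~"dst-nat"
```

Two details matter in practice: the filter and NAT rules must agree on how the WAN is identified (here in-interface=ether1, as in the thread; a default configuration uses in-interface-list=WAN instead, and mixing the two silently leaves one rule unmatched), and the accept rule must sit above the defconf drop, which is what place-before= guarantees.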
