Code:
add action=accept chain=forward comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid forward" connection-state=invalid
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WANs
Once I set a port forwarding (dst-nat) rule to a LAN machine, this machine is reachable by ANYONE hitting that port from the internet.
What's the correct method to drop any connection from the internet to a dst-natted machine except from the desired external IP address?
Why is there not an ending "drop-all" rule in the forward chain like the one in the input chain?
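The three forward rules quoted above accept any new connection that has already been dst-natted, so restricting the forward to one remote address has to happen either in the NAT rule itself or in a filter rule placed before the implicit "accept". The following RouterOS configuration is an added example, not the poster's own rules or MikroTik's default configuration; the remote address 203.0.113.10, the LAN host 192.168.88.10, the address-list name trusted-remote and TCP port 3389 are constructed values chosen for illustration.

```routeros
# Added example (not from the original post). Addresses and port are constructed placeholders.
# Keep the trusted source(s) in an address list so the rule set does not change when the list does.
/ip firewall address-list
add list=trusted-remote address=203.0.113.10 comment="only remote host allowed to reach the forwarded service"

# Option A: narrow the dst-nat rule itself. Packets from any other source never get dst-natted,
# so the existing "drop all from WAN not DSTNATed" filter rule drops them.
/ip firewall nat
add chain=dstnat in-interface-list=WANs protocol=tcp dst-port=3389 src-address-list=trusted-remote \
    action=dst-nat to-addresses=192.168.88.10 to-ports=3389 comment="forward 3389 only for trusted-remote"

# Option B: keep a broad dst-nat rule and enforce the source restriction in the forward chain.
# Filter rules see the packet after NAT, so dst-address is the LAN host, not the WAN address.
/ip firewall filter
add action=accept chain=forward comment="accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid forward" connection-state=invalid
add action=accept chain=forward comment="trusted-remote may open the forwarded port" \
    connection-nat-state=dstnat connection-state=new in-interface-list=WANs \
    src-address-list=trusted-remote dst-address=192.168.88.10 protocol=tcp dst-port=3389
add action=drop chain=forward comment="drop every other new dst-natted connection from WAN" \
    connection-nat-state=dstnat connection-state=new in-interface-list=WANs
add action=drop chain=forward comment="drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WANs
```

Either option alone is enough; using both means a typo in one rule does not silently expose the host. The reason the default forward chain ends with the "!dstnat from WAN" drop rather than a catch-all drop is that a catch-all would also drop LAN-to-WAN traffic, which the default configuration allows without an explicit accept rule. If a final "drop everything" rule in forward is wanted, it must be preceded by an accept for the LAN interface list (for example in-interface-list=LAN), otherwise outbound connections from the LAN stop working as soon as the rule is added. Testing from an address outside the list (and watching the rule counters or logging on the drop rules) confirms that only the trusted source reaches the forwarded port.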