Set up rules in the IP firewall's forward chain to block or accept whatever addresses you need.
I know that I need to set up a firewall rule, but I don't know how to block that IP from going out to the Internet while at the same time keeping it accessible from the Internet via a port forward, on port 80 for example.
Thanks,
N
Use connection state, src-address, and out-interface as your keys:
/ip firewall filter add chain=forward action=drop src-address=192.168.10.100 out-interface=wan
As long as this rule comes after "accept connection-state=established,related" then you'll be fine because an incoming connection from the WAN will cause the replies from this host to be in the "established" state of the router's connection tracking, so these replies will not reach this new rule.
New connections from the host to the Internet, however, will NOT match the established,related rule, so the packet will continue down the chain until it reaches this rule, where it will be dropped. Since it's your own server, you may want things to fail quickly instead of waiting for a timeout - so you should probably use one of the reject actions instead of a drop.
Furthermore, you would probably be better off matching the src-mac-address of the host instead of its IP address - that way, if the host's address changes, it won't magically get allowed on the Internet.
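The rule order described in the answer above, written out as a RouterOS configuration. This is an added example, not part of the original posts. It assumes the interface name wan and the address 192.168.10.100 from the thread, a placeholder MAC address, and a forward chain that otherwise permits the inbound port-forwarded connection.

```routeros
# Added example; values marked "placeholder" are constructed, not from the thread.

/ip firewall nat
# Port forward from the question: TCP/80 arriving on the WAN goes to the server.
add chain=dstnat in-interface=wan protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=192.168.10.100 to-ports=80 \
    comment="port forward 80 -> server"

/ip firewall filter
# 1. Must come first. Replies from the server to connections that were opened
#    from the Internet are "established" in connection tracking, so they are
#    accepted here and never reach the reject rule below.
add chain=forward connection-state=established,related action=accept \
    comment="allow replies for tracked connections"

# 2. Anything the server sends towards the WAN that is NOT part of a tracked
#    connection is a new outbound connection. Reject it so the server fails
#    fast instead of waiting for a timeout. Matching the MAC address keeps the
#    block in place if the host's IP address changes.
#    00:00:5E:00:53:01 is a placeholder; use the server's real MAC address.
add chain=forward src-mac-address=00:00:5E:00:53:01 out-interface=wan \
    action=reject reject-with=icmp-admin-prohibited \
    comment="no server-initiated Internet access"
```

If the reject rule is placed above the established,related rule, the server's replies to port-forwarded clients are rejected too, so check the order with `/ip firewall filter print` after adding the rules.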