What's new

forward ports only only for a specific external ip address

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

pattox

Regular Contributor
Asus rt-56u running merlin firmware.

I have just set up a voip phone service. The service provider requires ports
5060:5069 (udp) for sip
and 10000:200000 (udp) rtp

When I queried the need and security concern for 10000 ports to be opened I was told I could limit access to these ports from a specific ip address (which they gave me) something like xxx.xxx.x.x/24 -obviously there are numbers where the x's are.

This is unfamiliar territory for me so I would appreciate some help.

For instance what the /24 means.

Also how would I set up an arrangement to allow access to these ports from specific ip address .

I read somewhere that ip tables coould be used.

I also read a post bt Merlin where, if I remember correctly, you can use the DNS filter rules to achieve this.

So what can be done?
 
Asus rt-56u running merlin firmware.
-----This is unfamiliar territory for me so I would appreciate some help.

Having thought about this it seems that this can be done quite simply using ip tables using two rules in sequence,

The first line ---- allow anything from a specific ip address
the second line---- drop everything.

So the "allowed ip" passes through, and any other ip is sent to the second line rule and dropped.

a) does this sound right?
b) since my knowledge of ip tables is almost non existent is there anyone (kind soul) who can help write the script which will run automatically on my Asus router.
 
..... For instance what the /24 means......

I can't help you with iptables or scripts, and if you are asking what /24 means, then you are a lot braver than I, being prepared to mess with iptables. It's easy to get wrong and compromise the security and functioning of your whole network.

As for /24, it's an alternative way of describing the subnet mask, and the subnet mask is how one network can be turned into 2 or more networks.

"A subnetwork or subnet is a logical subdivision of an IP network. The practice of dividing a network into two or more networks is called subnetting."

(The most familiar example of a subnet mask is 255.255.255.0, and that is the mask that corresponds to /24.)

I don't pretend to understand it fully, but one thing I find useful when reading up on it, is to play around with a subnet calculator on the Internet or as an app eg Network Toolkit by Paul Borghese for iOS http://www.artisannetworking.com/toolkit
You can enter a network address eg 192.168.1.0 and then move the slider from /24 higher or lower and watch what happens to the maximum number of hosts on each subnet as well as the subnet addresses themselves and the subnet mask. He also give a couple of worked examples in the Help section of the app. There are 3 tools within the app; it's worth playing with both the network tool and the subnet tool and reading the corresponding Help sections.
 
Last edited:
Thank you. My interest in this topic started when my voip provider gave me a list of 10,000 udp ports which needed to be opened and forwarded to my minitar ata. I found very concerning the need open this insanely large number of ports

My first thought was to at least restrict access to these ports to only the voip provider's ip address. With the Asus router the only way to do this appears to be using ip tables about which I have no knowledge.

A little later I realised that an old netgear adsl/wireless router I had was able to do this ip filtering very simply using the netgear gui. I tried this allowing in only the voip's ip address using the netgear as a gateway for the ata and that seemed to work.

Reading further I came across some posts by RMerlin

http://www.snbforums.com/threads/voip-settings.12312/#post-77698

which suggested that no ports needed to be forwarded -except for the sip passthrough option in the Asus router options.

So I totally removed the port forwards in the Asus. After doing so the voip phone seems to work perfectly behind the firewall with no ports open but sip passthrough enabled.

Even though I no longer need to worry about inbound ip filtering its a shame the Asus makes this option so difficult-in contrast to the old netgear.

Also I now know that /24 means the 255.255.255.0 subset
 

Similar threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top