How can I restrict incoming IP addresses to ports that have been forwarded?

[halpdesk]

I have an NGINX web server running on ports 80 and 443 that I use in conjunction with Cloudflare to externally serve my web applications to my domains/subdomains.

Ideally, I'd like to be able to specify that the following list of Cloudflare IP addresses are the only ones allowed through on those ports:

IP Ranges

This page is intended to be the definitive source of Cloudflare’s current IP ranges.

www.cloudflare.com

Any other IP should receive a drop packet under the assumption that if it isn't originating from Cloudflare, it's probably someone with malicious intentions. I'd like to send a drop packet so no one other than Cloudflare will even realize the ports are open.

When you set up a port forward in Asuswrt, I see the option for source IP - can I enter an IP range in this field? And can I enter multiple ranges, or do I need to create a separate port forwarding rule for each of the Cloud flare IP ranges?

Thanks!

 

[eibgrad]

You can add either a host (199.199.199.199) or network (199.199.199.0/24) in the Source IP field. But you can't add an IP range like you would a port range (e.g., 199.199.199.100:199.199.199.200). Of course, you can create multiple port forwards that differ only by the Source IP.

 

[RMerlin]

Might be simpler to instead implement the ACL at the nginx end of things if you need to manage multiple subnets.

 

[calex]

Might be simpler to instead implement the ACL at the nginx end of things if you need to manage multiple subnets.

Would it be possible to implement via iptables? I have an identical use-case and I would like to know if it is possible to implement this on the router side instead...
I tried to implement this on the INPUT chain...but it did not worked. Later I learned that the INPUT chain is used for traffic terminating on the router.

I also learned that the port-forwarding rules are on the nat table (which makes total sense).

After searching a bit on the forum, I think the right way to do this on the router side is either on the FORWARD or VSERVER chain;
In your wiki @RMerlin you mention the use the VSERVER chain, but on another post you also mention the FORWARD chain for a similar use-case.

In your opinion, what is the recommended approach?

Thank you!

 

[RMerlin]

VSERVER chain will be manipulated whenever port forward rules are changed, while the FORWARD table is really where firewalling is being done.

 

[calex]

VSERVER chain will be manipulated whenever port forward rules are changed, while the FORWARD table is really where firewalling is being done.

So for this particular case, where I only want to allow incoming connections from certain subnets (ie.: cloudflare) the FORWARD chain is more suitable, as it would be evaluated whether or not I'm using the port-forwarding chain (which I assume is directly bound to the GUI port-forwarding page).

In my case I have the port-forwarding for 443 enabled through the GUI, and if I want to implement firewall rules against it, it should be done on the FOWARD chain.

Am I correct?

 

[RMerlin]

So for this particular case, where I only want to allow incoming connections from certain subnets (ie.: cloudflare) the FORWARD chain is more suitable, as it would be evaluated whether or not I'm using the port-forwarding chain (which I assume is directly bound to the GUI port-forwarding page).

In my case I have the port-forwarding for 443 enabled through the GUI, and if I want to implement firewall rules against it, it should be done on the FOWARD chain.

Am I correct?

That would make the most sense, yes.