I need advice for firewall rule?

I think you meant to say "firewall off"?

(But turning the firewall off is a really bad idea.)
Sorry if I confused you, I meant the firewall should be on and DMZ for one PC should be off. (DMZ only works for one PC.)
 
I tested all of your suggestions but they are not working..... The problem is probably different LAN addresses, router IP is 192.168.15.1 and PC IP (IPTV) 192.168.15.100.... I have no idea....
I don't really get what you want to accomplish here... sorry
 
Running an IPTV service on the PC with 192.168.15.100 and that is all.... using port forward 4022 to the IP of the PC....

sent from Kodi 17 Krypton
 
Not an iptables expert...but try this

Enable router firewall and make sure PC is not in DMZ

iptables -I FORWARD -p tcp --dport 4022 -j DROP
iptables -I FORWARD -s address-to-allow -p tcp --dport 4022 -j ACCEPT

Try it for one address first, then if it works, repeat the last line for each address you want to allow (order matters, don't change it).
 
I have the port forwarded to the IP of the PC....
[attached image: 1eAr7Z.png]

Firewall is enabled, in the firewall script I have:
Code:
#!/bin/sh
iptables -I FORWARD -s 193.77.157.89 -p tcp --dport 1244 -j DROP
and still have access to my PC from outside.....very strange.....
 
How do you test if you have access to the PC inside your LAN?
 
Sorry....but I can't follow what you are doing?
You said you are forwarding port 4022, then show a forward rule for port 1244....
You said your IPTV PC is at 192.168.15.100, then show a forward rule for 192.168.1.50....
 
Yes, I changed the IPs and port today..... today it is 192.168.1.50 for the PC, port forward 1244 and router IP 192.168.1.1..... but now I think it is working, I have some space in the rule lines.... :)
It is OK now I think.... the first line drops all IPs to port 1244, the second line accepts one single IP.... thank you....
Code:
#!/bin/sh
iptables -I FORWARD -p tcp --dport 1244 -j DROP
iptables -I FORWARD -s 193.77.157.89 -p tcp --dport 1244 -j ACCEPT
 
Whew....thought maybe I was going crazy :)

Just as an FYI.....since you are inserting (-I) the rules, they actually get executed in the reverse order that you enter them (the second rule goes in above the first). So you are accepting forwards from the address you allow, then dropping everything else going to that port.
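
The insertion-order point from the reply above, as an added example that is not part of the thread: a small model of the FORWARD chain that reads a firewall script and reports which rule a given source and port hits first. The `verdict` helper and the address 198.51.100.7 are hypothetical; it assumes exact `-s` addresses, a single `--dport`, and `-I` without a rule number.

```shell
#!/bin/sh
# Added example: model how a firewall script's -I/-A lines order the FORWARD chain.
# Assumptions: exact -s addresses (no CIDR), single --dport, -I without a rule
# number (insert at top), protocol not checked. verdict() is a hypothetical helper.

# usage: verdict SRC_IP DPORT < firewall-script
# Prints the target of the first rule that matches, or NO-MATCH.
verdict() {
  awk -v src="$1" -v port="$2" '
    $1 == "iptables" && $3 == "FORWARD" && ($2 == "-I" || $2 == "-A") {
      s = "any"; d = "any"; t = "none"
      for (i = 4; i < NF; i++) {
        if ($i == "-s") s = $(i + 1)
        if ($i == "--dport") d = $(i + 1)
        if ($i == "-j") t = $(i + 1)
      }
      n++
      if ($2 == "-I") {            # -I: new rule goes above everything so far
        for (k = n; k > 1; k--) rule[k] = rule[k - 1]
        rule[1] = s " " d " " t
      } else {                     # -A: new rule goes at the bottom
        rule[n] = s " " d " " t
      }
    }
    END {
      for (k = 1; k <= n; k++) {   # first match wins, top to bottom
        split(rule[k], f, " ")
        if ((f[1] == "any" || f[1] == src) && (f[2] == "any" || f[2] == port)) {
          print f[3]; exit
        }
      }
      print "NO-MATCH"
    }'
}

# The two lines from the thread, as inserted (-I) and as they would behave appended (-A).
INSERTED='iptables -I FORWARD -p tcp --dport 1244 -j DROP
iptables -I FORWARD -s 193.77.157.89 -p tcp --dport 1244 -j ACCEPT'
APPENDED=$(printf '%s\n' "$INSERTED" | sed 's/ -I / -A /')

# 198.51.100.7 is a constructed documentation address standing in for "anyone else".
echo "-I allowed: $(printf '%s\n' "$INSERTED" | verdict 193.77.157.89 1244)"
echo "-I other:   $(printf '%s\n' "$INSERTED" | verdict 198.51.100.7 1244)"
echo "-A allowed: $(printf '%s\n' "$APPENDED" | verdict 193.77.157.89 1244)"
```

With the lines appended instead of inserted, the DROP sits above the ACCEPT and the allowed address is dropped too, which is why the order of the two lines must not be changed.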
 