What's new

Network Services Filter for URL instead IP

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Kamikaze01

Regular Contributor
Hello friends of Asus Merlin :)

Just want to ask if there is a way to set a rule for a device to connect only to specific URL in the WAN?

Background:
I want my to allow security cam only to connect to the specific SMTP Server to send alerts.
No other IP or URL should be allowed.
For external access I use VPN, but I want to get eMail alerts... So i have to allow connection to the SMTP Server.

BUT this SMTP Server sometimes changes the IP :( this is why I want to allow the server URL instead the IP.

Is there a way to do so?

:)

Thanks !!
 
It changes the SMTP server? That seems odd. Is it possible it's using a single domain name that's mapped to multiple public IPs? And when that happens, that causes it to change (usually in round-robin fashion)? Because if it does, then you could determine those public IPs using nslookup and create rules on that basis.

IOW, I doubt the choice of public IP can't be pre-determined to the point you need to depend on the URL.

P.S. Of course, you could probably more easily just allow access based on the SMTP destination port using firewall rules (assuming that's consistent), irrespective of the public IP.
 
Thank u @eibgrad for your participation and quick response :)


Let's think my security cam is 192.168.1.2.
The SMTP Port is well known 587.

So how to set the correct firewall rules?

Because this will result in deny of all other clients in my LAN :( everything is offline...
Screenshot_20220308-223551_Chrome.jpg
 
Because this will result in deny of all other clients in my LAN :( everything is offline...

I know. That's why creating an Allow list isn't practical in most cases. You need to add firewall rules for such purposes using a firewall-start script.

Code:
#!/bin/sh

SCRIPTS_DIR='/jffs/scripts'
SCRIPT="$SCRIPTS_DIR/firewall-start"

mkdir -p $SCRIPTS_DIR

create_script() {
cat << 'EOF' > $SCRIPT
#!/bin/sh
iptables -I FORWARD -s 192.168.1.2 -j REJECT
iptables -I FORWARD -s 192.168.1.2 -p tcp --dport 587 -j ACCEPT
EOF
chmod +x $SCRIPT
}

if [ -f $SCRIPT ]; then
    echo "error: $SCRIPT already exists; requires manual installation"
else
    create_script
    echo 'Done.'
fi
:

You need to enable JFFS scripts in Administration > System. Then copy/paste the above into the window of an SSH session and reboot the router. Note, it will NOT overwrite an pre-existing firewall-start script, including itself.
 
You're my man :cool:

That was what I need to know.
Thank u very much !!!
 

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top