NAT port forwarding firewall setting problem

firewall

#1

I want to allow only 192.168.2.132 from outside to access 8080 and drop all other requests.
This 8080 is a port that is forwarded into the intranet, but it does not work with the settings below. Is there something wrong on my side? Please forgive me for asking such a basic question.

# run show interfaces ethernet 
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
eth0             192.168.1.78/24                   u/u  WAN 
eth1             10.0.0.1/24                       u/u  LAN 
[edit]
# show nat 
 destination {
     rule 10 {
         description 192.168.1.78:8080->10.0.0.100:80
         destination {
             address 192.168.1.78
             port 8080
         }
         inbound-interface eth0
         protocol tcp
         translation {
             address 10.0.0.100
             port 80
         }
     }
 }
 source {
     rule 100 {
         outbound-interface eth0
         source {
             address 10.0.0.0/24
         }
         translation {
             address masquerade
         }
     }
 }
[edit]
# show firewall 
 name test-fw {
     default-action drop
     rule 1 {
         action accept
         state {
             established enable
             related enable
         }
     }
     rule 2 {
         action accept
         destination {
             port 8080
         }
         protocol tcp
         source {
             address 192.168.2.132
         }
     }
 }
[edit]
vyos@route1# show interfaces ethernet eth0 firewall 
 in {
     name test-fw
 }
 local {
     name test-fw
 }

#2

NAT happens before firewalling. So your firewall rule would need to allow port 80 (the translated address/port), not 8080. To properly limit it, you might want to add the 10.0.0.100 address to the destination section of the firewall too.
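A worked version of that fix, written here as an added example rather than configuration taken from either post. It assumes the VyOS `set`/`delete` syntax used by the 1.2/1.3 configuration mode and keeps the names from the question (`test-fw`, `eth0`, `10.0.0.100`, `192.168.2.132`); the existing rule 2 is replaced so that it matches the packet as the forward path actually sees it, after destination NAT has rewritten it to 10.0.0.100:80.

```text
# Before (from the question): rule 2 matches the pre-NAT port 8080, which the
# "in" ruleset on eth0 never sees because DNAT has already rewritten the packet.
#   rule 2 { action accept; protocol tcp; destination { port 8080 }
#            source { address 192.168.2.132 } }

# After: match the translated destination (address and port) so that only the
# one permitted source reaches the forwarded service; default-action drop
# handles everyone else.
delete firewall name test-fw rule 2 destination port 8080
set firewall name test-fw rule 2 action accept
set firewall name test-fw rule 2 protocol tcp
set firewall name test-fw rule 2 source address 192.168.2.132
set firewall name test-fw rule 2 destination address 10.0.0.100
set firewall name test-fw rule 2 destination port 80
commit
save

# Check that the rule is now being hit: the packet/byte counters for rule 2
# should increase when 192.168.2.132 connects to 192.168.1.78:8080, and the
# counter for the default drop should increase for any other source.
run show firewall name test-fw statistics
```

Two caveats worth keeping in mind with this ruleset. First, `test-fw` is also bound as the `local` ruleset on eth0 in the question; traffic addressed to the router itself (for example SSH to 192.168.1.78 from the WAN side) is never destination-NATed, so it will only match rule 1 (established/related) and then fall through to the default drop. If management access from eth0 is needed, give `local` its own ruleset or add an explicit rule for it. Second, the source host 192.168.2.132 is not on eth0's 192.168.1.0/24 network, so the firewall rule will only ever see its packets if there is a route bringing them in via eth0; a rule that matches the post-NAT destination but an unreachable source will still show zero hits.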