Tg582n Setup FTP access but restrict inbound IP

rodandjaxforum
Dabbler
Posts: 13
Registered: ‎06-09-2013

Tg582n Setup FTP access but restrict inbound IP

Hi All,
I have successfully set up a port forward to my FTP server so users can access it from the outside world (WAN?).  I'm using a non std port number which is then port forwarded at the router.  However, I'd like to only allow a certain external IP address through for this specific port number.  Using the Technicolor Tg582n telnet (I presume you can't do this extra thing via its web interface), can anyone help me figure out how to do this?
Thanks in advance.
Rodp
12 REPLIES
bradw
Grafter
Posts: 105
Registered: ‎21-05-2013

Re: Tg582n Setup FTP access but restrict inbound IP

What OS is the FTP server running on? It might be better to configure firewall rules on that server.
rodandjaxforum
Dabbler
Posts: 13
Registered: ‎06-09-2013

Re: Tg582n Setup FTP access but restrict inbound IP

Hi udk,
It's a PVR - Humax HDR Fox T2 so the ftp server is rather basic.  I'm using the custom firmware but I've not come across anything on the webif pages nor telnet pages that might restrict the IP addresses - although I don't really know what I'm looking for.
Hope you can help
Thanks
Rodp
npr
Pro
Posts: 1,898
Thanks: 119
Fixes: 9
Registered: ‎21-01-2013

Re: Tg582n Setup FTP access but restrict inbound IP

Is it just one source IP address you wish to allow and is this the only port forward rule you have or are likely to have?
If the answer to both is yes, then I may have an easy answer -- I need to test it out first though.
rodandjaxforum
Dabbler
Posts: 13
Registered: ‎06-09-2013

Re: Tg582n Setup FTP access but restrict inbound IP

Hi npr,
Well for the time being yes it could just be for one ip I suppose.  Maybe later on I might want to have an additional port open so would be interested in either solution.
Thanks
Rodp
npr
Pro
Posts: 1,898
Thanks: 119
Fixes: 9
Registered: ‎21-01-2013

Re: Tg582n Setup FTP access but restrict inbound IP

What I had in mind is:
1) remove all your existing port forward rules.
2) ensure the PVR is configured to "always use the same IP address" in the router's network settings.
3) do the port forward this method:
http://npr.me.uk/forwardports.html
But in place of the commands shown on the website use these slightly modified commands.
Quote
nat tmpladd intf=Internet type=nat outside_addr=1.2.3.4 inside_addr=192.168.1.65
firewall rule add chain=forward_host_service name=test srcintf=wan srcip=1.2.3.4 dstip=192.168.1.65 state=enabled action=accept

Just change 1.2.3.4 to the ip address you wish to allow access from.
And change 192.168.1.65 to the IP address of the PVR.
These commands will forward all ports to the PVR, but only from the specified IP.
One drawback is, you can not use any other port forward rules with this method.
edit:
Just remembered you saying you're using a non standard port for FTP.
If that's using port translation then the above method may not work.
rodandjaxforum
Dabbler
Posts: 13
Registered: ‎06-09-2013

Re: Tg582n Setup FTP access but restrict inbound IP

That sounds good but yes I was using a non std port but I suppose I could now resort back to std set of ports if I restrict the ip address.  I'll go and read up on those commands to learn a bit more but thanks very much for the guidance.
If I was going to need non std ports and the functionality to control incoming IPs, is it likely that I'll need to get a better/different router?
Thanks very much.
Rodp
npr
Pro
Posts: 1,898
Thanks: 119
Fixes: 9
Registered: ‎21-01-2013

Re: Tg582n Setup FTP access but restrict inbound IP

Quote from: rodandjaxforum
is it likely that I'll need to get a better/different router?

These Technicolor routers are more configurable than many / most other routers, you just need to use CLI commands in place of a GUI. ;)
Let me know the details of the ports (translation) you wish to use and I'll try and suggest a better method to try.

rodandjaxforum
Dabbler
Posts: 13
Registered: ‎06-09-2013

Re: Tg582n Setup FTP access but restrict inbound IP

Hi npr
My port forwarding is something like 43576 to 21.  The CLI commands, I do agree, provide immense flexibility but are pretty full on - I found this doc with them all in but not enough info to give me enough guidance:  http://help.demon.net/files/2013/03/TG582n-CLI-Guide.pdf
Cheers
Rodp
npr
Pro
Posts: 1,898
Thanks: 119
Fixes: 9
Registered: ‎21-01-2013

Re: Tg582n Setup FTP access but restrict inbound IP

Quote from: rodandjaxforum
I found this doc with them all in but not enough info to give me enough guidance:

Try the site in my links ;)
I've tested the following commands and they do enable port forward for FTP, from a single wan IP, but without port translation.
Quote
nat tmpladd group=wan type=napt outside_addr=0.0.0.1 inside_addr=192.168.1.65 foreign_addr=65.112.29.37 protocol=tcp outside_port=21 inside_port=21 weight=50 status=up
nat tmpladd group=wan type=napt outside_addr=0.0.0.1 inside_addr=192.168.1.65 foreign_addr=65.112.29.37 protocol=tcp outside_port=21800-21805 inside_port=21800-21805 weight=50 status=up
firewall rule add chain=forward_host_service name=test srcintf=wan srcip=65.112.29.37 dstip=192.168.1.65 state=enabled action=accept
saveall

Change the outside IP 65.112.29.37 to suit.
Change the inside IP 192.168.1.65 to suit
The following commands have not been tested but should enable port forward with port translation 43576 to 21.
Quote
nat tmpladd group=wan type=napt outside_addr=0.0.0.1 inside_addr=192.168.1.65 foreign_addr=65.112.29.37 protocol=tcp outside_port=43576 inside_port=21 weight=50 status=up
nat tmpladd group=wan type=napt outside_addr=0.0.0.1 inside_addr=192.168.1.65 foreign_addr=65.112.29.37 protocol=tcp outside_port=21800-21805 inside_port=21800-21805 weight=50 status=up
firewall rule add chain=forward_host_service name=test srcintf=wan srcip=65.112.29.37 dstip=192.168.1.65 state=enabled action=accept
saveall

These commands should be compatible with port forward rules to other ports.
To delete these commands you first need to identify their index number, see this link for details: http://npr.me.uk/forwardports.html

I strongly recommend creating a backup of your router's config file before playing with these CLI settings -- you can get in a terrible mess if not careful.
Restoring the backup will get you back to where you started.
Or a factory reset using the pinhole at the back will do a full reset.

Edit:
saveall command added
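Added example, not part of the thread or of npr's site: a small Python check that reads a list of `nat tmpladd` / `firewall rule add` lines in the syntax posted above and reports any forward that is not pinned to a source IP or has no matching enabled accept rule. The two lint rules and the third (port 8080) template are assumptions constructed for this example; the other lines are the commands from the post.

```python
import ipaddress
import shlex

# Constructed sample: the two NAT templates and the firewall rule from the
# post above, plus one deliberately unpinned template (no foreign_addr).
SAMPLE = """\
nat tmpladd group=wan type=napt outside_addr=0.0.0.1 inside_addr=192.168.1.65 foreign_addr=65.112.29.37 protocol=tcp outside_port=43576 inside_port=21 weight=50 status=up
nat tmpladd group=wan type=napt outside_addr=0.0.0.1 inside_addr=192.168.1.65 foreign_addr=65.112.29.37 protocol=tcp outside_port=21800-21805 inside_port=21800-21805 weight=50 status=up
nat tmpladd group=wan type=napt outside_addr=0.0.0.1 inside_addr=192.168.1.65 protocol=tcp outside_port=8080 inside_port=80 weight=50 status=up
firewall rule add chain=forward_host_service name=test srcintf=wan srcip=65.112.29.37 dstip=192.168.1.65 state=enabled action=accept
"""

def parse(line):
    """Split one CLI line into (command words, {key: value})."""
    words, params = [], {}
    for tok in shlex.split(line):
        if "=" in tok:
            key, _, val = tok.partition("=")
            params[key] = val
        else:
            words.append(tok)
    return " ".join(words), params

def audit(text):
    """Return findings for forwards that are not tied to one source IP."""
    nats, rules, findings = [], [], []
    for line in filter(None, map(str.strip, text.splitlines())):
        cmd, p = parse(line)
        if cmd == "nat tmpladd":
            nats.append(p)
        elif cmd == "firewall rule add":
            rules.append(p)
    # (srcip, dstip) pairs that an enabled accept rule lets through
    allowed = {(r.get("srcip"), r.get("dstip")) for r in rules
               if r.get("action") == "accept" and r.get("state") == "enabled"}
    for n in nats:
        port, src, dst = n.get("outside_port"), n.get("foreign_addr"), n.get("inside_addr")
        if src is None:
            findings.append(f"port {port}: template has no foreign_addr")
            continue
        ipaddress.ip_address(src)  # raises ValueError on a malformed address
        if (src, dst) not in allowed:
            findings.append(f"port {port}: no enabled accept rule for {src} -> {dst}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```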
rodandjaxforum
Dabbler
Posts: 13
Registered: ‎06-09-2013

Re: Tg582n Setup FTP access but restrict inbound IP

Hi npr,
thanks very much for that - will defo back up my setup beforehand.  I've read somewhere how you list out and get the indexes so will hunt it out.  So to confirm, that command syntax still has the limitation of only one inbound IP from now on but I should in theory be able to do the port forwarding / translation too.
Thanks for your effort over this and I'll let you know how I get on.
Thanks
Rodp
npr
Pro
Posts: 1,898
Thanks: 119
Fixes: 9
Registered: ‎21-01-2013

Re: Tg582n Setup FTP access but restrict inbound IP

Hi Rodp
I've now tested the above commands to configure "port forward with port translation 43576 to 21" and I can confirm it does what you ask :)
ie:
It limits connections from only the IP specified.
Additional allowed IP addresses can be used but I'm not sure of the syntax (not sure if IPs should be separated with a space or comma; a range will be something like 1.2.3.1-255).
The commands as shown will translate an incoming wan port of 43576 to a lan port of 21.
With these commands you can still use the GUI to port forward other ports but you must be careful not to try and PF the same ports already used.
Note:
Don't forget to use the saveall command when you're done, otherwise the settings will be lost at a reboot.

Good luck,
npr
rodandjaxforum
Dabbler
Posts: 13
Registered: ‎06-09-2013

Re: Tg582n Setup FTP access but restrict inbound IP

Hi npr
That's brill.  Thanks very much indeed for your help.
Cheers
Rodp