					
				How to set up a port forward but for only one source IP address?
				Posted: Mon Apr 13, 2020 6:26 pm
				by kcantrel
				I have a server on the LAN side of an old Netgear WNDR3700v2 running Gargoyle 1.4.7 that I want to port forward port 22 to, but only allow connections from a single source (Internet side) IP address. Do the later versions of Gargoyle support that via the GUI? And/or is there a way to do that via the CLI?
Any, and all, suggestions will be greatly appreciated!
			 
			
					
				Re: How to set up a port forward but for only one source IP address?
				Posted: Mon Apr 13, 2020 7:29 pm
				by kcantrel
				In a continual effort to try and figure this out myself, I found the firewall documentation on the OpenWRT site and it looks like I just need to add "option 'src_ip' '<IP>' " to the appropriate section in the /etc/config/firewall file and it should do the trick. And by "appropriate section" I mean the section that is created when I create the port forward rule from within Gargoyle. Is it okay to edit that file? Will it confuse Gargoyle? Will the change get lost if I make a change to any of the port forward rules?
			 
			
					
				Re: How to set up a port forward but for only one source IP address?
				Posted: Mon Apr 13, 2020 8:06 pm
				by Lantis
				That is a really old version which I would not recommend for use anymore, especially on an internet facing device.
It is also very hard to offer advice as I don't know if the software worked the same back then. 
However, yes the OpenWrt documentation is correct. That is all you need to do (assuming it still worked the same). 
Gargoyle will still allow any local resource to access the port forward (NAT reflection). It won't limit that. 
Yes, if you make any other GUI changes on the port forwarding page it will be overridden. Future versions have not made any changes in this regard.
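
Because a GUI edit can rewrite the redirect section and drop a hand-added `src_ip`, a check that can be re-run after any change is useful. The following is an added example, not part of the original posts and not Gargoyle or OpenWrt code: it parses firewall config text in the `/etc/config/firewall` format and lists WAN port forwards that are not limited to the expected source address. The section names and addresses in the sample are constructed, and the function names are hypothetical.

```python
import shlex

# Constructed sample of /etc/config/firewall; names and addresses are made up
# (203.0.113.10 is a documentation address, 192.168.1.50 a hypothetical server).
SAMPLE = """
config redirect 'ssh_open'
	option name 'ssh'
	option src 'wan'
	option proto 'tcp'
	option src_dport '22'
	option dest_ip '192.168.1.50'
	option dest_port '22'

config redirect 'ssh_locked'
	option src 'wan'
	option proto 'tcp'
	option src_dport '2222'
	option src_ip '203.0.113.10'
	option dest_ip '192.168.1.50'
	option dest_port '22'
"""

def parse_uci(text):
    """Return a list of (type, name, options) for each 'config' section."""
    sections = []
    for raw in text.splitlines():
        tok = shlex.split(raw, comments=True)  # handles quotes and '#' comments
        if not tok:
            continue
        if tok[0] == "config" and len(tok) >= 2:
            sections.append((tok[1], tok[2] if len(tok) > 2 else "", {}))
        elif tok[0] == "option" and len(tok) >= 3 and sections:
            sections[-1][2][tok[1]] = tok[2]
    return sections

def unrestricted_forwards(text, allowed_ip=None):
    """Names of enabled WAN redirects with no src_ip, or one other than allowed_ip."""
    bad = []
    for kind, name, opt in parse_uci(text):
        if kind != "redirect" or opt.get("src") != "wan" or opt.get("enabled", "1") == "0":
            continue
        src_ip = opt.get("src_ip")
        if src_ip is None or (allowed_ip and src_ip != allowed_ip):
            bad.append(name or opt.get("name", "(unnamed)"))
    return bad

if __name__ == "__main__":
    print(unrestricted_forwards(SAMPLE, "203.0.113.10"))
```

On the router itself the same function can be given the contents of `/etc/config/firewall` instead of the sample.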
			 
			
					
				Re: How to set up a port forward but for only one source IP address?
				Posted: Mon Apr 13, 2020 11:08 pm
				by kcantrel
				So, other than upgrading to a more recent version, how would you recommend I implement this? Sounds like if I make the change to the /etc/config/firewall file, it will be overridden eventually (i.e. I make some other change within the GUI).
I noticed there is a /etc/firewall.user file that is run. Should I put 'uci' commands in there to make it more persistent? 
Regarding upgrading. Can I just upgrade to the latest? Or, do I need to upgrade to no more than 1 stable version at a time? I'm not worried about losing any existing configurations, but, needless to say, I don't want to brick my router.
Note that the idea is for this to NOT be "the" Internet facing router, there will be one in front of it, but that one (Google Fiber Network Box) doesn't provide any firewall rules that you can adjust. So, the Google Fiber will port forward to it, and then it will port forward, selectively, to the back end server.
Thanks for your help!
			 
			
					
				Re: How to set up a port forward but for only one source IP address?
				Posted: Tue Apr 14, 2020 10:13 am
				by kcantrel
				@Lantis. Thanks for your help. I crossed my fingers and did a 'sysupgrade' to the latest OpenWRT and bang! I was running it. It supports specifying the source IP so I think I am good to go. Soooo long Gargoyle! 

 
			
					
				Re: How to set up a port forward but for only one source IP address?
				Posted: Tue Apr 14, 2020 6:01 pm
				by Lantis
				No worries. 
Your options were to make the changes and then not touch it. 
Add something to firewall.user. 
Change the gargoyle code.
Switch to OpenWrt. 
As long as you're sorted 
