How to lock down Port forwards to a single external IP address

Hi,

I have set up port forwarding for an RDP port.
I'd like to know how I can lock down this port forward so that it can only be accessed from a single external IP address.

e.g.

1.1.1.1:3389 can only be accessed from 2.2.2.2.

I created the server, assigned the service for 3389 to be accessed on the main WAN interface.

I have tried setting up inbound rules within the firewall to only allow access from 2.2.2.2:3389 to 192.168.0.1:3389. I then created a rule to disallow any other IP address trying to access 192.168.0.1:3389.

Could anyone please shed some light on this?

You need the port forwarding rule, but then limit access with a pair of inbound firewall rules. The first rule allows what you want to happen. The second rule blocks the rest of the world.

Rule #1: Allow Source = 2.2.2.2, destination port 3389, destination 1.1.1.1

Rule #2: Deny Source = any, destination port 3389, destination 1.1.1.1.

I think what you are doing wrong is that 3389 is the destination port, not the source port.

1 Like

Hi Don,

Thank you for your assistance. Does the destination IP address have to be the site's public IP address or the server's LAN IP address?

Kind regards,

Russell Keavy

In this case, the source is the external client you are allowing into your network. You would use the public IP address of that external device.

The destination is the LAN address of your server. It became the destination for any inbound traffic using that port, when you wrote the port forwarding rule.

1 Like

Hi Don,

I have tried using both the external IP and the LAN address of the server; I am still able to access RDP remotely from external sources.

Kind Regards,

Russell Keavy.

@infrastructure

You need to change the source port to "any" for the firewall rules. The source port will always be a dynamic port generated by the client device, as seen by the NAT device.

1 Like
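To make the two points in this thread concrete (the allow/deny rule pair for the forwarded port, and why pinning the source port to 3389 defeats it), here is an added simulation that is not part of the original thread and not the code of any firewall product. It models a port forward as a DNAT step followed by first-match-wins inbound rules with an assumed default of "allow" (matching what the poster observed), and uses the thread's addresses with constructed ephemeral client ports.

```python
"""Simulated port forward + inbound rule pair, as discussed in the thread above.

Constructed example: the rule-evaluation order (DNAT first, then first-match-wins
filtering, default allow) and the ephemeral ports are assumptions, not the
documented behaviour of any specific firewall.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src_ip: Optional[str] = None  # None means "any"
    src_port: Optional[int] = None
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        # Every field that is set must match; unset fields match anything.
        return all(
            want is None or want == have
            for want, have in (
                (self.src_ip, pkt.src_ip),
                (self.src_port, pkt.src_port),
                (self.dst_ip, pkt.dst_ip),
                (self.dst_port, pkt.dst_port),
            )
        )


PUBLIC_IP, LAN_IP, RDP_PORT = "1.1.1.1", "192.168.0.1", 3389  # values from the thread


def port_forward(pkt: Packet) -> Packet:
    """DNAT step (assumed to run before the filter rules): public IP:3389 -> LAN server."""
    if pkt.dst_ip == PUBLIC_IP and pkt.dst_port == RDP_PORT:
        return replace(pkt, dst_ip=LAN_IP)
    return pkt


def evaluate(rules: List[Rule], pkt: Packet, default: str = "allow") -> str:
    """First matching rule wins; if nothing matches, the default verdict applies."""
    pkt = port_forward(pkt)
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# The pair as first attempted: source port pinned to 3389 on both rules.
WRONG_RULES = [
    Rule("allow", src_ip="2.2.2.2", src_port=RDP_PORT, dst_ip=LAN_IP, dst_port=RDP_PORT),
    Rule("deny", src_port=RDP_PORT, dst_ip=LAN_IP, dst_port=RDP_PORT),
]

# The pair as corrected: source port "any", destination is the server's LAN address.
RIGHT_RULES = [
    Rule("allow", src_ip="2.2.2.2", dst_ip=LAN_IP, dst_port=RDP_PORT),
    Rule("deny", dst_ip=LAN_IP, dst_port=RDP_PORT),
]

# Constructed connections: each client picks a random ephemeral source port.
TRUSTED = Packet("2.2.2.2", 51514, PUBLIC_IP, RDP_PORT)
STRANGER = Packet("3.3.3.3", 40211, PUBLIC_IP, RDP_PORT)


def outcomes(rules: List[Rule]) -> Dict[str, str]:
    """Verdict for the trusted client and for an arbitrary Internet host."""
    return {"trusted": evaluate(rules, TRUSTED), "stranger": evaluate(rules, STRANGER)}


if __name__ == "__main__":
    # With source port 3389 neither rule ever matches, so the default lets everyone in.
    print("source port 3389:", outcomes(WRONG_RULES))
    # With source port "any" only 2.2.2.2 is allowed; everyone else hits the deny rule.
    print("source port any :", outcomes(RIGHT_RULES))
```

The simulation reproduces the symptom reported mid-thread: with the source port pinned to 3389, neither the allow nor the deny rule ever fires, because real clients connect from an ephemeral port, and the forward stays reachable from every address. Changing the source port to "any" is what makes the deny rule bite.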