XII. Firewall/Security Features

Restrict access to Mail Server from particular IP addresses only

Products:
Vigor 2620Ln
Vigor 2760
Vigor 2762
Vigor 2765
Show all

Keywords:
allow ip
default data filter
email
firewall
Show all

This guide demonstrates how to:

  1. Configure a DrayTek router to make a server accessible from the Internet
  2. Configure IP Objects for remote addresses that will be allowed to access the server
  3. Set up the Firewall to limit access to this Port Forwarding with Firewall Rules

It will demonstrate how to configure these settings for a mail server but this can be applied to any Server type.

Setting up IP Objects to use with the Firewall makes management easier, if you need to modify or expand the list of allowed IP addresses in future. But if only a single IP address needs to be allowed through, you can skip step 2.

1. Port Forwarding

When the devices are behind the NAT(Router/firewall) they can't be reached by outside world unless they initiate the connection. But sometimes we need to connect to the devices like Web server, Mail server from Internet for the Application to work. This is achieved by port forwarding as described in the Figures below:

As shown in the image, we have a Mail server and port 25 is common port that a Mail server listens on for SMTP traffic. So we opened Port 25 for the Private IP address of the the Mail Server.

Open Port Mail server

2. Setting up IP Objects

1. First we create the IP objects for the IP addresses we want to allow to Access the Mail Server. We can create the IP obhect by going to [Objects Setting] > [IP Object] and clicking on a new Index number. We can create IP object for single, range or whole subnet as shown in the image below:

IP Object Single IP address

IP Object Range

IP Object Subnet

This is the image with all the IP objects created:

IP Object open port

2. Then we put those IP addresses in IP group called Allow and enter the IP objects as shown below:

Ip Group open port

The next step will be to create the Firewall rules, to allow the IP Group we created above to Access the mail server.

3. Firewall rules to restrict Access

Opening the port opens the whole Internet devices for that particular Private IP address which is a Server in our case and sometimes that is not desirable as it has a security risk. To make it more secure, we can restrict the Access to port forwarding using firewall rules so that we only allow certain IP addresses the Access to that server.

This will use two filter rules, one to allow the remote IP access, another after that to block the Access to the Mail server on port 25 to from any other IP address.

To create Firewall Filter rules, go to [Firewall] > [Filter Setup] and go into 2. Default Data Filter, which is by default the location the filter rules are initially processed. Select the first un-used rule to create the Allow Rule:

Allow Rule

This is the allow rule, which allows the specified remote server to access your mail server. To set the Source IP, click Edit for the Source IP, select IP Group and select the IP Group to be allowed through.

Allow rule mail server

Click Edit for the Service Type to modify the Service Type setting. This example shows how to set the Service Type for SMTP traffic on TCP port 25.

In the Service type, we haven't specified the Source port as the Source port can be any port. In the destinaton port we selected Port 25 as our Mail server listens on this Port. We can also open other ports depending on the Service which needs connecting like port 443 for https and port 80 for https.

Service type firewall

Click OK to save and apply that, then in the 2. Default Data Filter, edit the next available filter rule:

Block Rule

This is the block rule, which stops all other remote IP addresses from accessing your server:

Block rule mail server

 Firewall rule mail server

Now the Access to the Mail Server is restricted to only the IP addresses in the Allow Group.

We can enable Syslog under firewall>>filter setup>>Default Data filter for the allowed and the blocked port forwarding rule to log the successful and unsuccessful attempts to login to the Server. Please see the below image:

Check rule Firewall block

Troubleshooting

1. To check if the Firewall rule is working or not

Click on Firewall>>Diagnose,select the direction to be from  WAN. Source IP Address would be the IP address you need to check for the rule for and the destination IP address would be the Private IP address of the Mail server. Please see the image below:

firewall diagnose

2. Check if you have selected 'All' in the source Port under Firewall rule as traffic can originate from any port from the Source device on Internet.


How do you rate this article?

1 1 1 1 1 1 1 1 1 1