Port Forward

 

Port Forward settings work in combination with tunnelled connections further described in the following topics: Remote Desktop Connection (RDP/SSH) and Create new Tunnelled Connection and allow you to further limit who can create tunnelled connections and which ports can be used. Topic is divided into two parts, in the first one the rules and notations are explained and in the second part some practical examples are given. Please proceed to the part relevant for you:

Port Forward - Settings

Important: When creating a tunnel one side of ISL Light session (usually the operator's side) initializes it and the tunnel is made from the initializing computer to the remote computer. The Allowed listen filter rules are applied on the side that initialized the tunnel and the Allowed connect filter rules are applied on the side that receives the tunnel.  For example, if you specify the Allowed connect filter rules on your computer and you create a tunnel from your computer to another machine, the specified rules will have no effect. Rules for the remote side can be placed into the Allowed listen filter as seen below, using allow/deny_remote_ip and allow/deny_remote_port.

The following settings are available to you in the Port Forward section:

  • Allowed connect filter - IP and port filters defined here apply to connections being made from this computer onward (either to other computers in the local network or to the computer itself trough localhost address). Settings defined here are applied when a tunnel originates from another machine and is made to this computer. Trough this settings you can control whether this computer can serve as a jumpbox, as described here: Create an SSH session using a jumpbox.
  • Allowed listen filter - IP and port filters defined here apply to connections being made to your local machine from your own local network (including your own machine connecting to itself trough localhost). Settings defined here are applied when a tunnel originates from this machine. This kind of connections are made if your local computer serves as a jumpbox as described here: Create a custom tunnel.
  • Rdp connection file - Specify the path to a .rdp connection configuration file that will be applied to the tunnelled session. 
  • Default rdp schema - Command which is executed when RDP tunnel is created (Create a RDP Session) and launches a RDP client that uses the tunnel. The command should only be changed if you changed the RDP configuration and the executable is no longer at its default location. 
  • Default ssh schema - Command which is executed when SSH tunnel is created (Create an SSH Session) and launches an SSH client that uses the tunnel. The command should only be changed if you changed the SSH configuration and the executable is no longer at its default location.


Port forward - Filter Rules

Important: Filter rules are being applied from left to right for any new connection until one rule matches (e.g. firewall rules behave in the same way).

For security reasons it is advisable to place the deny_all rule as the last rule. In such configuration you will have to explicitly specify which IPs and which ports can be used and all other connections will be allowed. (You are whitelisting IPs and ports). 

Alternative but less secure version is to place the allow_all rule as the last rule and explicitly deny specific IPs and ports. (You are blacklisting IPs and ports).

Important: deny_all is implicitly placed at the end of any custom filter rule for security reasons. Placing allow_all option at the end overrides it.

Allowed connect filter

You can enter the following settings for Allowed connect filter:

  • deny_ip / allow_ip - deny or allow connections from your computer, serving as a jumpbox, to other computers in your network, based on IP addresses.
    • Example: Only allow tunnel to a specific IP (172.17.118.73) and a 172.16.1.1/255.255.0.0 subnet. 
      • allow_ip 172.17.118.73; allow_ip 172.16.1.1/255.255.0.0; deny_all;
  • deny_port / allow_port- deny or allow connections from your computer serving as a jumpbox to other computers in your network on specific ports.
    • Example: Deny all tunnelled connections except on port 22
      • allow_port 22; deny_all;
  • deny_all / allow_all - deny or allow all connections being made from computer.


Allowed listen filter

You can enter the following settings for Allowed listen filter:

  • deny_ip / allow_ip - deny or allow connections to your computer based on IP addresses. 
    • Example:Only allow computers from 172.16.1.1/255.255.0.0 subnet to connect to your computer and use the tunnel. 
      • allow_ip 172.17.118.73; allow_ip 172.16.1.1/255.255.0.0; deny_all;
  • deny_port / allow_port - deny or allow connections to your computer on specified ports. 
    • Example:Deny all connections to your machine except on port 22.
      • allow_port 22; deny_all;
  • deny_remote_ip / allow_remote_ip - prevent the tunnel being made to specific IP addresses inside the network of the remote computer.
    • Example: Allow SSH tunnel to a single specific computer inside the network of the remote computer
      • allow_remote_ip 172.16.1.17; allow_remote_port 22; deny_all;
    • Note: deny_remote_ip entered in the Allowed listen filter and deny_ip entered in the Allowed connect filter perform a similar function - prevent the connection being made to a specific IP in the network of the remote computer. However deny_remote_ip is evaluated when tunnel is created and deny_ip is evaluated once a connection is made to the tunnel. This means that if you use deny_remote_ip and try to create a tunnel to a banned IP the tunnel will not be created at all, however if you use the deny_ip option the tunnel is created but the connection is refused.
  • deny_remote_port / allow_remote_port -  prevent the tunnel being made to devices inside the network of the remote computer on specific ports.
    • Example: Allow SSH tunnel to a single specific computer inside the network of the remote computer
      • allow_remote_ip 172.16.1.17; allow_remote_port 22; deny_all;
    • Note: deny_remote_port entered in the Allowed listen filter and deny_port entered in the Allowed connect filter perform a similar function - prevent the connection being made to a specific port in the network of the remote computer. However deny_remote_port is evaluated when tunnel is created and deny_port is evaluated once a connection is made to the tunnel. This means that if you use deny_remote_port and try to create a tunnel to a banned port the tunnel will not be created at all, however if you use the deny_port option the tunnel is created but the connection is refused.
  • deny_all / allow_all - deny or allow all connections being made to your computer.


Port Forward - Examples

A few configuration examples are provided bellow, please refer to the one most relevant to your situation:


Allow SSH connection only from your computer to remote computer (1:1 connection, neither computer serves as jumbox).

Allowed connect filter: (Has no effect if tunnel is initiated from your machine)

deny_all;

Allowed listen filter:

allow_remote_port 22; deny_all;


Allow SSH and RDP connection only from your computer to remote computer (1:1 connection, neither computer serves as jumbox).

Allowed connect filter: (Has no effect if tunnel is initiated from your machine)

deny_all;

Allowed listen filter:

allow_remote_port 22; allow_remote_port 3389; deny_all;
Tags: settings, port forward, filter rules, examples

Was this article helpful?