2025-11-23

Forwarding and filtering - double F

Let’s imagine your home network not as a mysterious tangle, but as a simple, layered experiment. You’ve got a main router—call its WAN IP 203.0.113.7. Inside are two subnets: 192.168.1.0/24 for regular devices, and 192.168.10.0/24 for your NAS, let’s say at 192.168.10.5. You want friends (or yourself!) to access your NAS over the Internet—but only from trusted places. If a stranger shows up, you want them politely shown the door. That’s firewalling, made honest and direct.

The trick is port forwarding plus filtering. Your gateway router needs to allow certain kinds of traffic inside—say, HTTP (port 80), HTTPS (443), and DSM for Synology (5001)—but only if the packets come from friendly subnets like 198.51.100.0/24 or 203.0.112.0/24. After all, an open port is like an open invitation.

To do this, you build a list of “good” guests. In command terms, here’s how that looks for a router’s filter rules:

/ip firewall filter
add chain=forward src-address=198.51.100.0/24 dst-port=80,443,5001 protocol=tcp in-interface=WAN action=accept comment="Allow trusted/home office"
add chain=forward src-address=203.0.112.0/24 dst-port=80,443,5001 protocol=tcp in-interface=WAN action=accept comment="Allow remote location"
add chain=forward in-interface=WAN protocol=tcp dst-port=80,443,5001 action=drop comment="Block everyone else"

This says: let through traffic on those three ports—but only if it comes from one of your trusted blocks. Anything else on those ports, drop it. The order matters, because the first rule that matches a packet decides its fate—a bit like checking a guest list before closing the door.

If traffic flows through a relay (like a Raspberry Pi at 192.168.1.21), the same logic applies. On the Pi, you use iptables to sketch out the rules:

# Trusted block 1: home office
sudo iptables -A INPUT -p tcp --dport 80 -s 198.51.100.0/24 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -s 198.51.100.0/24 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 5001 -s 198.51.100.0/24 -j ACCEPT
# Trusted block 2: remote location
sudo iptables -A INPUT -p tcp --dport 80 -s 203.0.112.0/24 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -s 203.0.112.0/24 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 5001 -s 203.0.112.0/24 -j ACCEPT
# Everyone else on those ports: drop (must come after the ACCEPT rules)
sudo iptables -A INPUT -p tcp --dport 80 -j DROP
sudo iptables -A INPUT -p tcp --dport 443 -j DROP
sudo iptables -A INPUT -p tcp --dport 5001 -j DROP

Notice we accept before we drop; the sequence is as fundamental here as in quantum mechanics—if you measure first, everything changes.

Also, if you’re using NAT to forward packets, always check which source IP your relay “sees.” With plain destination NAT, only the destination address is rewritten, so the original source IP is preserved and your Pi’s source filtering works. If the router also applies source NAT or “masquerade” to the forwarded packets, the relay only sees the router’s own IP as the source, every outside client looks identical to it, and you have to trust your router to do the filtering.
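To make the two points above concrete (first match wins, and masquerade hides the real source from the relay), here is a small first-match evaluator written for this post as an added illustration. It is not the router's or the Pi's code, nor anything from the original article; the rule list mirrors the one in the post, the client addresses are constructed from the same documentation ranges, and in-interface matching is deliberately not modelled.

```python
"""Added example: first-match evaluation of the post's filter rules.

Models a router filter chain or iptables: rules are checked in order and the
first match decides. Also models what a relay behind the router sees as the
source address under destination NAT versus masquerade (source NAT).
Addresses are the post's documentation-range examples; packets are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

ROUTER_WAN = "203.0.113.7"          # from the post
SERVICE_PORTS = frozenset({80, 443, 5001})
TRUSTED = [ip_network("198.51.100.0/24"), ip_network("203.0.112.0/24")]


@dataclass(frozen=True)
class Rule:
    action: str                        # "accept" or "drop"
    dst_ports: frozenset               # TCP ports this rule applies to
    src: Optional[IPv4Network] = None  # None matches any source address
    comment: str = ""

    def matches(self, src_ip: str, dst_port: int) -> bool:
        if dst_port not in self.dst_ports:
            return False
        return self.src is None or ip_address(src_ip) in self.src


def evaluate(rules, src_ip: str, dst_port: int, default: str = "accept") -> str:
    """First matching rule wins; unmatched packets fall to the chain default."""
    for rule in rules:
        if rule.matches(src_ip, dst_port):
            return rule.action
    return default


def post_rules():
    """The order used in the post: accept the trusted blocks, then drop the rest."""
    return [
        Rule("accept", SERVICE_PORTS, TRUSTED[0], "Allow trusted/home office"),
        Rule("accept", SERVICE_PORTS, TRUSTED[1], "Allow remote location"),
        Rule("drop", SERVICE_PORTS, None, "Block everyone else"),
    ]


def misordered_rules():
    """Same three rules with the drop placed first: the accepts are never reached."""
    accept_home, accept_remote, drop_all = post_rules()
    return [drop_all, accept_home, accept_remote]


def source_seen_by_relay(real_src: str, nat_mode: str) -> str:
    """Source address the relay's INPUT chain sees after the router's NAT."""
    if nat_mode == "dst-nat":      # only the destination is rewritten
        return real_src
    if nat_mode == "masquerade":   # source is rewritten to the router's address
        return ROUTER_WAN
    raise ValueError(f"unknown NAT mode: {nat_mode}")


def relay_verdict(rules, real_src: str, dst_port: int, nat_mode: str) -> str:
    """Verdict of the relay's filter for a packet that passed through the router."""
    return evaluate(rules, source_seen_by_relay(real_src, nat_mode), dst_port)


if __name__ == "__main__":
    trusted_client, stranger = "198.51.100.20", "192.0.2.50"   # constructed
    print("trusted -> 443, post order:  ", evaluate(post_rules(), trusted_client, 443))
    print("stranger -> 443, post order: ", evaluate(post_rules(), stranger, 443))
    print("trusted -> 443, drop first:  ", evaluate(misordered_rules(), trusted_client, 443))
    print("relay, dst-nat, trusted:     ", relay_verdict(post_rules(), trusted_client, 443, "dst-nat"))
    print("relay, masquerade, trusted:  ", relay_verdict(post_rules(), trusted_client, 443, "masquerade"))
    print("relay, masquerade, stranger: ", relay_verdict(post_rules(), stranger, 443, "masquerade"))
```

Two things the output makes visible: with the drop rule first, even the trusted client is dropped, and under masquerade the relay gives the trusted client and the stranger the same verdict because both arrive from 203.0.113.7. A port outside the three listed (say 22) matches no rule at all and falls to the chain's default, which is why the chain's policy, not just its rules, needs a deliberate choice.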

Test your setup by connecting (and failing!) from outside the trusted blocks. If things go wrong, flush the rules (iptables -F) and build them up again stepwise, confirming at every stage that the right packets pass and the wrong ones disappear without a trace. Keep in mind that iptables -F removes the rules but leaves the chain’s default policy in place, so if you have set the INPUT policy to DROP, flush from the console rather than over SSH.

What have you done? You’ve made a system that behaves just like Feynman’s ideal lab setup—you know exactly who gets through, why, and how. Instead of noisy complexity, you’ve crafted a simple, logical experiment, with results you can measure and trust.

Written with the help of AI, based on a real problem-solving situation, reviewed by me, DL.