NAT packets

I use ICS to share internets with LAN, but I don’t want all computers from my subnet to be able to use this NAT, only a few allowed IPs. What rules do I need to create? Or is it even possible in Comodo? If not, please direct me to some lightweight NAT server, more configurable than ICS.

Did you check this topic? https://forums.comodo.com/firewall_guides/blocking_internet_access_whilst_allowing_intranet_access-t30440.0.html

This topic is incorrect in my case. I have no access to computers I want to block.

When you installed CIS, it recognized your network upon reboot. One of the options was to allow other computers in this network to be able to access your computer. I am trusting you didn’t check this option.

If you did, from Firewall/Advanced/Network Security Policy, Global Rules tab, remove ‘Allow all Incoming requests from this network.’
This will prevent anyone gaining access to your computer.

Now, to allow specific computers access: From this same screen, Add ‘Allow IP In From Source (IP address or range as the case may be - the other computers) Destination Single IP (your IP) Source Port Any Destination Port Any.’
Make sure this rule is above any ‘Block’ rules you may already have.
Click ‘OK’ to save this/these rules.

I hope this satisfies your requirements. :slight_smile:

If I remember correctly, Global Rules table is “default allow”, not “default block”.

Now, to allow specific computers access: From this same screen, Add 'Allow IP In From Source (IP address or range as the case may be - the other computers) Destination Single IP (your IP) Source Port Any Destination Port Any.'
Destination address is not my IP, I'm just a router.

This is what I finally have come up with:
Allow IP In From ‘subnet’ To ‘my internal ip’
Allow IP In From ‘allowed ips’ To Any
Block IP In From ‘subnet’ To Any
Not perfect, but it seems to work.

Still confused about direction. ‘In’ and ‘Out’ are not really applicable here, because these packets are both in and out. But the ‘In’ rule works, ‘Out’ doesn’t. Then I set up port mapping and got the opposite: the ‘Out’ rule works, ‘In’ doesn’t. I even remember I had a rule where ‘In’ and ‘Out’ didn’t work, but ‘In/Out’ did. Where is the logic?
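As an added illustration (not code from the thread or from Comodo), here is a small first-match evaluator in Python that runs the three-rule set above over constructed sample addresses; the subnet, the ICS box's internal IP and the allowed hosts are assumed values, and only ‘In’ rules are modelled since those are the ones that matched the forwarded packets.

```python
from ipaddress import ip_address, ip_network

# Constructed sample values: the LAN subnet, the ICS machine's internal
# address, and the few LAN hosts allowed to use the NAT.
SUBNET = ip_network("192.168.0.0/24")
MY_INTERNAL_IP = ip_address("192.168.0.1")
ALLOWED_IPS = {ip_address("192.168.0.10"), ip_address("192.168.0.11")}

def in_subnet(ip):  return ip in SUBNET
def is_allowed(ip): return ip in ALLOWED_IPS
def is_me(ip):      return ip == MY_INTERNAL_IP
def any_addr(ip):   return True

# One tuple per Global Rule: (action, source predicate, destination
# predicate), listed in the order they appear in the rule table.
RULES = [
    ("allow", in_subnet,  is_me),     # Allow IP In From 'subnet' To 'my internal ip'
    ("allow", is_allowed, any_addr),  # Allow IP In From 'allowed ips' To Any
    ("block", in_subnet,  any_addr),  # Block IP In From 'subnet' To Any
]

def evaluate(rules, src, dst, default="allow"):
    """First matching rule decides. The thread notes the Global Rules
    table is 'default allow', so an unmatched packet falls through to allow."""
    src, dst = ip_address(src), ip_address(dst)
    for action, src_ok, dst_ok in rules:
        if src_ok(src) and dst_ok(dst):
            return action
    return default

def misordered():
    """Same three rules with the Block rule moved to the top, which is the
    ordering mistake the earlier reply warns about."""
    return [RULES[2], RULES[0], RULES[1]]
```

Note that a source outside the subnet never matches any of the three rules and so reaches the default-allow fallthrough, which is one reason the author calls the set “not perfect”.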

In and Out refer to the originating direction, e.g. In is any communication originating outside your computer, Out is any communication originating from your computer. Everything else is replies to the originating message.