Prevent access from internet router IP (not source IP)

Percentage · January 3, 2026, 9:03pm

Please use this template for troubleshooting questions.

My issue: I have an internal network of 192.168.2.x, my nginx is on .2.2. I have some websites that I do NOT want to be accessed from the internet. My internet router is on .2.1. How do I deny traffic coming through the router since the router address is not the source address?

How I encountered the problem:

Solutions I’ve tried: various allow / deny configurations.

Deployment environment: Latest nginx on debian 13.

liam · January 5, 2026, 2:26pm

You’re on the right track with the access module (allow/deny directives). This sort of thing should do it.

server {
    listen …;
    server_name private.example.org;

    allow 192.168.2.0/24;
    deny all;

    root …;
}

route443 · January 8, 2026, 2:13am

I’d additionally make sure that your inbound wan->lan port forwarding applies DNAT only and that SNAT/masquerade is not applied, otherwise, nginx will see your router’s IP as the source => allow rule will incorrectly match

Topic		Replies	Views
Can't Reach Allowed File when My User Agent is Blocked NGINX access , error-page , if	5	96	July 11, 2025
How to define/create a public IP and use it in NGINX? NGINX networking , ip	4	135	December 15, 2025
New ASUS router NGINX config , web-server , reverse-proxy	7	36	December 28, 2025
NGINX stream real IP client NGINX reverse-proxy , stream	2	108	October 1, 2025
What IP addresses are reserved for NGINX? NGINX networking , ip	4	158	October 1, 2025

Prevent access from internet router IP (not source IP)

Related topics