Help Please..Need assistance stopping outbound connections!

[CooCooCaChoo]

Second sentence screams hacked. If you don't ever visit sites based in China, you could setup iptables to block the entire country see if that will stop the cams from calling home.

 

[Xentrk]

I forgot an important point: This has to be at the top line of firewall-start:

#!/bin/sh

This is a requirement for any file that is a linux shell script!

You need an SSH client on your PC, such as MobaXterm or Putty. You will need to enter the ip address of your router, userid and password. Then, when you are at a command line, issue "mkdir /jffs/scripts" to make the directory. Then "cd /jffs/scripts" to navigate to the directory. Once in the directory, you can issue the command

nano firewall-start

Or, do the echo commands to pipe the lines to the file. The iptables command should work over VPN connection.

When you are done editing the file. You can run it by issuing this command at the command line if you are in the /jffs/scripts directory:

./firewall-start

Then, to see if the rules are in effect, type:

iptables -L | grep  DROP

 

[Marc66]

I would assign the cameras a static IP and set their default gateway to an inexistant address. This would prevent any access outside the LAN


Sent from my iPhone using Tapatalk

 

[eddiez]

Some IP cams are P2P which means videostreams can only be viewed through the manufacturers P2P (cloud) service.

 

[Xentrk]

I wonder if the OP can use the firewall menu - network services filter tab to block the camera from the WAN. It looks like it should work. Need to keep it simple for him since he has no experience with SSH and Linux command line. I can try and test with it tomorrow or Monday.

 

[Fitz Mutch]

My firewall is configured to restrict the IP cameras in the following ways:

• Block outbound Internet access.
  
• Allow outbound access to VPN interface only.
  
• Block all DNS requests.
  
• Allow NTP request to the router only.

 

[Techno]

I would assign the cameras a static IP and set their default gateway to an inexistant address. This would prevent any access outside the lan

Yep been there done that...all well and good until you try to connect back via vpn...no go.

What I did do however is leave default gateway as legit of what it really is and I changed DNS to non existent addresses like 1.0.0.1 and it looks like on the logs it not in the "established" category but instead it's going under "sys_sent" which leads me to believe it's not connecting.

 

[Techno]

Some IP cams are P2P which means videostreams can only be viewed through the manufacturers P2P (cloud) service.

I understand what your saying but I have turned off all P2P services as well as UPnP, bonjour and any thing else you can think of on the cam. I do not forward any ports and use vpn to connect into my network from outbound to be as safe as possible.

Sucks that you do everything you can to block incoming connections but the cam can still get out of your network and connect to a China ip for example. Thus why I was curious about blocking via FW rules.

 

[Techno]

I wonder if the OP can use the firewall menu - network services filter tab to block the camera from the WAN. It looks like it should work. Need to keep it simple for him since he has no experience with SSH and Linux command line. I can try and test with it tomorrow or Monday.

I tried to go to network map and locate ip and select the "block intenet access" or whatever it's called. It seemed to work as the next day the logs were clear....however...it blocks your connection to the cam when u vpn back in...and I can't have that because that is my primary means of viewing my cams...

 

[Techno]

My firewall is configured to restrict the IP cameras in the following ways:

• Block outbound Internet access.
  
• Allow outbound access to VPN interface only.
  
• Block all DNS requests.
  
• Allow NTP request to the router only.

Thanks for the info...anyway you can elaborate on your specific fw settings that you have in place that handles all this for you?

 

[Xentrk]

Thanks for the info...anyway you can elaborate on your specific fw settings that you have in place that handles all this for you?

The method I outlined with the iptables command should work as I use it on a router installed at a children's home. Devices can connect to the router LAN and they get a valid IP address. They just can't get out to the WAN. There are some articles on the web about ssh into asus router. You could also do a telnet session instead. dd-wrt does have a feature through the web GUI where you can enter firewall rules. But with asus, you will need telnet or ssh sessions to do this.

Edit: you can create a free opendns.com account and use it as your DNS servers to filter Web sites, blacklist and white list sites. But not sure if you can use IP address. I use the service on two sites bit only black list bu URL website name.

 

[Fitz Mutch]

anyway you can elaborate?

If you're going to be blocking the Internet for an IP camera, you probably want an local NTP server, so the timestamp in the video stream is accurate. Also, you'll maybe want to give computers on the local network and/or VPN, access to the IP camera. This is not what I have in place, it's just an example. Think about it.

/jffs/scripts/firewall-start

#!/bin/sh
###############################################################################
# lockdown the device (192.168.1.222), but allow access from VPN only
/usr/sbin/iptables -I FORWARD -i br0 -s 192.168.1.222 -j DROP
/usr/sbin/iptables -I FORWARD -i br0 -o tun21 -s 192.168.1.222 -m state --state RELATED,ESTABLISHED -j ACCEPT
/usr/sbin/iptables -I INPUT -i br0 -s 192.168.1.222 -j DROP
/usr/sbin/iptables -I INPUT -i br0 -s 192.168.1.222 -p udp -m multiport --dports 53,67,68,123  -j ACCEPT
/usr/sbin/iptables -t nat -I PREROUTING -i br0 -s 192.168.1.222 -p udp -m multiport --dports 53,123 -j DNAT --to-destination 192.168.1.1
###############################################################################

If your IP camera allows you to specify an NTP server, set it to your router's IP address. This makes clock synchronization for the camera more reliable. Otherwise, each time the camera synchronizes its clock, it will make a DNS lookup for some NTP server name, before being redirected to your router's NTP server. AND, if the DNS lookup fails, the camera won't be able to sync its clock.

Here's how to start the NTP server on the router, included in recent version of Busybox. It's also possible to intercept Internet time requests for all computer on your local network and direct to your local NTP server.

/jffs/scripts/wan-start

#!/bin/sh
###############################################################################
# wait for system clock to be synchronized, then start NTP server
while [ "$(nvram get ntp_ready)" != "1" ]; do
  /usr/bin/logger -t $(/usr/bin/basename $0) "custom script waiting for system clock to be synchronized [$$]"
  /bin/sleep 1
done
[ "$(nvram get ntp_ready)" == "1" ] && [ -z "$(/bin/pidof ntpd)" ] && /usr/sbin/ntpd -I br0 -dd
###############################################################################

 

[redhat27]

@Fitz Mutch Wouldn't the wan-start be on an infinite wait during router boot due to the dnsmasq.conf.add entry?

 

[Techno]

The method I outlined with the iptables command should work as I use it on a router installed at a children's home. Devices can connect to the router LAN and they get a valid IP address. They just can't get out to the WAN. There are some articles on the web about ssh into asus router. You could also do a telnet session instead. dd-wrt does have a feature through the web GUI where you can enter firewall rules. But with asus, you will need telnet or ssh sessions to do this.

Edit: you can create a free opendns.com account and use it as your DNS servers to filter Web sites, blacklist and white list sites. But not sure if you can use IP address. I use the service on two sites bit only black list bu URL website name.

Xentrk-

I read on another post that forum user @ColinTaylor suggested you can use an application called WinSCP to log onto router and create a new file in the /jffs/scripts directory due to someone's inexperienced skill set in Linux command line environment: https://www.snbforums.com/threads/ip-tables-confusion.30373/

So in my case I may be able to perform the following steps:

1. Enable SSH access to the router
2. Use WinSCP to log onto the router and navigate to the /jffs/scripts directory
3. Right click in that directory and choose New File
4. Create a new file called firewall-start with the following lines:

#!/bin/sh

iptables -I FORWARD -s 192.168.5.189 -j DROP

1. Am I missing any steps?
2. Is this still going to allow VPN connection to view IP cam with me dropping outbound?
3. If for some reason it does not work as intended..how do you delete what you just created?

 

[Martineau]

#!/bin/sh

iptables -I FORWARD -s 192.168.5.189 -j DROP

2. Is this still going to allow VPN connection to view IP cam with me dropping outbound?

No, you will need to use a rule like

iptables -I FORWARD -s 192.168.5.189  -i br0 ! -o tun2+ -j DROP

So any camera traffic that needs to go back out through either of the VPN servers (because you connected inbound to one of the servers) will be ALLOWED.

However, this rule will BLOCK everything outbound via the WAN, including the NTP port, so if you want your cameras to get their time from the internet you will need another rule:

iptables -I FORWARD -i br0 -o $(nvram get wan0_ifname) -p udp -m udp --dport 123 -j ACCEPT

 

[Fitz Mutch]

@Fitz Mutch Wouldn't the wan-start be on an infinite wait during router boot due to the dnsmasq.conf.add entry?

Thank you, I fixed it. I was copying straight from my router, sorry. That piece you cannot do because it requires one to set the router clock in a non-standard way. Such as: (1) have the router get its time from a computer on your local network, or (2) special hardware tricks to set the router's clock.

You cannot do this.
/jffs/configs/dnsmasq.conf.add

address=/.pool.ntp.org/ntp.ubuntu.com/.timefreq.bldrdoc.gov/time.nist.gov/time-nw.nist.gov/time-a.nist.gov/time-b.nist.gov/time-c.nist.gov/time-d.nist.gov/time.windows.com/tick.usno.navy.mil/tock.usno.navy.mil/ntp.usno.navy.mil/ntp2.usno.navy.mil/tick.usnogps.navy.mil/tock.usnogps.navy.mil/ntp.rokutime.com/192.168.1.1

 

[Metro]

So I'd really like to set up some firewall rules for my six cameras to block all outbound access (though leave them open and accessible to my VPN connection), but after reading this thread and trying to piece together the separate conversations, it's still a bit unclear the order and steps.

Can anyone link to a guide for the Asus routers (I have the AC-88U) for building firewall rules from scratch?

 

[Martineau]

Can anyone link to a guide for the Asus routers (I have the AC-88U) for building firewall rules from scratch?

The Wiki https://github.com/RMerl/asuswrt-merlin/wiki has loads of info e.g. https://github.com/RMerl/asuswrt-merlin/wiki/Iptables-tips

So I'd really like to set up some firewall rules for my six cameras to block all outbound access (though leave them open and accessible to my VPN connection)

You must initially set up SSH access to the router via the GUI, then start a session using PuTTY (although XShell is highly recommended) then if you can cut'n'paste into an editor then you should be good to go.

So this post by RMerlin simply expands on the instruction on the Wiki for creating a sample script:

https://www.snbforums.com/threads/help-with-custom-scripts.34950/#post-283099

If you are using Windows then WinSCP is (in my view) an essential tool for expanding the capabilties of the router using scripts. You can move around the router file system, viewing, editing, etc. and even create backup copies of your scripts using drag'n'drop between a windows folder and the router.
You can even execute/test your scripts from within WinSCP by simply right clicking on the script in the GUI.

It has probably taken me longer to type this than it will take for you to actually set up SSH and create your first 'Hello World' test script on the router!

Anyway, I wrote a script for my family/colleagues who also have the same security concerns. So as shown in the script help, you simply only need to create/maintain a text file containing one line defining the I/P addresses of your cameras...

e.g. say you have 13 cameras to be blocked from accessing the Internet but still remain accessible for remote viewing over the VPN.

/jffs/configs/IPGroups

CAMERAS  192.168.1.196,  192.168.1.15-192.168.1.20,  192.168.1.50:192.168.1.55

/jffs/scripts/IPCamsBlock.sh

EDIT: 08/01/2018 v1.04 Added 'logntp' directive and use separate custom iptables chain
EDIT: 01/02/2018 v1.05 Added 'wanip/usewanip' directives for external NVR
EDIT: 09/06/2018 v1.06 Added 'mac' directive and filter LAN NTP requests
EDIT: --/--/2018 v1.07 Allow 'relaxed' .csv format for import
EDIT: 11/09/2018 v1.08 Added 'mail=' directive
EDIT: 12/09/2018 v1.09 Added 'logscan' directive
EDIT:--/--/2018 v1.10 Allow multiple 'wanip=xxx.xxx.xxx.xxx[….]'
EDIT:03/11/2018 v1.11 Fix possible globbing issue and streamline code.
EDIT:17/11/2018 v1.12 Fix detect 'other2wan' rule (Dual-WAN environments)

https://pastebin.com/KUwcbMC4

Hosted on pastebin as life is too short to tediously identify why posting the script in-line triggers the forum blocker


P.S. It is considered good practice to keep custom scripts separate and call them from the system scripts as necessary rather than copy all the code in say an existing 'firewall-start' script!
So you would simply add the call to run '/jffs/scripts/IPCamsBlock.sh' from 'firewall-start' by adding the line

/jffs/scripts/IPCamsBlock.sh init

Then if anything goes wrong, you can just disable 'IPCamsBlock.sh' rather than inadvertently breaking 'firewall-start'

 

[Techno]

No, you will need to use a rule like

iptables -I FORWARD -s 192.168.5.189  -i br0 ! -o tun2+ -j DROP

So any camera traffic that needs to go back out through either of the VPN servers (because you connected inbound to one of the servers) will be ALLOWED.

However, this rule will BLOCK everything outbound via the WAN, including the NTP port, so if you want your cameras to get their time from the internet you will need another rule:

iptables -I FORWARD -i br0 -o $(nvram get wan0_ifname) -p udp -m udp --dport 123 -j ACCEPT

Martineau-

Thanks for responding and the assistance with connecting back via VPN. It makes sense that VPN connection would be dropped with that FW rule as its not letting any camera traffic get outbound. I do have an internal NVR set up that my cameras are configured on so I am assuming they would get their time from that machine versus going out on the net. I may input that rule for the NTP outbound though in case I need it for the future.

 

[Techno]

You must initially set up SSH access to the router via the GUI, then start a session using PuTTY (although XShell is highly recommended) then if you can cut'n'paste into an editor then you should be good to go.

If you are using Windows then WinSCP is (in my view) an essential tool for expanding the capabilties of the router using scripts. You can move around the router file system, viewing, editing, etc. and even create backup copies of your scripts using drag'n'drop between a windows folder and the router.
You can even execute/test your scripts from within WinSCP by simply right clicking on the script in the GUI.

Your post is very detailed and very much appreciated....I must admit it's my fault due to being a beginner that I am not understanding what specific app I will need to use to do all this...I have heard people post a lot...PuTTY, MobaXterm, WinSCP, XShell....I thought a good all around app would be the WinSCP because you can do different things within the router system like create files, folders but not sure if it's considered an "editor" so that I can paste in a script?

Anyway, I wrote a script for my family/colleagues who also have the same security concerns. So as shown in the script help, you simply only need to create/maintain a text file containing one line defining the I/P addresses of your cameras...

e.g. say you have 13 cameras to be blocked from accessing the Internet but still remain accessible for remote viewing over the VPN.

/jffs/configs/IPGroups

CAMERAS  192.168.1.196,  192.168.1.15-192.168.1.20,  192.168.1.50:192.168.1.55

/jffs/scripts/IPCamBlock.sh

So I would create a folder in the configs system area called IPGroups and then create a script called IPCamBlock.sh? Sorry for the confusing questions but I must admit...I am a little confused now that we are not creating the script in the standard firewall-start area.

#!/bin/sh
#=====================================================================================================================
#
# Block unsolicited outbound traffic from the I/P cameras, except for NTP, but still allow viewing via the VPN Servers
#
# IPCamsBlock [help|-h] | [init] | [status]
#
# IPCamsBlock init
# Create the blocking rules (usually called from /jffs/scripts/firewall-start)
# (Assumes /jffs/configs/IPGroups exists with valid 'CAMERAS' entry - Uppercase text!)
# e.g. CAMERAS 10.88.8.10,10.88.8.15-10.88.8.20,10.88.8.50:10.88.8.55
# IPCamsBlock
# Show status of the rules in name form e.g. CAM-L-F1812
# IPCamsBlock status
# Show status of the rules in I/P form e.g. 10.88.8.10
#
#
# /jffs/scripts/firewall-start
# /jffs/scripts/IPCamsBlock.sh init

#*************************************FUNCTIONS***************************************************************

That is a very long script....so someone could just copy and paste that entire thing into the system? I would assume some things would need to be changed within the script like IP settings, changing or removing the references to your name, etc?

P.S. It is considered good practice to keep custom scripts separate and call them from the system scripts as necessary rather than copy all the code in say an existing 'firewall-start' script!
So you would simply add the call to run '/jffs/scripts/IPCamBlock.sh' from 'firewall-start' by adding the line

/jffs/scripts/IPCamsBlock.sh init

Then if anything goes wrong, you can just disable 'IPCamBlock.sh' rather than inadvertently breaking 'firewall-start'.

This makes sense to create a sub-folder for the "block" instead of keeping it in the designated "firewall-start" area. I am still trying to grasp how exactly to get all this done....trying not to get defeated here...I know I can learn this. Again sorry for all the rookie questions....[/QUOTE]