Hi guys,
I'm running merlin version 380.64_2 on my AC68U.
I've tried back and forth to block internet access for my D-Link IP cam, but I want to allow UDP port 123 for NTP.
I just now got it to work, but as my knowledge of iptables is very limited I would like some more skilled eyes on it.
I have blocked internet access from the GUI (Network Map -> Clients -> the cam -> Block Internet Access), and then I created this iptables line:
"iptables -I FORWARD -i br0 -m mac --mac-source <ip cam's mac> -p udp --dport 123 -j ACCEPT"
When I type iptables -S it shows:
"-A FORWARD -i br0 -p udp -m mac --mac-source <ip cam's mac> -m udp --dport 123 -j ACCEPT"
So, almost the same, and based on my test it all works. I can't access the cam from the dlink app and the NTP sync works.
But, is it correct to allow UDP 123 in that way? Am I doing it wrong? I'm asking because I don't know exactly how it works.
The reason for MAC instead of IP is because "Block Internet Access" created this line in iptables:
"-A FORWARD -i br0 -m mac --mac-source <ip cam's mac> -j DROP"
I just want to point out that I tried adding the lines below to /jffs/scripts/firewall-start, which I got from another thread here, but after syncing NTP time (coincidence?), the IP cam got internet access, so it didn't work...
"iptables -I FORWARD 1 -s <ip cam's ip> -o eth0 -p udp --dport 123 -j ACCEPT"
"iptables -I FORWARD 2 -s <ip cam's ip> -o eth0 -j DROP"
Thanks in advance.
Edit:
Ouch... sorry... right after I posted this, I noticed that I can't access the cam via my OpenVPN (TUN) server... Now I have no clue how to solve this.
My network IP is 10.13.37.x and openvpn server is at 10.13.36.x. I want to block all internet access except UDP port 123 on 10.13.37.71.
I forgot to mention that on previous versions (380.62), I could block all TCP ports for that IP under Firewall -> Network Services Filter and it would just work. This doesn't work after the upgrade (I even tried a factory reset).
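The GUI's DROP rule matches only on the ingress interface (-i br0) and the camera's MAC, so it also drops the camera's replies to OpenVPN clients coming in over the tun interface, which is why the VPN access broke. An added example, not from the thread or from Asuswrt-Merlin, of a /jffs/scripts/firewall-start that scopes the policy to frames leaving via the WAN interface only, so LAN and VPN clients still reach the camera; it assumes the GUI block is switched off, the camera MAC shown is a constructed placeholder, and the WAN interface falls back to eth0 (as used in the thread) when nvram is not available.

```sh
#!/bin/sh
# /jffs/scripts/firewall-start (example, not part of the original post)
# Camera egress policy: drop everything the camera sends toward the WAN
# except NTP (UDP/123). LAN and OpenVPN (tun) traffic never enters the
# chain because the jump rule matches on the WAN output interface.
CAM_MAC="00:11:22:33:44:55"                   # constructed placeholder
WAN_IF="$(nvram get wan0_ifname 2>/dev/null || echo eth0)"
IPT="${IPT:-iptables}"                        # set IPT=echo for a dry run
CHAIN="CAM_EGRESS"

cam_rules() {
    # Own chain so the script can be re-run on every firewall-start without
    # piling up duplicate rules.
    $IPT -N "$CHAIN" 2>/dev/null
    $IPT -F "$CHAIN"
    # Remove a previous jump (if any), then insert it above the firmware's
    # own FORWARD rules so it is evaluated first.
    $IPT -D FORWARD -i br0 -o "$WAN_IF" -m mac --mac-source "$CAM_MAC" \
        -j "$CHAIN" 2>/dev/null
    $IPT -I FORWARD 1 -i br0 -o "$WAN_IF" -m mac --mac-source "$CAM_MAC" \
        -j "$CHAIN"
    # Allow list: NTP only.
    $IPT -A "$CHAIN" -p udp --dport 123 -j ACCEPT
    # Everything else toward the internet is logged (rate limited, so a
    # chatty camera cannot flood syslog) and dropped.
    $IPT -A "$CHAIN" -m limit --limit 6/min -j LOG --log-prefix "CAM_EGRESS_DROP: "
    $IPT -A "$CHAIN" -j DROP
}

# Merlin invokes this file as firewall-start; when sourced elsewhere
# (e.g. for a dry run) nothing is applied automatically.
case "$0" in
    *firewall-start) cam_rules ;;
esac
```

Check the result with `iptables -S FORWARD | head` and `iptables -S CAM_EGRESS`; blocked attempts show up in the router's syslog with the CAM_EGRESS_DROP prefix.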