Menu
What's new
By:
Filters Better Search

Help Please..Need assistance stopping outbound connections!

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

T

Techno

Occasional Visitor
As the title of the thread states I need assistance with adding FW rules to my N66U to try and alleviate outbound connections from my IP cams. I logged onto my router web interface today and went to the WAN tab and looked up "Active Connections" and notice two of my ip cams are connecting to a China ip.

My firmware is Merlin 380.64_2. I do not have any open ports and have turned off all connections on both router (UPnP) and the individual cams (UPnP, P2P, Bonjour, etc) and even use OpenVPN but this does not stop them from making outbound connections. I have some networking experience but kind of a rookie at adding scripts and stuff and especially doing FW rules.

Any assistance would be greatly appreciated.
 

Attachments

  • Connections.JPG
    Connections.JPG
    21.2 KB · Views: 985
Outbound connections should not be an issue (maybe the cams are checking for firmware updates?) More concerning would be inbound connections to your cams. You should have a strong password for your cams and use the router firewall to block unwanted connections
 
redhat27 said:
Outbound connections should not be an issue (maybe the cams are checking for firmware updates?) More concerning would be inbound connections to your cams. You should have a strong password for your cams and use the router firewall to block unwanted connections
Click to expand...

I've read that outbound connections could also be harmful as well. I shouldn't have any coo ections inbound due to UPNP turned off and no port forwarding (I use built in vpn) so FW should be taking care of that side of things.

I do change the default password on all my cams.
 
There used to be a bug that stopped Network Services Filter from working, I suggest you try it.

But before you do that, can't you just go to the Network Map, click on the camera and select "block internet access"?
 
ColinTaylor said:
There used to be a bug that stopped Network Services Filter from working, I suggest you try it.

But before you do that, can't you just go to the Network Map, click on the camera and select "block internet access"?
Click to expand...

Sorry for me being an idiot but I have not even tried that...I will try that now that you mentioned it.

Anyway for me to tell that it's actually working? Do I just keep looking at the active connections log over the next few days to make sure I don't see the cams ip address making an outbound connection or is there another fool proof way?

Editing this last post because I blocked Internet access under the network map as you stated (the slide bar is now set to on) but the ip is still showing connected under active connections even after refreshing several times.
 
Last edited:
I suppose active connections will not be killed when you add a new rule. Try turning the cam (or router) off and on again to kill the active session and see if it is able to create a new connection (should not be possible)

Verstuurd vanaf mijn A0001 met Tapatalk
 
I know of others who cameras are calling home base in china. Including Baidu.com which is one bad site that attempts to take over your PC.

Assign your cameras a static IP address. if it is 192.168.2.199 for example, issue the command:

iptables -I FORWARD -s 192.168.2.199 -j DROP

This will drop traffic to the WAN. You can put this in /jffs/scripts/firewall-start file.

Another way is to create a /jffs/configs folder, then create a file called dnsmasq.conf.add and add an entry like:

server=/googleadservices.com/127.0.0.1

The 127.0.0.1 is the loopback address to your router. So the packet will get dropped there.

See https://github.com/RMerl/asuswrt-merlin/wiki/Custom-config-files to learn more about dnsmasq.conf.add

EDIT:
Another way is to install AB-Solution and add the URL to the block list. If you have a large enough USB drive, you can create one partition for entware and another for absolution using these instructions:

http://www.algissalys.com/how-to/format-and-partition-usb-asuswrt-routers

I had a bunch of 1GB and 2GB vendor swag thumb drives left over from my IT career. I used one for entware and one for absolution and connected them to a USB 2.0 hub attached to my router.
 
Last edited:
HeMaN said:
I suppose active connections will not be killed when you add a new rule. Try turning the cam (or router) off and on again to kill the active session and see if it is able to create a new connection (should not be possible)
Click to expand...

I looked in my "active connections" log this morning and I do not see the camera making a connection outbound any longer. Maybe sometime overnight the connection finally got dropped...not sure. I still am not feeling confident this is a "long term" solution. I feel like I need to put in a permanent rule to block ALL outbound connections from several of my cams...I have a lot!
 
Xentrk said:
I know of others who cameras are calling home base in china. Including Baidu.com which is one bad site that attempts to take over your PC.

Assign your cameras a static IP address. if it is 192.168.2.199 for example, issue the command:

iptables -I FORWARD -s 192.168.2.199 -j DROP

This will drop traffic to the WAN. You can put this in /jffs/scripts/firewall-start file.

Another way is to create a /jffs/configs folder, then create a file called dnsmasq.conf.add and add an entry like:

server=/googleadservices.com/127.0.0.1

The 127.0.0.1 is the loopback address to your router. So the packet will get dropped there.

See https://github.com/RMerl/asuswrt-merlin/wiki/Custom-config-files to learn more about dnsmasq.conf.add

Another way is to install AB-Solution and add the URL to the block list. For this, you will need two usb drives formatted as ext2, ext3 or ext4. One is for entware and the other for absolution.
Click to expand...

Thanks for your post...really appreciate it. In reference to your comment about cams calling home to china....yeah that's what I am afraid of which is why I really want to rectify this situation. All my cams are assigned static IP's out of my dhcp scope so I do not have to worry about overlap.

I really would like to "learn" how to input a FW rule in the iptable but not really sure how. I've been looking over several forums posts and even read the wiki but I'm still a little unsure. So far what I have learned is you have to either telnet or SSH into your router. But I assume you have to turn the telnet functionality on first? And also you have to turn on the ability to make changes to the /jiffs/scripts area I believe?

From there it really starts to get muddy as far as what command I start with first in order to input a rule. Also in reference to the rule you posted...the other thread I was reading listed the following rule which is similar to yours but varies just a bit: iptables -I FORWARD 2 -s 10.100.1.16 -o eth0 -j DROP

Not sure about the number after the FORWARD command and also they listed eth0 which is the WAN connection out I believe. I also need this rule to take care of both tcp and udp connections and not sure if I have multiple IP addresses (due to multiple cams) can I do some sort of range or do you have to do each individual cam address?
 
Techno said:
Thanks for your post...really appreciate it. In reference to your comment about cams calling home to china....yeah that's what I am afraid of which is why I really want to rectify this situation. All my cams are assigned static IP's out of my dhcp scope so I do not have to worry about overlap.

I really would like to "learn" how to input a FW rule in the iptable but not really sure how. I've been looking over several forums posts and even read the wiki but I'm still a little unsure. So far what I have learned is you have to either telnet or SSH into your router. But I assume you have to turn the telnet functionality on first? And also you have to turn on the ability to make changes to the /jiffs/scripts area I believe?

From there it really starts to get muddy as far as what command I start with first in order to input a rule. Also in reference to the rule you posted...the other thread I was reading listed the following rule which is similar to yours but varies just a bit: iptables -I FORWARD 2 -s 10.100.1.16 -o eth0 -j DROP

Not sure about the number after the FORWARD command and also they listed eth0 which is the WAN connection out I believe. I also need this rule to take care of both tcp and udp connections and not sure if I have multiple IP addresses (due to multiple cams) can I do some sort of range or do you have to do each individual cam address?
Click to expand...

At a minimum, you need to enable SSH session on the web gui in order to access the linux command line. In the gui, Go to Administration, Select the System Tab. Go to SSH Deamon. Set enable SSH to LAN. If you also select WAN, you open up your router to the web. Don't do it. Here is how you should set it up:
upload_2017-3-17_21-0-2.png


While you are at it enable JFFS. Set enable Enable JFFS custom scripts and configs to Yes. Set Format JFFS partition at next boot to Yes. Then reboot. This will create a directory called jffs on the root level.

Then, use a ssh client program like Putty to access the command line. I use MobaXterm. It is free. There is built in editor called Nano you can use to add the line to firewall-start file. Before doing this though, you can just enter the iptables command at the command line and it will persist as long as you don't reboot the router.

From there, you can create a subdirectory called scripts.

mkdir /jffs/scripts
cd /jffs/scripts

This is where the firewall-start file needs to reside. You can use the Nano editor to add the iptables command to the file. Or the vi editor. nano firewall-start. If you don't want to use editor, you can do this:

echo "iptables -I FORWARD -s 192.168.2.199 -j DROP" > firewall-start
If you have more lines to add do the same technique but use two greater than sign to append:
echo "iptables -I FORWARD -s 192.168.2.2oo -j DROP" >> firewall-start

Then, issue the command: cat firewall-start to see the contents of the file.

You will need to change the firewall-start permissions so it is executable: The command: chmod 755 firewall-start will take care of it. Then, when you reboot, the iptables commands will be executed. They will drop all packets to the web from that IP address.
 
Techno said:
I logged onto my router web interface today and went to the WAN tab and looked up "Active Connections" and notice two of my ip cams are connecting to a China ip.
Click to expand...

Interesting - shouldn't be happening (unless it ties into some cloud connection) - who is the vendor of the IP cam (including model number)...
 
Another forum member told me his made in China cameras sold here in Thailand want to phone home to Baidu.com. I blacklist Baidu at the two sites I support here.
 
sfx2000 said:
Interesting - shouldn't be happening (unless it ties into some cloud connection) - who is the vendor of the IP cam (including model number)...
Click to expand...

Dahua IPC-HDW4431C-A

Trust me...I logged into the camera and turned everything off that I could find. It's known out there that some of these cams could have "hidden" access that you can't see. Probably some cloud connection or something....
 
Xentrk said:
At a minimum, you need to enable SSH session on the web gui in order to access the linux command line. In the gui, Go to Administration, Select the System Tab. Go to SSH Deamon. Set enable SSH to LAN. If you also select WAN, you open up your router to the web. Don't do it. Here is how you should set it up:
View attachment 8762

While you are at it enable JFFS. Set enable Enable JFFS custom scripts and configs to Yes. Set Format JFFS partition at next boot to Yes. Then reboot. This will create a directory called jffs on the root level.

Then, use a ssh client program like Putty to access the command line. I use MobaXterm. It is free. There is built in editor called Nano you can use to add the line to firewall-start file. Before doing this though, you can just enter the iptables command at the command line and it will persist as long as you don't reboot the router.
Click to expand...

I am good up to here so far....if I am understanding correctly. Once I SSH in using Putty or that app you suggested...btw do I just type in the router IP and my username / password to SSH in? Anyway, I can simply add iptables commands after logging in except they won't be saved if I reboot the router?

Xentrk said:
From there, you can create a subdirectory called scripts.

mkdir /jffs/scripts
cd /jffs/scripts

This is where the firewall-start file needs to reside. You can use the Nano editor to add the iptables command to the file. Or the vi editor. nano firewall-start. If you don't want to use editor, you can do this:

echo "iptables -I FORWARD -s 192.168.2.199 -j DROP" > firewall-start
If you have more lines to add do the same technique but use two greater than sign to append:
echo "iptables -I FORWARD -s 192.168.2.2oo -j DROP" >> firewall-start

Then, issue the command: cat firewall-start to see the contents of the file.

You will need to change the firewall-start permissions so it is executable: The command: chmod 755 firewall-start will take care of it. Then, when you reboot, the iptables commands will be executed. They will drop all packets to the web from that IP address.
Click to expand...

This is where I am starting to get lost a little....if I want to save these iptables commands permanently I have to create a folder called scripts and save a firewall-start file in there? I am not sure how to create a firewall-start file under this newly created scripts subdirectory. Or you say I can simply enter in the specific commands without creating a firewall-start file like this:

echo "iptables -I FORWARD -s 192.168.5.189 -j DROP" >> firewall-start
echo "iptables -I FORWARD -s 192.168.5.190 -j DROP" >> firewall-start
echo "iptables -I FORWARD -s 192.168.5.191 -j DROP" >> firewall-start
and if my last ip is 192 I would put only one greater than sign
echo "iptables -I FORWARD -s 192.168.5.192 -j DROP" > firewall-start

Sorry for the crazy questions but I have never done SSH'd into a linux system before so this is all new to me but willing to learn for sure.
 
Techno said:
I am good up to here so far....if I am understanding correctly. Once I SSH in using Putty or that app you suggested...btw do I just type in the router IP and my username / password to SSH in? Anyway, I can simply add iptables commands after logging in except they won't be saved if I reboot the router?



This is where I am starting to get lost a little....if I want to save these iptables commands permanently I have to create a folder called scripts and save a firewall-start file in there? I am not sure how to create a firewall-start file under this newly created scripts subdirectory. Or you say I can simply enter in the specific commands without creating a firewall-start file like this:

echo "iptables -I FORWARD -s 192.168.5.189 -j DROP" >> firewall-start2
echo "iptables -I FORWARD -s 192.168.5.190 -j DROP" >> firewall-start2
echo "iptables -I FORWARD -s 192.168.5.191 -j DROP" >> firewall-start2
and if my last ip is 192 I would put only one greater than sign
echo "iptables -I FORWARD -s 192.168.5.192 -j DROP" > firewall-start2

Sorry for the crazy questions but I have never done SSH'd into a linux system before so this is all new to me but willing to learn for sure.
Click to expand...

The above will work except you want to use >> for all. If you use one > on the last line, it will wipe out everything else you entered. Ouch! Here is how you should do it (I use firewall-start2 as I already have a firewall-start and don't want to wipe it out).

Code: 
admin@RT-AC88U:/tmp/home/root# cd /jffs/scripts
admin@RT-AC88U:/jffs/scripts# echo "iptables -I FORWARD -s 192.168.5.189 -j DROP" >> firewall-start2
admin@RT-AC88U:/jffs/scripts# echo "iptables -I FORWARD -s 192.168.5.190 -j DROP" >> firewall-start2
admin@RT-AC88U:/jffs/scripts# echo "iptables -I FORWARD -s 192.168.5.191 -j DROP" >> firewall-start2
admin@RT-AC88U:/jffs/scripts# echo "iptables -I FORWARD -s 192.168.5.192 -j DROP" >> firewall-start2
admin@RT-AC88U:/jffs/scripts# cat firewall-start2
iptables -I FORWARD -s 192.168.5.189 -j DROP
iptables -I FORWARD -s 192.168.5.190 -j DROP
iptables -I FORWARD -s 192.168.5.191 -j DROP
iptables -I FORWARD -s 192.168.5.192 -j DROP

Make the file executable: chmod 755 firewall-start

I highly recommend you learn some basic linux commands on the web and learn how to ssh into the router. It will open up more things you can do on your router. There are scripts on the forum for privacy, malware, country block, entware and ad blocking that enhance your router. Again, you will need a ssh client on your PC to ssh into your router.

You can also try the Nano editor built into Merlin Firmware if you want to try that as well. I prefer MobaXterm as my ssh client software. It also has a built in editor. But you need an SFTP session to use it. And that means you would need to install an entware package which is more involved.
 
Last edited:
Xentrk said:
The above will work except you want to use >> for all. If you use one > on the last line, it will wipe out everything else you entered. Ouch! Here is how you should do it (I use firewall-start2 as I already have a firewall-start and don't want to wipe it out).

Code: 
admin@RT-AC88U:/tmp/home/root# cd /jffs/scripts
admin@RT-AC88U:/jffs/scripts# echo "iptables -I FORWARD -s 192.168.5.189 -j DROP" >> firewall-start2
admin@RT-AC88U:/jffs/scripts# echo "iptables -I FORWARD -s 192.168.5.190 -j DROP" >> firewall-start2
admin@RT-AC88U:/jffs/scripts# echo "iptables -I FORWARD -s 192.168.5.191 -j DROP" >> firewall-start2
admin@RT-AC88U:/jffs/scripts# echo "iptables -I FORWARD -s 192.168.5.192 -j DROP" >> firewall-start2
admin@RT-AC88U:/jffs/scripts# cat firewall-start2
iptables -I FORWARD -s 192.168.5.189 -j DROP
iptables -I FORWARD -s 192.168.5.190 -j DROP
iptables -I FORWARD -s 192.168.5.191 -j DROP
iptables -I FORWARD -s 192.168.5.192 -j DROP

Make the file executable: chmod 755 firewall-start

I highly recommend you learn some basic linux commands on the web and learn how to ssh into the router. It will open up more things you can do on your router. There are scripts on the forum for privacy, malware, country block, entware and ad blocking that enhance your router. Again, you will need a ssh client on your PC to ssh into your router.

You can also try the Nano editor built into Merlin Firmware if you want to try that as well. I prefer MobaXterm as my ssh client software. It also has a built in editor. But you need an SFTP session to use it. And that means you would need to install an entware package which is more involved.
Click to expand...

Ok, its getting a little bit clearer....I think my only hang up at this point is whether I need to just use Putty and input those iptables commands into the /jffs/scripts directory or do I NEED to use that other app and use that editor (Nano) to input the firewall-start file? I believe you said the difference is if I just use putty and input the commands if I reboot the router all will be lost.

Obviously, rebooting the router happens from time to time so I believe I would rather make this a permanent thing so I guess I need a little more info on how to use the editor inside the MobaXterm app...I have never used that before...I have used putty to telnet and console into a cisco switch but that is about the extent of my experience.

Also, just wanted to report back that last night I went into network map and found the IP address of the cam in question and selected to "block internet access"...well that appears to have killed my access via VPN. I just tried while on break today and that was the only cam that did not show up so I'm thinking it's more than a coincidence that it doesn't work! This is a no go for me as I use VPN to view my cams quite often....I'm just curious if putting in these FW rules (iptables) is going to effect VPN connection as well since it will not allow the cams to make and "outbound" connection?
 
You must log in or register to reply here.

Similar threads

bengalih
Need help with OpenVPN server configured in non-routing mode
Replies
1
Views
854
bengalih
bengalih
N
[Need Help Plz] RT-AX86U not picking up WAN IP from XB7
Replies
7
Views
1K
L&LD
L&LD
D
When connected to my GT-AX6000 something is not allowing certain apps or functions to work on our phones and I need help how to troubleshoot
2
Replies
30
Views
3K
dyer4789
D
K
Issues with dual router setup
Replies
5
Views
2K
Tech9
Tech9
M
Asus RT-AX89X How to add A firewall blacklist composed of Stretchoid scanners
Replies
0
Views
2K
majika
M
Similar threads
Thread starter Title Forum Replies Date
el_pedr0 Please help me diagnose knotty routing problem Asuswrt-Merlin 4
H Virgin FTTP and ASUS AXE16000 problems…… please help. Asuswrt-Merlin 6
A Help Required Upgrading AC68U from Stock FW to Merlin Please? Asuswrt-Merlin 15
F ASUS RT-AC86U (merlin Current Version : 386.12_6): jffs2: Argh. No free space left for GC. Can you help me troubleshoot this please? Asuswrt-Merlin 6
J Help Please Upgrade Time Asuswrt-Merlin 4
T [Help] Problems setting up OpenVPN Asuswrt-Merlin 7
staralfur12 Need help with Namecheap -> Router -> Caddy Asuswrt-Merlin 10
P Asus aimesh node disconnects frequently, corresponding log entries recorded. Need help understanding the log. Asuswrt-Merlin 5
V Asus RT-AX3000 Help Asuswrt-Merlin 5
StrikerXXX Need help configuring NextDNS Asuswrt-Merlin 14

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 806 (members: 33, guests: 773)
Top