Martineau
Part of the Furniture
Can you publish the latest version (with add for enabled UPnP) ?
v1.03 posted (339 lines!)
https://www.snbforums.com/threads/h...outbound-connections.38086/page-2#post-314785
However, if you still wish to modify IPCamsBlock.sh to allow the home IP Cameras to be viewed remotely via either a secure VPN or Port Forward WAN connection, then modify the existing firewall rule creation code as follows:
change

Code:
Firewall $ACTION FORWARD -s $CAMERA -i br0 ! -o tun2+ -j DROP

to

Code:
Firewall $ACTION FORWARD -s $CAMERA -i br0 -o $(nvram get wan0_ifname) -m state --state NEW -j DROP
Firewall $ACTION FORWARD -s $CAMERA -i br0 -o tun2+ -j ACCEPT
The two rules should now explicitly block the IP camera from initiating a new outbound WAN session (but implicitly allow outbound WAN IP camera traffic in response to an initiated inbound request via any Port Forward) and still allow outbound IP camera traffic via either of the VPN servers.
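The egress policy described in the post above, written out as a standalone sh script. This is an added example, not code from IPCamsBlock.sh or from the post. It emits the rules in evaluation order (explicit exceptions out of the WAN interface, with NTP udp/123 as the default; anything towards the OpenVPN server tunnels tun2+; then the DROP of NEW sessions towards the WAN), inserts them at the top of FORWARD only when they are not already present, and accepts an optional list of extra proto:port exceptions such as tcp:587 for the NVR SMTP case discussed later in the thread. The wan_if helper assumes the stock Asuswrt NVRAM names wan0_proto and wan0_pppoe_ifname for a PPPoE link; DRY_RUN=1 prints the iptables commands instead of running them.

```shell
#!/bin/sh
# Added example, not code from IPCamsBlock.sh: per-device egress policy built
# from the two-rule pattern above. FORWARD is evaluated top-down, first match wins:
#   1. explicit exceptions straight out of the WAN interface (default NTP udp/123)  ACCEPT
#   2. anything bound for the OpenVPN server tunnels (tun2+)                        ACCEPT
#   3. any NEW session bound for the WAN interface                                  DROP
# Replies to an inbound port-forwarded session are ESTABLISHED, not NEW, so rule 3
# leaves them alone, as the post describes.

# Print the rule specs for one LAN device, one per line, in evaluation order.
# $1 = device IP, $2 = WAN interface, $3 = optional space-separated proto:port
# exceptions (e.g. "udp:123 tcp:587").
camera_rule_specs() {
    cam=$1
    wan=$2
    allow=${3:-udp:123}
    for pp in $allow; do
        proto=${pp%%:*}
        port=${pp#*:}
        printf '%s\n' "-s $cam -i br0 -o $wan -p $proto --dport $port -j ACCEPT"
    done
    printf '%s\n' "-s $cam -i br0 -o tun2+ -j ACCEPT"
    printf '%s\n' "-s $cam -i br0 -o $wan -m state --state NEW -j DROP"
}

# Routed WAN interface. wan0_ifname is the physical/VLAN port; on PPPoE the
# traffic leaves via pppX. Assumption: stock Asuswrt NVRAM names wan0_proto and
# wan0_pppoe_ifname.
wan_if() {
    if [ "$(nvram get wan0_proto 2>/dev/null)" = "pppoe" ]; then
        nvram get wan0_pppoe_ifname
    else
        nvram get wan0_ifname
    fi
}

# Insert at positions 1,2,3... so the rules sit above the firmware's own
# LAN-to-WAN ACCEPT and keep their evaluation order. 'iptables -C' makes the
# call idempotent; DRY_RUN=1 prints the commands instead of executing them.
# shellcheck disable=SC2086  # word-splitting $spec into arguments is intended
apply_camera_rules() {
    n=1
    camera_rule_specs "$1" "$2" "${3:-}" | while IFS= read -r spec; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "iptables -I FORWARD $n $spec"
        elif ! iptables -C FORWARD $spec 2>/dev/null; then
            iptables -I FORWARD "$n" $spec
        fi
        n=$((n + 1))
    done
}

# Teardown counterpart (the $ACTION=-D path in the script's terms).
# shellcheck disable=SC2086
remove_camera_rules() {
    camera_rule_specs "$1" "$2" "${3:-}" | while IFS= read -r spec; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "iptables -D FORWARD $spec"
        else
            iptables -D FORWARD $spec 2>/dev/null || true
        fi
    done
}
```

Source the file and call `apply_camera_rules 192.168.5.100 "$(wan_if)"` from firewall-start; the `iptables -C` check keeps a second run from stacking duplicate rules. The proto:port exceptions are looser than the thread's `-d smtp.acme.net` rule, which also pins the destination; add `-d` to the ACCEPT line if you want that.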
Code:
iptables -I FORWARD 1 -s 10.100.10.17 -o eth0 -p udp --dport 123 -j ACCEPT
iptables -I FORWARD 2 -s 10.100.10.17 -o eth0 -j DROP
iptables -I FORWARD 3 -s 10.100.10.18 -o eth0 -p udp --dport 123 -j ACCEPT
iptables -I FORWARD 4 -s 10.100.10.18 -o eth0 -j DROP
Hi Martineau, thanks for your IPCamsBlock.sh script as it is working perfectly to block my IP cameras from outbound connections. I'm trying to tweak it to allow my two NVRs to send out email alerts for IVS triggers. I'm hoping to piggyback on to this thread but can start a new thread if needed.
I'm a beginner with iptables and need advice on properly allowing two NVRs to send out emails to an SMTP server. I looked at the iptables HOWTO and am not clear on the best/safest rule to append to the IPCamsBlock script. Thanks.
SMTP server = smtp.acme.net
SMTP server port = 587
NVR#1 ip addr = 192.168.5.100
NVR#2 ip addr = 192.168.5.101
My initial stab at FW rules:

Code:
iptables -A INPUT -i eth0 -p tcp --dport 587 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 587 -m state --state ESTABLISHED -j ACCEPT
Do I also need the DNS query rules below, like I've seen in some online examples?

Code:
iptables -A INPUT -p udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
If you wish to allow SMTP from the two specific LAN devices, 192.168.5.100 and 192.168.5.101, then the following should be added (where NTP port 123 is processed in the script):

Code:
Firewall $ACTION FORWARD $FWRULENO -s 192.168.5.100/31 -d smtp.acme.net -o $(nvram get wan0_ifname) -p tcp -m tcp --dport 587 -j ACCEPT

NOTE: 192.168.5.100/31 is shorthand CIDR format, since the two IP addresses are in a contiguous/consecutive range that can be covered by a single rule, but two individual rules may be clearer:

Code:
Firewall $ACTION FORWARD $FWRULENO -s 192.168.5.100 -d smtp.acme.net -o $(nvram get wan0_ifname) -p tcp -m tcp --dport 587 -j ACCEPT
Firewall $ACTION FORWARD $FWRULENO -s 192.168.5.101 -d smtp.acme.net -o $(nvram get wan0_ifname) -p tcp -m tcp --dport 587 -j ACCEPT

Thank you for the firewall rules. I'll give the two individual rules a try, as that allows granularity to enable/disable email per NVR and is probably easier to visualize as a newbie.
The SMTP firewall rules don't seem to be allowing the NVR to send out emails to the SMTP server. I'll play with it some more in the next couple of days.
If you have a PPPoE connection then sadly the rules won't work, as the NVRAM variable wan0_ifname will not resolve to your pppX interface, so you should remove the directive '-o $(nvram get wan0_ifname)'.

If you still have problems, then you will need to provide the output of

Code:
iptables -nvL FORWARD --line -t filter

having obfuscated your WAN IP etc.

Thanks for that tip. My SMTP rule is working now! Additionally, my NTP syncs now work as well, and I was wondering why my cameras were starting to shift from the timestamp on the NVR. I replaced the "vlan201" from that variable with "ppp0". The rule below works, so I'm not planning to tweak it unless there is a better or more secure suggestion. Cheers.

Code:
Firewall $ACTION FORWARD $FWRULENO -s 192.168.5.100 -d smtp.acme.net -o ppp0 -p tcp -m state --state NEW,ESTABLISHED --dport 587 -j ACCEPT

I guess this means I will have to do a find and replace on all the '$(nvram get wan0_ifname)' with my real 'ppp0' in your IPCamsBlock.sh script, right? I see some are '-i' and some are '-o' with that variable name.

Code:
WAN_IF=$(Get_WAN_IF_Name)
Firewall $ACTION FORWARD $FWRULENO -o $WAN_IF .............. etc.
Code:
nslookup smtp.gmail.com

Result:

Code:
Address 1: 2a00:1450:4013:c00::6d
Address 2: 108.177.119.108
Address 3: 108.177.119.109

So you just add the IP instead of the domain.

Problem is that Google changes its SMTP server IP addresses regularly. Yesterday, when I did an nslookup on smtp.gmail.com it resolved to 173.194.197.108. I used that and things worked great. Then today, the cameras stopped sending mail. Checked nslookup on smtp.gmail.com today and it resolved to 74.125.126.108. So, this method only works until Google changes the SMTP server IP address.
Code:
ipset create Gmail_smtp hash:ip
echo ipset=/smtp.gmail.com/Gmail_smtp >> /jffs/configs/dnsmasq.conf.add
service restart_dnsmasq
nslookup smtp.gmail.com
ipset list Gmail_smtp

Code:
Firewall $ACTION $CHAIN $FWRULENO -i br0 -o $WAN_IF -m set --match-set Gmail_smtp dst -j ACCEPT
I saw a similar topic in another thread. The other methods people mentioned are using Skynet, AB-Solution and iptables. I have limited knowledge of scripting.

You can see this website for reference:
https://unix.stackexchange.com/ques...ic-only-from-a-domain-with-dynamic-ip-address

Thinking along these lines, you need to set a schedule to update the iptables at an interval. Modify the script accordingly.
Not me asking the question. I am also learning.

I noticed in your signature that you are running Skynet. It has the feature to block by domain name. Here are the steps:

Code:
Select Menu Option:
[1] --> Unban
[2] --> Ban
[3] --> Banmalware
[4] --> Whitelist
[5] --> Import IP List
[6] --> Deport IP List
[7] --> Save
[8] --> Restart Skynet
[9] --> Temporarily Disable Skynet
[10] --> Update Skynet
[11] --> Debug Options
[12] --> Stats
[13] --> Install Skynet / Change Boot Options
[14] --> Uninstall
[r] --> Reload Menu
[e] --> Exit Menu
[1-14]: 2
What Type Of Input Would You Like To Ban:
[1] --> IP
[2] --> Range
[3] --> Domain
[4] --> Country
[1-4]: 3
Input Domain To Ban: smtp.gmail.com
[URL]:

Some mentioned using the blacklist feature of AB-Solution to block by domain names.

For one domain, you can try using an iptables command:

Code:
iptables -A INPUT -p tcp -m tcp -d smtp.gmail.com -j DROP

You can place it in firewall-start to survive a reboot. If you want to only drop the connection to smtp.gmail.com when the source is the camera, you will have to add the source IP address of the client to the iptables command:

Code:
iptables -A INPUT -p tcp -m tcp -s xxx.xxx.xxx.xxx -d smtp.gmail.com -j DROP
@Martineau, how do I save the ipset list and restore it after a reboot? Can I save a copy on a USB drive or in jffs?
Code:
DIR="my_directory_path"
ipset save Gmail_smtp > /tmp/mnt/$DIR/Gmail_smtp.config

Code:
DIR="my_directory_path"
ipset restore -f /tmp/mnt/$DIR/Gmail_smtp.config
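The ipset/dnsmasq approach from Martineau's earlier post and the save/restore answer just above, combined into one sh script. This is an added example, not Martineau's script or anything posted in the thread. It makes the dnsmasq directive idempotent (a bare `echo >>` appends a duplicate line every time it runs), seeds the set from the last save before the first DNS lookup after boot, restarts dnsmasq only when the config actually changed, and saves atomically. Assumed: Asuswrt-Merlin's /jffs/configs/dnsmasq.conf.add, firewall-start and cru, and the hypothetical USB directory name my_directory_path from the post.

```shell
#!/bin/sh
# Added example (not Martineau's or the thread's own code): a domain-backed ipset
# that dnsmasq fills as clients resolve the name, made idempotent and persisted
# across reboots. Paths follow the thread; the directory name is hypothetical.

SET_NAME=${SET_NAME:-Gmail_smtp}
DOMAIN=${DOMAIN:-smtp.gmail.com}
DNSMASQ_ADD=${DNSMASQ_ADD:-/jffs/configs/dnsmasq.conf.add}
SAVE_FILE=${SAVE_FILE:-/tmp/mnt/my_directory_path/$SET_NAME.config}

# dnsmasq directive that adds every answer for DOMAIN ($2) to SET ($1).
dnsmasq_line() {
    printf 'ipset=/%s/%s\n' "$2" "$1"
}

# True when the directive for SET ($2) / DOMAIN ($3) is already in FILE ($1).
has_dnsmasq_line() {
    [ -f "$1" ] && grep -qxF "$(dnsmasq_line "$2" "$3")" "$1"
}

# Append the directive only once, so repeated runs from firewall-start do not
# pile up duplicate lines the way a bare 'echo >>' does.
ensure_dnsmasq_line() {
    has_dnsmasq_line "$1" "$2" "$3" && return 0
    dnsmasq_line "$2" "$3" >> "$1"
}

# Create the set if missing (hash:ip, as in the thread).
ensure_ipset() {
    ipset list "$1" >/dev/null 2>&1 || ipset create "$1" hash:ip
}

# Reload the last saved entries so the match-set rule works before the first
# lookup after boot. -exist tolerates the set that ensure_ipset already created.
restore_ipset() {
    [ -s "$2" ] || return 0
    ipset -exist restore < "$2"
}

# Atomic save: write to a temp file, then rename over the previous copy.
save_ipset() {
    ipset save "$1" > "$2.tmp" && mv "$2.tmp" "$2"
}

# FORWARD rule spec letting br0 clients reach whatever is in SET ($1) via WAN_IF ($2);
# plug it into the script's Firewall helper or 'iptables -I FORWARD <n>'.
match_set_rule_spec() {
    printf '%s\n' "-i br0 -o $2 -m set --match-set $1 dst -j ACCEPT"
}

# Boot-time sequence: set, saved entries, dnsmasq directive (restart only on a
# change), then one lookup so the set is populated right away.
setup_domain_set() {
    ensure_ipset "$SET_NAME"
    restore_ipset "$SET_NAME" "$SAVE_FILE"
    if ! has_dnsmasq_line "$DNSMASQ_ADD" "$SET_NAME" "$DOMAIN"; then
        ensure_dnsmasq_line "$DNSMASQ_ADD" "$SET_NAME" "$DOMAIN"
        service restart_dnsmasq
    fi
    nslookup "$DOMAIN" >/dev/null 2>&1 || true
}

# Dispatch only when called with an argument (sourcing the file defines the functions).
#   firewall-start:  /jffs/scripts/ipset-persist.sh setup
#   hourly save:     cru a SaveGmailSet "0 * * * * /jffs/scripts/ipset-persist.sh save"
if [ $# -gt 0 ]; then
    case "$1" in
        setup) setup_domain_set ;;
        save)  save_ipset "$SET_NAME" "$SAVE_FILE" ;;
        rule)  match_set_rule_spec "$SET_NAME" "${2:-eth0}" ;;
        *)     echo "usage: $0 setup|save|rule [wan_if]" >&2; exit 2 ;;
    esac
fi
```

One caveat worth keeping in mind with this technique: dnsmasq only adds addresses it has itself answered, so a camera or NVR configured with a public resolver (8.8.8.8 etc.) never populates the set and the ACCEPT rule matches nothing for it. Point those devices at the router for DNS, or the set stays empty.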