Help Please..Need assistance stopping outbound connections!

[Martineau]

Can you publish the latest version (with add for enabled UPnP) ?

v1.03 posted (339 lines! )
https://www.snbforums.com/threads/h...outbound-connections.38086/page-2#post-314785

 

[Goran]

v1.03 posted (339 lines! )

Working great.
Tnx.

 

[vivithemage]

However, if you still wish to modify IPCamsBlock.sh to allow the home IP Cameras to be viewed remotely via either a secure VPN or Port Forward WAN connection, then modify the existing firewall rule creation code as follows:

Firewall $ACTION FORWARD -s $CAMERA -i br0 ! -o tun2+ -j DROP

change to

Firewall $ACTION FORWARD -s $CAMERA -i br0 -o $(nvram get wan0_ifname) -m state --state NEW -j DROP
Firewall $ACTION FORWARD -s $CAMERA -i br0 -o tun2+ -j ACCEPT

The two rules should now explicitly block the IP camera from initiating a new outbound WAN session (but implicitly allow outbound WAN IP camera traffic in response to an initiated inbound request via any Port Forward) and still allow outbound IP camera traffic via either of the VPN servers.

Hi Martineau, thanks for all your help, i've seen you post on a few forums, linking back here, so i'll reply here .

I have these 4 rules in my tomatoUSB firewall script, and they automatically kick it in every boot, which is nice.

iptables -I FORWARD 1 -s 10.100.10.17 -o eth0 -p udp --dport 123 -j ACCEPT
iptables -I FORWARD 2 -s 10.100.10.17 -o eth0 -j DROP
iptables -I FORWARD 3 -s 10.100.10.18 -o eth0 -p udp --dport 123 -j ACCEPT
iptables -I FORWARD 4 -s 10.100.10.18 -o eth0 -j DROP

The testing I have done, my openVPN (setup to connect on the router), allows me to access my cameras. As far as I can tell, my NTP works on my FDT cameras to a DNS NTP server on the internet. Are you sure those two forwards are needed? I just want to make sure I am not missing anything.

 

[pilot04]

v1.03 posted (339 lines! )
https://www.snbforums.com/threads/h...outbound-connections.38086/page-2#post-314785

Hi Martineau, thanks for your IPCamsBlock.sh script as it is working perfectly to block my IP cameras from outbound connections. I'm trying to tweak it to allow my two NVRs to send out email alerts for IVS triggers. I'm hoping to piggyback on to this thread but can start a new thread if needed.

I'm a beginner with iptables and need advice on properly allowing two NVRs to send out emails to a SMTP server. I looked at iptables howto and not clear on best safest rule to append to IPCamsBlock script. Thanks.

SMTP server = smtp.acme.net
SMTP server port = 587
NVR#1 ip addr = 192.168.5.100
NVR#2 ip addr = 192.168.5.101

My initial stab at FW rule
iptables -A INPUT -i eth0 -p tcp --dport 587 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 587 -m state --state ESTABLISHED -j ACCEPT

Do I also need DNS query below like I've seen in some online examples?
iptables -A INPUT -p udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

 

[Martineau]

Hi Martineau, thanks for your IPCamsBlock.sh script as it is working perfectly to block my IP cameras from outbound connections. I'm trying to tweak it to allow my two NVRs to send out email alerts for IVS triggers. I'm hoping to piggyback on to this thread but can start a new thread if needed.

I'm a beginner with iptables and need advice on properly allowing two NVRs to send out emails to a SMTP server. I looked at iptables howto and not clear on best safest rule to append to IPCamsBlock script. Thanks.

SMTP server = smtp.acme.net
SMTP server port = 587
NVR#1 ip addr = 192.168.5.100
NVR#2 ip addr = 192.168.5.101

My initial stab at FW rule
iptables -A INPUT -i eth0 -p tcp --dport 587 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 587 -m state --state ESTABLISHED -j ACCEPT

Do I also need DNS query below like I've seen in some online examples?
iptables -A INPUT -p udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

If you wish to allow SMTP from the two specific LAN devices, 192.168.5.100 and 192.168.5.101 then the following should be added (where NTP port 123 is processed in the script)

Firewall $ACTION  FORWARD $FWRULENO -s 192.168.5.100/31 -d smtp.acme.net -o $(nvram get wan0_ifname) -p tcp -m tcp --dport 587 -j ACCEPT

NOTE: 192.168.5.100/31 is shorthand CIDR format, since the two IP addresses are in a contiguous/consecutive range that can be covered by a single rule but two individual rules may be clearer

Firewall $ACTION  FORWARD $FWRULENO -s 192.168.5.101 -d smtp.acme.net -o $(nvram get wan0_ifname) -p tcp -m tcp --dport 587 -j ACCEPT
Firewall $ACTION  FORWARD $FWRULENO -s 192.168.5.100 -d smtp.acme.net -o $(nvram get wan0_ifname) -p tcp -m tcp --dport 587 -j ACCEPT

 

[pilot04]

If you wish to allow SMTP from the two specific LAN devices, 192.168.5.100 and 192.168.5.101 then the following should be added (where NTP port 123 is processed in the script)

Firewall $ACTION  FORWARD $FWRULENO -s 192.168.5.100/31 -d smtp.acme.net -o $(nvram get wan0_ifname) -p tcp -m tcp --dport 587 -j ACCEPT

NOTE: 192.168.5.100/31 is shorthand CIDR format, since the two IP addresses are in a contiguous/consecutive range that can be covered by a single rule but two individual rules may be clearer

Firewall $ACTION  FORWARD $FWRULENO -s 192.168.5.101 -d smtp.acme.net -o $(nvram get wan0_ifname) -p tcp -m tcp --dport 587 -j ACCEPT
Firewall $ACTION  FORWARD $FWRULENO -s 192.168.5.100 -d smtp.acme.net -o $(nvram get wan0_ifname) -p tcp -m tcp --dport 587 -j ACCEPT

Thank you for the firewall rules. I'll give the two individual rules a try as that allows granularity to enable/disable email per NVR and probably easier to visualize as a newbie.

 

[pilot04]

The SMTP firewall rules doesn't seem to be allowing the NVR to send out emails to the SMTP server. I'll play with it some more in the next couple of days.

 

[Martineau]

The SMTP firewall rules doesn't seem to be allowing the NVR to send out emails to the SMTP server. I'll play with it some more in the next couple of days.

If you have a PPPoE connection then sadly the rules won't work , as the NVRAM variable wan0_ifname will not resolve to your pppX interface, so you should remove the directive '-o $(nvram get wan0_ifname) '

If you still have problems, then you will need to provide the output of

iptables -nvL FORWARD --line -t filter

having obfuscated your WAN IP etc.

 

[pilot04]

If you have a PPoE connection then sadly the rules won't work , as the NVRAM variable wan0_ifname will not resolve to your pppX interface, so you should remove the directive '-o $(nvram get wan0_ifname) '

If you still have problems, then you will need to provide the output of

iptables -nvL FORWARD --line -t filter

having obfuscated your WAN IP etc.

Thanks for that tip. My SMTP rule is working now! Additionally, now my NTP syncs also work as well and was wondering why my cameras were starting to shift from timestamp on NVR I replaced with "ppp0" instead of the "vlan201" from that variable. The rule below works so I'm not planning to tweak it unless there is a better or more secure suggestion. Cheers.

Firewall $ACTION  FORWARD $FWRULENO -s 192.168.5.100 -d smtp.acme.net -o ppp0 -p tcp -m state --state NEW,ESTABLISHED --dport 587 -j ACCEPT

 

[pilot04]

If you have a PPoE connection then sadly the rules won't work , as the NVRAM variable wan0_ifname will not resolve to your pppX interface, so you should remove the directive '-o $(nvram get wan0_ifname) '

I guess this means I will have to do a find and replace on all the '$(nvram get wan0_ifname) ' with my real 'ppp0' in your IPCamsBlock.sh script right? I see some are '-i' and some are '-o' with that variable name.

 

[Martineau]

I guess this means I will have to do a find and replace on all the '$(nvram get wan0_ifname) ' with my real 'ppp0' in your IPCamsBlock.sh script right?

Apologies...Yes.

Sadly it is all to easy to forget that I need to update legacy scripts I have previously posted that still use the NVRAM 'wan0_ifname' variable which isn't valid for PPPoE WAN connections.

Consequently I have now updated the script; v1.04 now uses a function to identify the true WAN interface :

WAN_IF=$(Get_WAN_IF_Name)

and I now use this local variable in the iptables rules
e.g.

Firewall $ACTION FORWARD $FWRULENO -o $WAN_IF .............. etc.

 

[pilot04]

Martineau, no apologies needed and thanks for updating the IPCamsBlock script to properly handle PPPoE WAN connections. I'll download the v1.04 script and use that instead of manually find and replace to hardcode in my pppX in the existing script. Cheers!

 

[Krvicch]

If you wish to allow SMTP from the two specific LAN devices, 192.168.5.100 and 192.168.5.101 then the following should be added (where NTP port 123 is processed in the script)

Firewall $ACTION  FORWARD $FWRULENO -s 192.168.5.100/31 -d smtp.acme.net -o $(nvram get wan0_ifname) -p tcp -m tcp --dport 587 -j ACCEPT

NOTE: 192.168.5.100/31 is shorthand CIDR format, since the two IP addresses are in a contiguous/consecutive range that can be covered by a single rule but two individual rules may be clearer

Firewall $ACTION  FORWARD $FWRULENO -s 192.168.5.101 -d smtp.acme.net -o $(nvram get wan0_ifname) -p tcp -m tcp --dport 587 -j ACCEPT
Firewall $ACTION  FORWARD $FWRULENO -s 192.168.5.100 -d smtp.acme.net -o $(nvram get wan0_ifname) -p tcp -m tcp --dport 587 -j ACCEPT

I would like to do the same for smtp.gmail.com. Unfortunately, the IP address associated with smtp.gmail.com changes reguarly, so this method is only effective for a day or so. Any ideas on how to allow ongoing access for smtp.gmail.com servers to my ip cameras blocked by this script?

 

[DonnyJohnny]

nslookup smtp.gmail.com
Result
Address 1: 2a00:1450:4013:c00::6d
Address 2: 108.177.119.108
Address 3: 108.177.119.109

So u just add ip instead of domain.

 

[Krvicch]

nslookup smtp.gmail.com
Result
Address 1: 2a00:1450:4013:c00::6d
Address 2: 108.177.119.108
Address 3: 108.177.119.109

So u just add ip instead of domain.

Problem is that google changes its smtp server ip addresses regularly. Yesterday, when I did a nslookup on smtp.gmail.com it resolved to 173.194.197.108. I used that and things worked great. Then today, the cameras stopped sending mail. Checked nslookup on smtp.gmail.com today and it resolved to 74.125.126.108. So, this method only works until Google changes the smtp server ip address.

 

[DonnyJohnny]

I have limited knowledge with scripting.
You can see this website site for reference .
https://unix.stackexchange.com/ques...ic-only-from-a-domain-with-dynamic-ip-address

Thinking along this line where u need to set a schedule to update the iptables at an interval. Modify the script accordingly.

 

[Martineau]

Problem is that google changes its smtp server ip addresses regularly. Yesterday, when I did a nslookup on smtp.gmail.com it resolved to 173.194.197.108. I used that and things worked great. Then today, the cameras stopped sending mail. Checked nslookup on smtp.gmail.com today and it resolved to 74.125.126.108. So, this method only works until Google changes the smtp server ip address.

You can try this IPSET technique to have the router automatically collate the dynamic list of IPs associated with the domain.

As a proof of concept, enter the following commands:

ipset create Gmail_smtp hash:ip

echo ipset=/smtp.gmail.com/Gmail_smtp >> /jffs/configs/dnsmasq.conf.add
service restart_dnsmasq

nslookup smtp.gmail.com

ipset list Gmail_smtp

IPSET 'Gmail_smtp' will now contain a 'current' list of IPs associated with domain 'smtp.gmail.com'
NOTE: This list of IPs will be lost @ Reboot unless it is appropriately saved/restored etc.

So you should now use in the script this rule

Firewall $ACTION $CHAIN $FWRULENO -i br0 -o $WAN_IF -m set --match-set Gmail_smtp dst -j ACCEPT

NOTE: Any LAN device references to 'smtp.gmail.com' will cause the IPSET to be updated. (Clearly you can also force the refresh by scheduling the 'nslookup' command say once a day although this is not normally required.)

 

[Xentrk]

I have limited knowledge with scripting.
You can see this website site for reference .
https://unix.stackexchange.com/ques...ic-only-from-a-domain-with-dynamic-ip-address

Thinking along this line where u need to set a schedule to update the iptables at an interval. Modify the script accordingly.

I saw a similar topic in another thread. The other methods people mentioned are using Skynet, AB-Solution and iptables.

I noticed in your signature that you are running Skynet. It has the feature to block by domain name. Here are the steps:

Select Menu Option:
[1]  --> Unban
[2]  --> Ban
[3]  --> Banmalware
[4]  --> Whitelist
[5]  --> Import IP List
[6]  --> Deport IP List
[7]  --> Save
[8]  --> Restart Skynet
[9]  --> Temporarily Disable Skynet
[10] --> Update Skynet
[11] --> Debug Options
[12] --> Stats
[13] --> Install Skynet / Change Boot Options
[14] --> Uninstall

[r]  --> Reload Menu
[e]  --> Exit Menu

[1-14]: 2

What Type Of Input Would You Like To Ban:
[1]  --> IP
[2]  --> Range
[3]  --> Domain
[4]  --> Country

[1-4]: 3

Input Domain To Ban: smtp.gmail.com

[URL]:

Some mentioned using the blacklist feature of AB-Solution to block by domain names.

For one domain, you can try using iptables command:

iptables -A INPUT -p tcp -m tcp -d smtp.gmail.com -j DROP

You can place it firewall-start to survive reboot. If you want to only drop the connection to smtp.gmail.com when the source is the camera, you will have to add the source ip address of the client to the iptables command.

iptables -A INPUT -p tcp -m tcp -s xxx.xxx.xxx.xxx -d smtp.gmail.com -j DROP

 

[DonnyJohnny]

I saw a similar topic in another thread. The other methods people mentioned are using Skynet, AB-Solution and iptables.

I noticed in your signature that you are running Skynet. It has the feature to block by domain name. Here are the steps:

Select Menu Option:
[1]  --> Unban
[2]  --> Ban
[3]  --> Banmalware
[4]  --> Whitelist
[5]  --> Import IP List
[6]  --> Deport IP List
[7]  --> Save
[8]  --> Restart Skynet
[9]  --> Temporarily Disable Skynet
[10] --> Update Skynet
[11] --> Debug Options
[12] --> Stats
[13] --> Install Skynet / Change Boot Options
[14] --> Uninstall

[r]  --> Reload Menu
[e]  --> Exit Menu

[1-14]: 2

What Type Of Input Would You Like To Ban:
[1]  --> IP
[2]  --> Range
[3]  --> Domain
[4]  --> Country

[1-4]: 3

Input Domain To Ban: smtp.gmail.com

[URL]:

Some mentioned using the blacklist feature of AB-Solution to block by domain names.

For one domain, you can try using iptables command:

iptables -A INPUT -p tcp -m tcp -d smtp.gmail.com -j DROP

You can place it firewall-start to survive reboot. If you want to only drop the connection to smtp.gmail.com when the source is the camera, you will have to add the source ip address of the client to the iptables command.

iptables -A INPUT -p tcp -m tcp -s xxx.xxx.xxx.xxx -d smtp.gmail.com -j DROP

Not me asking the question. I am also learning.
Think @Krvicch intention is to allow specific LAN IP to access a particular domain and drop the rest. Not block.
Martineau solution is straight forward and seems easy to apply.
@Martineau how to save the ipset list and restore after reboot? Can I save a copy in USB drive or jffs?

 

[Martineau]

@Martineau how to save the ipset list and restore after reboot? Can I save a copy in USB drive or jffs?

Yes, use cru/cron to backup the ipset

DIR="my_directory_path"
ipset save Gmail_smtp  > /tmp/mnt/$DIR/Gmail_smtp.config

...then in post-mount use

DIR="my_directory_path"
ipset restore -f  /tmp/mnt/$DIR/Gmail_smtp.config