How to block ip camera from accessing the internet

A question: do I have to do this?
chmod a+rx /jffs/scripts/firewall-start
Yes....it must be marked executable

EDIT: Also, since I'm not sure how you created the file....run

dos2unix /jffs/scripts/firewall-start
 
A question: I see that the browsers of PCs that are not locked often refresh the page.

For example, if you are on the configuration page of the Asus router, afterwards it just logs out and asks me to authenticate again.
 
I'm not sure I fully understand your question.....but there is an inactivity timeout that is set for the router GUI.
If I remember correctly it's on the Administration>System page.

PS - Glad you have your script working :)
 
How can I block any IP cam access from the web (WAN) in the ASUS router UI settings, while allowing the cam to check only a certain time server on the web but not serve any data, and at the same time allow access to the cam from the LAN and receive the video stream from its integrated server on any PC on the LAN?
 
You'll probably want to set up a Network Services Filter under the Firewall settings to only allow NTP traffic.
 
We access the internet from PCs via the same router. For what IP should I set up such a filter - only for the IP cam? And block everything else in both directions? I don't see separate filter choices for WAN and LAN traffic in my router's Firewall settings. Are they in different UI windows?
 
You boys are overcomplicating this a bit, aren't you?

For any client you don't want internet access for...

Click on network map on the left under general
Click on the Client icon on the right for the specific client
Click on block internet access
Click Apply

Or

Set up the camera with a static IP address and leave the default gateway blank - make sure you create reservations for these or change the DHCP scope so it does not overlap

Set up your cameras to point to an internal NTP server
 
You've made the assumption that the NTP server the camera uses can be changed and there is an available internal NTP server.
 
I have 5 different brands of IP cameras and they all have an NTP field.... Also I don't rely on the cameras to provide the timestamp, my Blue Iris server does that.
 
We access the internet from PCs via the same router. For what IP should I set up such a filter - only for the IP cam? And block everything else in both directions? I don't see separate filter choices for WAN and LAN traffic in my router's Firewall settings. Are they in different UI windows?

Actually you'd be better off doing it via the firewall-start script. Refer back to post #10 and read through for setting things up correctly.
 
Yeah, my "SmartCam" doesn't use an NTP server but its time gets updated from the app on connection.
 
Hello, I have an IP camera with some shady software on it. Replacing the camera and system is out of the budget right now, so I want to prevent the camera from accessing the internet by using router features.

I have the latest asuswrt build (Dec 24 2015 I think) and, using the Network Service Filter, I put each camera's and the NVR's IPs as the source IP addresses and set the destination port range to 80, and for protocol I set a rule for TCP and UDP. But I notice that I can still access the internet from a device using ping (ICMP protocol, which there is not a setting for). I'm no expert on hacking via the web, so the fact that a device can reach the web via ping but not www lets me know I probably need to do a lot more to achieve my goal.

How can I use the asuswrt-merlin software to make sure a device with shady software can't be accessed via the WWW, and can't access the WWW? I have the Asus RT-AC66U.
Hi,
Usually by default the router has restricted access on your camera. The camera uses a special IP port. Usually it is different from the HTTP one, 80. So most probably you should not worry that your camera is accessed through the internet, only through the intranet. However, in order to check it you can do one thing. Find out your IP address. You can google how to find your IP address. It should not start with 192.168.... <- this IP has local visibility only. Also, once you have found your IP, you can try accessing your cam by (your_ip:your_port). If it is accessible, then turn on your firewall on the router. In order to restrict the specific IP, go to your router address in the browser and, in the menu in settings, disallow the port the camera uses. Below are examples of cameras which are exposed, and you can click on the cam to see the settings / check the cam:
http://www.viralcameras.com/0/posts...y-online-camera-nigde-watch-cam-defeway-.html

So, if you want to be sure your camera is not accessible from outside, you have 2 options:
1) set up your router properly
2) do not connect your camera to the internet at all.
 
Sorry to join an old thread; however, I am trying to achieve the same thing on my RT-AC68U 380.66.4.

I can confirm my script is executing in the system log; however, the traffic on the IPs is not getting blocked.

Can someone advise if I have something wrong or some syntax has changed since this post?

#!/bin/sh
iptables -I FORWARD 1 -s 191.128.1.99 -o eth0 -p udp --dport 123 -j ACCEPT
iptables -I FORWARD 2 -s 191.128.1.99 -o eth0 -j DROP
iptables -I FORWARD 3 -s 191.128.1.42 -o eth0 -p udp --dport 123 -j ACCEPT
iptables -I FORWARD 4 -s 191.128.1.42 -o eth0 -j DROP
iptables -I FORWARD 5 -s 191.128.1.60 -o eth0 -p udp --dport 123 -j ACCEPT
iptables -I FORWARD 6 -s 191.128.1.60 -o eth0 -j DROP
iptables -I FORWARD 6 -s 191.128.1.200 -o eth0 -j DROP
echo "*" >>/tmp/000firewall-start
 
Those seem to be public, not private, IP addresses; you'd better double-check them.
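
The check suggested in the reply above can be automated before any rule is loaded. This is an added example, not code from the thread or from asuswrt-merlin: a dry-run generator that prints the same per-camera NTP-allow and DROP rules as the posted script, but refuses source addresses that are not RFC 1918 LAN addresses. The function names, the `WAN_IF` variable and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). WAN_IF is an assumption: set it to
# the router's real WAN interface before using the printed rules.
WAN_IF="${WAN_IF:-eth0}"

# Return 0 only if $1 is a well-formed RFC 1918 IPv4 address.
is_private_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;   # stray characters or empty octets
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                               # split the address into octets
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    [ "$1" -eq 10 ] && return 0
    [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 0
    [ "$1" -eq 192 ] && [ "$2" -eq 168 ] && return 0
    return 1
}

# Print (do not run) the rules for one camera. -I without a position inserts
# at the top of FORWARD, so the DROP is printed first and the NTP ACCEPT,
# inserted afterwards, ends up above it.
camera_rules() {
    if ! is_private_ipv4 "$1"; then
        echo "skip $1: not an RFC 1918 LAN address" >&2
        return 1
    fi
    echo "iptables -I FORWARD -s $1 -o $WAN_IF -j DROP"
    echo "iptables -I FORWARD -s $1 -o $WAN_IF -p udp --dport 123 -j ACCEPT"
}

# Print rules for every address given; return 1 if any address was rejected.
build_ruleset() {
    rc=0
    for ip in "$@"; do
        camera_rules "$ip" || rc=1
    done
    return "$rc"
}

# Constructed sample: one valid LAN address and the 191.128.x.x form from the post.
build_ruleset 192.168.1.99 191.128.1.99 || true
```

Review the printed rules, then place them in /jffs/scripts/firewall-start once every camera address passes the check.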
 
You may only want to restrict unsolicited outbound traffic from the cameras via the WAN whilst still retaining the ability to view the cameras (inbound) via the OpenVPN servers?

Code:
iptables -I FORWARD -s xxx.xxx.xxx.xxx -i br0 ! -o tun2+ -j DROP

or if the cameras are in a contiguous I/P range
Code:
iptables -I FORWARD -m iprange --src-range xxx.xxx.xxx.xxx-xxx.xxx.xxx.xxx -i br0 ! -o tun2+ -j DROP

I posted a script that allows you to specify the I/P addresses in a config file and allows you to quickly add/delete the blocking or check on the status of the rules etc.

Code:
./IPCamsBlock.sh status

(IPCamsBlock.sh): 28121 v1.01 I/P Cameras Firewall blocking.... status
num   pkts bytes target     prot opt in     out     source               destination      
1      884 67184 ACCEPT     udp  --  br0    eth0    0.0.0.0/0            0.0.0.0/0            udp dpt:123
2      546 32760 DROP       all  --  br0    !tun2+  10.88.8.120          0.0.0.0/0        
3        0     0 DROP       all  --  br0    !tun2+  10.88.8.121          0.0.0.0/0        
4        0     0 DROP       all  --  br0    !tun2+  10.88.8.122          0.0.0.0/0        
5     7561 1961K DROP       all  --  br0    !tun2+  10.88.8.123          0.0.0.0/0        
6        0     0 DROP       all  --  br0    !tun2+  10.88.8.124          0.0.0.0/0        
7     1177 71221 DROP       all  --  br0    !tun2+  10.88.8.125          0.0.0.0/0        
(IPCamsBlock.sh): 28121 I/P Cameras Firewall blocking status request completed.

https://www.snbforums.com/threads/h...outbound-connections.38086/page-2#post-314785
 