
How to block ip camera from accessing the internet

jtl0101

New Around Here
Hello, I have an IP camera with some shady software on it. Replacing the camera and system is out of the budget right now, so I want to prevent the camera from accessing the internet by using router features.

I have the latest asuswrt build (Dec 24 2015 I think) and, using the Network Service Filter, I put each camera and the NVR IPs as the source IP addresses, set the destination port range to 80, and for protocol I set a rule for TCP and UDP. But I notice that I can still access the internet from a device using ping (ICMP protocol, which there is not a setting for). I'm no expert on hacking via the web, so the fact that a device can reach the web via ping but not WWW lets me know I probably need to do a lot more to achieve my goal.

How can I use the asuswrt-merlin software to make sure a device with shady software can't be accessed via the WWW, and can't access the WWW? I have the Asus RT-AC66U.
 
Hi jtl,
I am in your same situation!
I also used Network Service Filter, but I set the ">1" value in both the source and destination fields to close all ports.
Unfortunately, it doesn't work, because apparently the camera can reach the web.
The only solution now is blocking internet access to the camera in the "client menu" on the main page. But unfortunately, in this way you can reach the camera only by LAN but NOT by VPN.
 
Hopefully someone can point us in the right direction. I have done all I can do with the camera software. Now that I know the back doors are wide open on their software, I'm only trying to lock the camera out from the internet using router features. I know the quick solution is to put the NVR and camera on their own separate network router with no WAN access, but I'd like to avoid that if possible by learning some software/hardware tricks.
 
What happens if you enable the parental options and add the camera in there?
 
What if you remove the default gateway? The camera will not be able to access the internet without a default gateway.
 
Thanks for the tip. I'm not sure how, but my camera auto-populates the default gateway. Adding it to parental controls blocked ping UDP/TCP/ICMP.
 
If you completely block the NVR from accessing the Internet, it won't be able to synchronize its clock via NTP. This means your video streams won't show an accurate timestamp. So you might want to not block UDP port 123.

Most NVR units have an internal network for the cameras that you cannot access directly. However, if you get a root shell on the NVR (via the Console port) then you might be able to login via telnet to the camera. If you are able to get a root shell on the camera itself, you will probably see that the camera cannot access the Internet because the NVR does not allow it. Of course, I could be wrong. What is the camera model? Try Google search for the root or admin password. Or, you might be able to download a firmware update for the camera, unpack it and look for the root password.
 

Thanks for the info. The cameras all have different version info stamped on their boxes, and the system info in the firmware conflicts with what is stamped on the box. They are sold by GW Security/CCTV (money poorly spent). All manufacturing information has been removed from the cameras; there are no firmware updates available for the cameras or the NVR they sell. The device ID cloud on each camera is configured to a specific address on seetong.com, which might give leads to some info about who's behind the manufacturing of the camera.

I'm no longer doing internal configs on this camera system as it's been a waste of time (one of the cameras switched protocols from ONVIF to HBGK yesterday; recently, on a system that was set up to record over the oldest save, I also lost all recordings due to a HDD error... the system said it was recording, I tried to view the recording and got an error message, rebooted the system and got a HDD error message, had to format the drive to get access to it again, and the list goes on the further I go back in time on a system less than 6 months old). My main goal was to secure the system from WAN access for security reasons and save $$ for another system that I can use with open source software... preferably the whole thing manageable with Linux.
 
If you want to block it, add this to the /jffs/configs/firewall-start

iptables -I FORWARD 1 -s 10.100.1.16 -o eth0 -p udp --dport 123 -j ACCEPT
iptables -I FORWARD 2 -s 10.100.1.16 -o eth0 -j DROP

Change the above to the IP of your camera. You may also want to disable UPnP unless you really, really need it for something. If you do, then you'll need to add another explicit block for the inbound to that device in the event it sets up a forward with UPnP.
 
Thx Calisro.

My cameras were set up with static IPs.
I have disabled UPnP both in the camera settings and in the router.
I would like to block ALL camera outbound traffic on the WAN, but I wish I could reach the camera over VPN.
I thought that this could be done with Firewall - Packet Filter, but it does not work.

The iptables commands above only block outbound traffic from the camera. It should be reachable via the VPN.
 
Hi, I had the same problem with 4 DLINK cameras and the same solution: parental control for 4 IPs but... just add a trick. You can use the app "ASUS Router" to switch the parental control on/off, and your cameras will serve you ;)

https://itunes.apple.com/us/app/asus-router/id1033794044?mt=8

 
So port 123 remains open, right?
I would close all ports.

Other question: as for UDP, should I do the same for TCP?

I kept 123 open for NTP. I'd bet your camera requires it as stated above. These things usually don't have batteries to store the time so it needs network time. If you really do not want that, then just remove that line.

iptables -I FORWARD 1 -s 10.100.1.16 -o eth0 -p udp --dport 123 -j ACCEPT
iptables -I FORWARD 2 -s 10.100.1.16 -o eth0 -j DROP

All these do is block any packets except udp:123 outbound to the internet (across interface eth0). Notice that I am not blocking inbound, but as long as you have UPnP OFF and you do not have any explicit port forwards, that is blocked by default.

VPN goes over tun interfaces so is not blocked.
 
Sorry if I answer only now.

Calisro, I tried to do as you told me, but it does not work:

- First I created firewall-start as below:

admin@NetworkDrive:/jffs/configs# cat firewall-start
iptables -I FORWARD 1 -s 192.168.2.101 -o eth0 -j DROP
iptables -I FORWARD 2 -s 192.168.2.102 -o eth0 -j DROP
iptables -I FORWARD 3 -s 192.168.2.103 -o eth0 -j DROP
iptables -I FORWARD 4 -s 192.168.2.104 -o eth0 -j DROP

- Then I enabled "JFFS custom scripts and configs" on router (RT-AC68U with 380.57)
- Finally I rebooted

After restarting, the router crashed and I had to turn it off and on again.

When it finally started, I assigned the IP 192.168.2.101 to a PC and the browser reached the internet.

What am I doing wrong?

 
firewall-start is a script... it needs the shebang as the first line:

#!/bin/sh

EDIT: and it needs to be placed in /jffs/scripts not /jffs/configs
 
Thx john.

Here are the changes I made:

admin@NetworkDrive:/jffs/scripts# cat firewall-start
#!/bin/sh
iptables -I FORWARD 1 -s 192.168.2.101 -o eth0 -j DROP
iptables -I FORWARD 2 -s 192.168.2.102 -o eth0 -j DROP
iptables -I FORWARD 3 -s 192.168.2.103 -o eth0 -j DROP
iptables -I FORWARD 4 -s 192.168.2.104 -o eth0 -j DROP

A question: do I have to do this?
chmod a+rx /jffs/scripts/firewall-start

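A complete version of the firewall-start procedure discussed in this thread, as an added example that is not code from Calisro, john or the asuswrt-merlin project: it generates Calisro's outbound-DROP-plus-NTP rules (and the inbound block he mentions for the UPnP case) for several camera IPs, then checks the script for the shebang, location and chmod points raised in the replies. The camera addresses are constructed samples, and eth0 is assumed to be the WAN interface as in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: builds the /jffs/scripts/firewall-start
# script Calisro describes, for several cameras, and checks it the way john's
# reply requires (shebang on line 1, placed in /jffs/scripts, executable).
# Camera addresses are constructed samples; the WAN interface name is assumed.
CAMERAS="192.168.2.101 192.168.2.102"
WAN_IF="eth0"

# Emit one FORWARD rule, guarded with -C so that re-running firewall-start
# (it runs on every firewall restart) does not stack duplicate rules.
fw_rule() {
    printf 'iptables -C FORWARD %s 2>/dev/null || iptables -I FORWARD 1 %s\n' "$1" "$1"
}

# Write the complete script text to stdout.
gen_firewall_start() {
    echo '#!/bin/sh'
    for ip in $CAMERAS; do
        # Every rule is inserted at position 1, so the DROP is emitted first
        # and the NTP ACCEPT ends up above it, as in Calisro's two lines.
        fw_rule "-s $ip -o $WAN_IF -j DROP"
        fw_rule "-s $ip -o $WAN_IF -p udp --dport 123 -j ACCEPT"
        # Inbound: drop NEW connections from the WAN to the camera, which also
        # defeats a UPnP port forward; replies to the camera's own NTP queries
        # are not NEW, so they still pass. VPN traffic arrives on tun, not
        # $WAN_IF, so none of these rules touch it.
        fw_rule "-i $WAN_IF -d $ip -m state --state NEW -j DROP"
    done
}

# The three mistakes/questions raised in the thread: missing shebang,
# wrong directory, and whether chmod a+rx is needed (it is).
check_firewall_start() {
    path="$1"
    [ "$(head -n 1 "$path")" = '#!/bin/sh' ] || { echo "no shebang on line 1"; return 1; }
    case "$path" in
        */jffs/scripts/firewall-start) ;;
        *) echo "wrong location, must be /jffs/scripts/firewall-start"; return 1 ;;
    esac
    [ -x "$path" ] || { echo "not executable: chmod a+rx $path"; return 1; }
    return 0
}

# On the router:
#   gen_firewall_start > /jffs/scripts/firewall-start
#   chmod a+rx /jffs/scripts/firewall-start
#   check_firewall_start /jffs/scripts/firewall-start && service restart_firewall
```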
 