How to block ip camera from accessing the internet

[Pedsteruk]

You may only want to restrict unsolicited outbound traffic from the cameras via the WAN whilst still retaining the ability to view the cameras (inbound) via the OpenVPN servers?

iptables -I FORWARD -s xxx.xxx.xxx.xxx -i br0 ! -o tun2+ -j DROP

Yes this is exactly what I'm after thank you. Assume I need to still add the rule sequence number after "forward" for multiple entries?

Can you explain what those switches are doing vs the original?

Does this allow the time update traffic or do I need to add that explicitly in addition? If so is the original syntax correct?

Nice one.

 

[Martineau]

Assume I need to still add the rule sequence number after "forward" for multiple entries?

No, "-I" will always insert the rule as the first, but beware the order is reversed i.e. the last insert will be the first rule in the chain so if you want a DROP/ACCEPT pair, you must insert the DROP rule first.

NOTE: Explicitly specifying the insert position (sequence) can give you more control.

Can you explain what those switches are doing vs the original?

RTFM
http://rpm.pbone.net/index.php3/stat/45/idpl/18507480/numer/8/nazwa/iptables

but the Asus uses an old 1.4.14 version of iptables so do not expect all of the features in the current Linux v1.4.21/v1.6.1 manual to be available on the router (or all of the documented full v1.4.14 Linux features either!)

P.S. My command syntax simply states:

"Any traffic from LAN (bro input interface) device xxx.xxx.xxx.xxx that is NOT (!) destined for ANY VPN server (tun2+ output interface) is DROP'd"

Does this allow the time update traffic or do I need to add that explicitly in addition?

Rather than insert an explicit NTP rule for each camera, I simply add a single ACCEPT rule at the top of the chain for any LAN (br0) device i.e. physically the last rule executed:

iptables -I FORWARD -i br0 -o $(nvram get wan0_ifname) -p udp -m udp --dport 123 -j ACCEPT

NOTE: $(nvram get wan0_ifname) simply extracts the physical name of the WAN device from NVRAM, as some configurations may not necessarily be using 'eth0' i.e. ppp0/vlan2 etc.

 

[Pedsteruk]

Great that syntax makes sense. Last question and something I should have been clear on in my original post.

Does this rule still allow LAN to LAN traffic?

I want the cameras to be able to talk to my NAS surveillance station and for mobile clients on the LAN to be able to connect to the cams directly.

The way you describe your rule is it will drop everything on the LAN not destined for the VPN.

 

[Martineau]

I want the cameras to be able to talk to my NAS surveillance station and for mobile clients on the LAN to be able to connect to the cams directly.

The way you describe your rule is it will drop everything on the LAN not destined for the VPN.

Does this rule still allow LAN to LAN traffic?

Devices on the LAN subnet i.e. devices attached to br0 (issue brctl show to see the interfaces) communicate via the bridge or switch, so the iptables firewall rules are only applied between exposed interfaces e.g. br0 <--> eth0/tun2+/vlans etc.

To block say a camera from accessing a LAN resource say a 'media streaming' ONLY NAS then you will need to look at ebtables rules, but by default they allow unrestricted traffic.

 

[Pedsteruk]

Awesome. Will give that a go later and update outcome.

Update - Interfaces available are vlan1, eth1, eth2, w10,1.

Rules are working thank you. Can access the Cams when on LAN or VPN but otherwise blocked.

Only thing that not quite as I would like is when on VPN the cams are not visible in their native app (Wansview) only using direct IP or ONVIF apps. It works when on the LAN and they are searchable but not when via VPN. I suspect this is because the VPN operates on a separate subnet and the way the Wansview app look for them.

Are you able to offer any advice on the VPN settings or routing rules I could tweak to allow this to work?

 

[relayer35]

This is great information. This thread is really helpful. This is exactly what I want to do, disable internet access for my IP Cameras, but be able to access them through the VPN.

I have a couple questions. First, I'm unclear how to set up the script on my router. Is there a FAQ somewhere for setting up firewall scripts?

Also, I need uPNP on my router for other reasons (it is disabled in the camera config page, but I'm not sure how much I believe that). It was mentioned an additional line would be needed if uPNP was enabled on the router. What line would that be?

Thanks

 

[Martineau]

Is there a FAQ somewhere for setting up firewall scripts?

https://github.com/RMerl/asuswrt-merlin/wiki

and I posted this for a quick tutorial using WinSCP to get the IPCamsBlock.sh script running on the router:
https://www.snbforums.com/threads/h...outbound-connections.38086/page-3#post-314828

Also, I need uPNP on my router for other reasons (it is disabled in the camera config page, but I'm not sure how much I believe that). It was mentioned an additional line would be needed if uPNP was enabled on the router. What line would that be?

You can completely disable UPnP on the 'WAN->Internet Connection' tab, I think it is usually ENABLED by default, so if it is still currently enabled, not sure what your intention is?

 

[relayer35]

https://github.com/RMerl/asuswrt-merlin/wiki

and I posted this for a quick tutorial using WinSCP to get the IPCamsBlock.sh script running on the router:
https://www.snbforums.com/threads/h...outbound-connections.38086/page-3#post-314828



You can completely disable UPnP on the 'WAN->Internet Connection' tab, I think it is usually ENABLED by default, so if it is still currently enabled, not sure what your intention is?

Thank you. I will try when I get home.

The uPNP comment was in regards to this line that was posted earlier in the thread: You may also want to disable UPNP unless you really really need it for something. If you do, then you'll need to add another explicit block for the inbound to that device in the event it sets up a forward with upnp."

I need uPNP enabled for something else, so I was wondering about the "explicit block for the inbound".

Thanks.

 

[relayer35]

Thank you. I will try when I get home.

The uPNP comment was in regards to this line that was posted earlier in the thread: You may also want to disable UPNP unless you really really need it for something. If you do, then you'll need to add another explicit block for the inbound to that device in the event it sets up a forward with upnp."

I need uPNP enabled for something else, so I was wondering about the "explicit block for the inbound".

Thanks.

Martineau - just want to say thank you for your help. Got it all set up and it all appears to be working. Thank you so much!

 

[Martineau]

Martineau - just want to say thank you for your help. Got it all set up and it all appears to be working. Thank you so much!

With regard to your previous query about a potential UPnP security breach..... unless your apps absolutely must use UPnP, my advice is to DISABLE UPnP on the router, and explicitly configure their port forwarding requirements manually ..but then again I'm not a gamer and I be no Buccaneer!- Arrr!

If configuring iptables manually, then for each camera, you will need to manually add an inbound blocking (DROP/logdrop) rule something like this

iptables -I FORWARD -d xxx.xxx.xxx.xxx -i $(nvram get wan0_ifname) -m state --state NEW -j DROP

However. if using my script, it blocks ALL outbound camera traffic via ANY interface (except the VPN servers) so I hope that even if UPnP did surreptitiously configure an inbound port forward connection to the cameras, there would be no reply outbound - at least NOT from the cameras anyway!

But security should never be left to chance, so you could modify my IPCamsBlock.sh script @LINE 184:

Firewall $ACTION FORWARD $FWRULENO -s $CAMERA -i br0 ! -o tun2+ -j $JUMP

change to

Firewall $ACTION FORWARD $FWRULENO -s $CAMERA -i br0 ! -o tun2+ -j $JUMP
   
# v01.02 The following rule is belt'n'braces to explicity ensure UPnP (if still ENABLED on router) can't start a new inbound connection
if [ "$(nvram get wan_upnp_enable)" == "1" ];then
   Firewall $ACTION FORWARD $FWRULENO -d $CAMERA -i $(nvram get wan0_ifname) -m state --state NEW -j $JUMP
fi

 

[relayer35]

With regard to your previous query about a potential UPnP security breach..... unless your apps absolutely must use UPnP, my advice is to DISABLE UPnP on the router, and explicitly configure their port forwarding requirements manually ..but then again I'm not a gamer and I be no Buccaneer!- Arrr!

If configuring iptables manually, then for each camera, you will need to manually add an inbound blocking (DROP/logdrop) rule something like this

iptables -I FORWARD -d xxx.xxx.xxx.xxx -i $(nvram get wan0_ifname) -m state --state NEW -j DROP

However. if using my script, it blocks ALL outbound camera traffic via ANY interface (except the VPN servers) so I hope that even if UPnP did surreptitiously configure an inbound port forward connection to the cameras, there would be no reply outbound - at least NOT from the cameras anyway!

But security should never be left to chance, so you could modify my IPCamsBlock.sh script @LINE 184:

Firewall $ACTION FORWARD $FWRULENO -s $CAMERA -i br0 ! -o tun2+ -j $JUMP

change to

Firewall $ACTION FORWARD $FWRULENO -s $CAMERA -i br0 ! -o tun2+ -j $JUMP
 
# v01.02 The following rule is belt'n'braces to explicity ensure UPnP (if still ENABLED on router) can't start a new inbound connection
if [ "$(nvram get wan_upnp_enable)" == "1" ];then
   Firewall $ACTION FORWARD $FWRULENO -d $CAMERA -i $(nvram get wan0_ifname) -m state --state NEW -j $JUMP
fi

Thanks you for this. I wound up disabling uPnP in the router for now, but I will keep this information in mind in case I need to re-enable it.

 

[Veky]

If you really need UPnP, you can enable it only for specific hosts.

Bottom of the config file -> https://github.com/miniupnp/miniupnp/blob/master/miniupnpd/miniupnpd.conf

 

[ispgeek]

Two things.....the concern for totally blocking the device from WAN access and NTP is unfounded....you can run your own NTP server onnet and point the camera to the device running the NTP server. Second if you have intelligent switches you could build a small VLAN and place all your cameras and NVR or PC running Blueiris or similiar on said VLAN and then have one or more PCs running in permiscuous mode which would allow it to cross over all VLANS including this one to manage your camera system. You can then still have inbound rules that allow you to access your camera system when offsite via one port only. This makes for a highly secure camera setup and totally fixes your other issue. I have 16 IP cameras with equally annoying issues which this solved. The catch is you must either have smart switches or a router with VLAN support....the Asus router does not support such which means you are totally reliant on smart switches which you should be using on any small network anyway purely because the extra 20 bucks on initial purchase cost is worth very cent in overall management of your network.

 

[xtropodx]

You boys are over complicating this a bit aren't you?

For any client you don't want internet access for...

Click on network map on the left under general
Click on the Client icon on the right for the specific client
Click on block internet access
Click Apply

Or

Setup the camera with a static ip address and leave the default gateway blank - make sure you create reservations for these or change the dhcp scope so it does not overlap

Setup your cameras to point to an internal ntp server

Can't believe I've just discovered something new with my router .......

Is there any drawbacks with the above method ? ie should I be able to access these devices via VPN Server if said devices are blocked this way?

 

[bbunge]

Can't believe I've just discovered something new with my router .......

Is there any drawbacks with the above method ? ie should I be able to access these devices via VPN Server if said devices are blocked this way?

Using Asus Parental Control to block internet access works very well. On a remote LAN I manage there is one PC that is used by volunteers to monitor the security camera system. Too many folks were spending their days surfing with the PC so I blocked access to the internet with Parental Controls. The PC has VNC installed so I can remote into the LAN via OpenVPN, connect to the desktop with VNC to do maintenance. Yes I have to disable the Parental Controls to get updates but I do that after hours when the place is closed.

 

[xtropodx]

Well something isn't right. I can't connect to my IP cameras doing this. I can connect to them via wifi, but soon as I setup parental controls I can't access them via web/vpnServer, what am I missing?

 

[Martineau]

Well something isn't right. I can't connect to my IP cameras doing this. I can connect to them via wifi, but soon as I setup parental controls I can't access them via web/vpnServer, what am I missing?

When you use the GUI to 'Block Internet Access' for a device either via the Network Map - Client Status panel
e.g.

or via the Parental Controls tab, it does (using the MAC address) exactly that.

i.e. it creates the following firewall rule - blocking ALL 'out' interfaces.

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     1701  102K DROP       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            MAC XX:XX:XX:XX:XX:XX

However, to allow direct remote Camera viewing via either of the two VPN Servers (without a jump-server on the LAN), then you will need to 'complicate' things by using a script to modify the restrictive Camera blocking rule(s)
i.e. the GUI created rule should be modified to still block direct WAN access but allow access via either of the two VPN servers:

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     1701  102K DROP       all  --  br0    !tun2+  0.0.0.0/0            0.0.0.0/0            MAC XX:XX:XX:XX:XX:XX

see IPCamsBlock.sh

 

[xtropodx]

Thanks.
Would this be the same for a network switch then? I've just discovered that I can access the switch remotely with admin credentials (the device doesn't have a way to turn this off), when I can't even do that with the router as the router allows me to disable WAN access. Should this be a concern?

 

[Martineau]

Would this be the same for a network switch then? I've just discovered that I can access the switch remotely with admin credentials (the device doesn't have a way to turn this off), when I can't even do that with the router as the router allows me to disable WAN access.

Should this be a concern?

YES!

I would definitely be concerned that you are apparently able to logon to your switch's Web interface or CLI directly from the web with full admin credentials without explicitly exposing the switch thru' the firewall.

I suggest you immediately identify why your firewall configuration may be incorrect or poorly configured (UPnP enabled etc.) but yes, you could apply the same IPCam iptables blocking rule for the switch.

P.S. I hope you have now changed the admin password for the switch.
P.P.S Can you disclose the vendor of the switch?

 

[xtropodx]

It's a TP-link switch, it doesn't have any login control/restriction options other than changing username & password which I'd done already.
I couldn't see anywhere where it has UPnP, but then some setting had 239.255.255.250 loaded (don't remember which), which from googling seems linked to plug n play . I've since disabled it.

My router firewall configurations are stock merlin standard. I'm now running skynet, someone needs to make all this stuff bit more user-friendly. I'm just a home user that cares about home security & some of this is over my head .