How to block ip camera from accessing the internet

[xtropodx]

When you use the GUI to 'Block Internet Access' for a device either via the Network Map - Client Status panel
e.g.
View attachment 13415
or via the Parental Controls tab, it does (using the MAC address) exactly that.

i.e. it creates the following firewall rule - blocking ALL 'out' interfaces.

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     1701  102K DROP       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            MAC XX:XX:XX:XX:XX:XX

However, to allow direct remote Camera viewing via either of the two VPN Servers (without a jump-server on the LAN), then you will need to 'complicate' things by using a script to modify the restrictive Camera blocking rule(s)
i.e. the GUI created rule should be modified to still block direct WAN access but allow access via either of the two VPN servers:

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     1701  102K DROP       all  --  br0    !tun2+  0.0.0.0/0            0.0.0.0/0            MAC XX:XX:XX:XX:XX:XX

see IPCamsBlock.sh

I've re-read this, the thread, & the many links several times, but still trying to figure out how to get this to work, or even where to start ? .

What do I need for this, as I feel I'm still missing something? I have:
-putty.
-skynet.
-have managed to access my router via putty & get skynet working.
-what else do I need, if anything?

All I want to do is be able to block my IP cameras, switch & whatever else from accessing the internet but still be able to access these via VPNServer. I can already do the latter.

Thanks!!

 

[Martineau]

I couldn't see anywhere where it has UPnP, but then some setting had 239.255.255.250 loaded (don't remember which), which from googling seems linked to plug n play . I've since disabled it

I have always immediately disabled UPnP when setting up my router, and I have personally never found the lack of UPnP being an issue.

Given the number of suspected horror stories, there is plenty to argue the case for the router firmware to have it DISABLED by default (Why/Howto disable UPnP on ASUS and TP-Link,Linksys and D-Link routers)

So now that you have disabled UPnP on the router, even without an explicit iptables WAN blocking rule, presumably your switch is no longer exposed to the WAN?

 

[Martineau]

I've re-read this, the thread, & the many links several times, but still trying to figure out how to get this to work, or even where to start ? .

What do I need for this, as I feel I'm still missing something? I have:
-putty.

Did you read/follow: Mini WinSCP tutorial for IPCamsBlock ?

NOTE: If using Windows, there are better (free) SSH-capable alternatives to PuTTY - Xshell5 (my personal favourite to compliment WinSCP) MobaXterm etc.

 

[xtropodx]

Thanks! I think hardest part of doing this, is the info for this is all over the place.

So got it working after reading that several times over. Installed yet another piece of software .

For some reason following didn't work & only the first IP would get blocked;

CAMERAS 123.456.789.123, 123.456.789.456, 123.456.789.789

But this did;

CAMERAS 123.456.789.123
CAMERAS 123.456.789.456
CAMERAS 123.456.789.789

Is there perhaps a parsing issue with the script?

I can still access the network switch via VPNServer though, how to I completely stop this from being possible, while allow other stuff to go through, if that's even possible?


EDIT:

So, once the script is working , the camera blocking will be lost if the router is rebooted.

So how you do ensure it does work if the router is rebooted for whatever reason?

 

[Martineau]

For some reason following didn't work & only the first IP would get blocked;

CAMERAS 123.456.789.123, 123.456.789.456, 123.456.789.789

But this did;

CAMERAS 123.456.789.123
CAMERAS 123.456.789.456
CAMERAS 123.456.789.789

Is there perhaps a parsing issue with the script?

Spoiler: IPCamsBlock script help

./IPCamsBlock.sh -h

#======================================================================================== © 2016-2018 Martineau, v1.07
#
# Block unsolicited outbound traffic from the I/P cameras, except for NTP and optional WAN NVR, but still allow viewing via the VPN Servers (and/or WAN Port forwards)
# (Default is via secure VPN servers only viewing)
#
#          IPCamsBlock     [help|-h] | [init [blockntp] [logdrop] [logntp]] | [status] | [del] | [ntplogscan] [ wanip='ip_address' [ usewanip ] ] [mac]
#
#          IPCamsBlock     init
#                          Create the blocking rules (usually called from /jffs/scripts/firewall-start)
#                          (Assumes /jffs/configs/IPGroups exists with valid 'CAMERAS' entry - Uppercase text!)
#                                    e.g. CAMERAS  10.88.8.10,10.88.8.15-10.88.8.20,10.88.8.50:10.88.8.55

<snip>

Short answer - Remove the spaces between the IP addresses/IP ranges in your CAMERA list

Spoiler: Long Answer

The example in the help shows the IP addresses in the common Comma Separated Values (CSV) format
and the code lines 279-287 read

# Check for group names, and expand as necessary
#   e.g. '192.168.1.30,192.168.1.50-192.168.1.54' -> '192.168.1.30 192.168.1.50 192.168.1.51 192.168.1.52 192.168.1.53 192.168.1.54'
if [ -f "/jffs/configs/IPGroups" ];then         # '/jffs/configs/IPGroups' two columns
                                                # ID xxx.xxx.xxx.xxx[[,xxx.xxx.xxx.xxx][-xxx.xxx.xxx.xxx]
    CAMERAS=`grep -iwE "^CAMERAS" /jffs/configs/IPGroups | awk '{print $2}'`
else
    #CAMERAS="10.88.8.120,10.88.8.122-10.88.8.123,10.88.8.124:10.88.8.125"      # Silly example to illustrate how mutiple ranges can be specified!
    CAMERAS=
fi

So only the 2nd column is used as data by the script. This allows a comment to be appended
e.g.

CAMERAS     PATIO,LOUNGE,192.168.1.99       VPN only cameras
PATIO       192.168.1.22-192.168.1.30       Patio Static Infrared
LOUNGE      192.168.1.50,192.168.1.55       Lounge PVR

NOTE: However, as it was lazy coding on my part , if I ever get around to releasing v1.07 then I'll include a fix to allow a 'relaxed' .csv file format.

So how you do ensure it does work if the router is rebooted for whatever reason?

Create script

/jffs/scripts/nat-start​

see Wiki/documentation for Asuswrt-merlin section Usage/1. User scripts
e.g.

#!/bin/sh

logger -st "($(basename $0))" $$ "IP Camera Blocking ('IPCamsBlock') requested....."
/jffs/scripts/IPCamsBlock.sh init

I can still access the network switch via VPNServer though, how to I completely stop this from being possible, while allow other stuff to go through, if that's even possible?

By default if you connect inbound to your OpenVPN server, then the VPN Clients' access rights are exactly the same as if you were 'sitting' on the LAN so you have unrestricted access to LAN resources.

If this is an issue (because your remote OpenVPN users should only be accessing say your shared video library etc.) then you will need to add a firewall rule to stop any connected VPN clients from accessing the off-limits LAN resource(s).
e.g.

iptables -I OVPN -i tun2+ -o br0 -d xxx.xxx.xxx.xxx -j logdrop

This should preferably be done in one of the associated openvpn-event scripts such as /jffs/scripts/vpnserver1-route-up, but you can cheat and include the rule(s) in nat-start.

 

[dazedv3]

EDIT: After further investigation it would seem that its the NTP scripts/setup that isnt working. I got it to work but after resetting the router it did no "auto run" so NTP server couldnt be reached. Why would the router not be running the script after reboot. Do I need a services-start script too?

Hi, I have what I hope to be a quick question. @Martineau I have installed/enabled your IPCamBlock script and I believe it is working, I am currently testing it using PC IP addresses rather than cameras.

I also followed this guide https://github.com/RMerl/asuswrt-merlin/wiki/Setting-up-an-NTP-Server-for-your-local-lan so that I can use my router as the NTP server for my NVR when I'm all setup however during testing I notice (in windows) that when I blocked the PCs IP address using the IPCamBlock script I could not synchronize with the router for NTP, I would receive an error. Keeping in mind this is in Windows during testing purposes.

Is this something that should happen?

 

[xtropodx]

Do I need a services-start script too?

Pretty sure you need;
-Administration->Enable JFFS custom scripts and configs->Yes.

For any scripts to work, particularly with a reboot. I didn't have this on & it caused no end of issues.

 

[dazedv3]

Pretty sure you need;
-Administration->Enable JFFS custom scripts and configs->Yes.

For any scripts to work, particularly with a reboot. I didn't have this on & it caused no end of issues.

Yeah I have custom scripts enabled, I have an IP blocking script which works its the NTP I'm having problems with. I submitted a post to the original thread here https://www.snbforums.com/threads/c...ntp-time-source-for-my-lan.38370/#post-427820 but haven't got a reply yet.

 

[58chev]

Hoping someone can assist me.

ASUS RT-AC66U_B1 AsusWRT-Merlin 384.6_0
UPnP turned off on router, cams and NVR
running Skynet (Just started playing with it)
internal NTP Server for IPCAMS

I want to stop the IPCams from possibly "calling home" BUT still need them to send out email alerts.

I have been testing with just one cam using IPTABLES in /jffs/scripts/firewall-start
The following setting iptables -I FORWARD 2 -s 192.168.254.2 -o eth0 -j DROP does what it should, stop the cam from going out but also stops it from sending me email alerts.

With the IPTABLES line in firewall-start, I can VPN in and access my cam. Thus able to test the email setting.


I have the following line that I have been trying to modify but no luck at all.

Firewall $ACTION FORWARD $FWRULENO -s 192.168.254.2 -d smtp.gmail.com -o $(nvram get wan0_ifname) -p tcp -m tcp --dport 587 -j ACCEPT

 

[Martineau]

I have the following line that I have been trying to modify but no luck at all.

Firewall $ACTION FORWARD $FWRULENO -s 192.168.254.2 -d smtp.gmail.com -o $(nvram get wan0_ifname) -p tcp -m tcp --dport 587 -j ACCEPT

I would simply allow both TCP/UDP to smtp.gmail.com (either on port 587 or the alternate legacy port etc.) and let the GMail server decide if the requested protocol/port is valid.

So if using my IPCamsBlock.sh script add a line

Firewall $ACTION  FORWARD $FWRULENO -i br0 -s 192.168.254.2 -d smtp.gmail.com -o $(nvram get wan0_ifname) -j ACCEPT

or

iptables -I FORWARD 2 -i br0 -s 192.168.254.2 -d smtp.gmail.com -o $(nvram get wan0_ifname) -j ACCEPT

 

[58chev]

or

iptables -I FORWARD 2 -i br0 -s 192.168.254.2 -d smtp.gmail.com -o $(nvram get wan0_
ifname) -j ACCEPT

I added this to firewall-start and it still does not allow my camera to send email alerts.

I am not using IPCamsBlock.sh because even after printing it out and reading it over, it is way above my comprehension of scripting.

 

[Martineau]

I am not using IPCamsBlock.sh because even after printing it out and reading it over, it is way above my comprehension of scripting.

IPCamsBlock.sh should run as-is without needing any modification, and there is a mini-tutorial to assist in configuring the config file to define the IP CAMs to be restricted by the script.

I added this to firewall-start and it still does not allow my camera to send email alerts.

You will need to list the firewall FORWARD chain rules to assist in problem analysis...

iptables  --line -t filter -nvL FORWARD

 

[58chev]

IPCamsBlock.sh should run as-is without needing any modification, and there is a mini-tutorial to assist in configuring the config file to define the IP CAMs to be restricted by the script.

Where do I find the mini-tutorial?

I will give your IPCamsBlock.sh a try.
Need some hand holding
What line would I paste in your Code above?
Code:
Firewall $ACTION FORWARD $FWRULENO -i br0 -s 192.168.254.2 -d smtp.gmail.com -o $(nvram get wan0_ifname) -j ACCEPT

How do I run it?

I have copied it to my jffs/scripts folder.

Safe to change the IP address to correspond to my cameras IP scheme?



EDIT::
Sep 11 16:09:22 Skynet: [Complete] 115763 IPs / 1438 Ranges Banned. 0 New IPs / 0 New Ranges Banned. 0 Inbound / 0 Outbound Connections Blocked! [start] [22s]
Sep 11 16:09:22 (IPCamsBlock.sh): 31281 v1.06 I/P Cameras Firewall blocking.... init
Sep 11 16:09:23 (IPCamsBlock.sh): 31281 I/P Cameras Firewall blocking request completed.

Looks like I did something right.
Still need to know what line to insert your email code?

 

[Martineau]

Where do I find the mini-tutorial?

Link to Mini tutorial

I will give your IPCamsBlock.sh a try.
Need some hand holding

I have copied it to my jffs/scripts folder

I have updated the script to allow an appropriate SMTP rule(s) to be generated

So please download v1.08 IPCamsBlock.sh

What line would I paste in your Code above?

You don't …. see below​

Safe to change the IP address to correspond to my cameras IP scheme?

You don't edit the script, you simply create the text file '/jffs/configs/IPGroups' to define your IP Cameras.

How do I run it?

To see the help issue:

cd /jffs/scripts

./IPCamsBlock.sh   -h

then to run it issue:

./IPCamsBlock.sh   init

IPCamsBlock.v1.08 now allows you to specify how the email rules are to be generated for the group.

i.e. Once you have successfully installed IPCamsBlock.sh, and you have let it run for a while say 10 mins and checked the status, you can then try and specify that emails are to be allowed by running:

./IPCamsBlock.sh   init   mail=smtp.gmail.com

or to only allow port 587

./IPCamsBlock.sh   init   mail=smtp.gmail.com:587

./IPCamsBlock.sh   status

(IPCamsBlock.sh): 19505 v1.08 I/P Cameras Firewall blocking.... status
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
8      470 56263 MyIPCAMs   all  --  br0    *       0.0.0.0/0            0.0.0.0/0
           
Chain MyIPCAMs (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 ACCEPT     udp  --  br0    eth0    0.0.0.0/0            173.194.76.108       udp dpt:587 /* smtp.gmail.com */
2        0     0 ACCEPT     udp  --  br0    eth0    0.0.0.0/0            173.194.76.109       udp dpt:587 /* smtp.gmail.com */
3        0     0 ACCEPT     tcp  --  br0    eth0    0.0.0.0/0            173.194.76.109       tcp dpt:587 /* smtp.gmail.com */
4        0     0 ACCEPT     tcp  --  br0    eth0    0.0.0.0/0            173.194.76.108       tcp dpt:587 /* smtp.gmail.com */
5       42  3192 ACCEPT     udp  --  br0    eth0    0.0.0.0/0            0.0.0.0/0            udp dpt:123
6       36  2160 DROP       all  --  br0    !tun2+  10.88.8.120          0.0.0.0/0           
7        0     0 DROP       all  --  br0    !tun2+  10.88.8.121          0.0.0.0/0           
8        0     0 DROP       all  --  br0    !tun2+  10.88.8.122          0.0.0.0/0           
9       60  3600 DROP       all  --  br0    !tun2+  10.88.8.123          0.0.0.0/0           
10      96  5760 DROP       all  --  br0    !tun2+  10.88.8.125          0.0.0.0/0

​

 

[58chev]

Something don't look right

techhead@NAS:/jffs/scripts#
sh /jffs/scripts/IPCamsBlock.sh init mail=smtp.gmail.com:587
: not foundts/IPCamsBlock.sh: line 45:
: not foundts/IPCamsBlock.sh: line 48:
: No such file or directoryock.sh
: not foundts/IPCamsBlock.sh: line 53: }
: not foundts/IPCamsBlock.sh: line 55:
: not foundts/IPCamsBlock.sh: line 60:
: not foundts/IPCamsBlock.sh: line 61: }
: not foundts/IPCamsBlock.sh: line 67:
/jffs/scripts/IPCamsBlock.sh: local: line 68: not in a function
: not foundts/IPCamsBlock.sh: line 69:
/jffs/scripts/IPCamsBlock.sh: shift: line 72: Illegal number: 2
techhead@NAS:/jffs/scripts#

 

[octopus]

Run this from SSH and try again.
dos2unix /jffs/scripts/IPCamsBlock.sh

 

[58chev]

Run this from SSH and try again.
dos2unix /jffs/scripts/IPCamsBlock.sh

ThanX That worked

 

[octopus]

ThanX That worked

okey nice

 

[58chev]

Tested after letting it sit for a while and my camera gave me a fail, on sending a test email.

techhead@NAS:/# sh /jffs/scripts/IPCamsBlock.sh status

(IPCamsBlock.sh): 5728 v1.08 I/P Cameras Firewall blocking.... status

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
5       27  3845 MyIPCAMs   all  --  br0    *       0.0.0.0/0            0.0.0.0/0  

Chain MyIPCAMs (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  br0    eth0    0.0.0.0/0            108.177.112.108      /* smtp.gmail.com */
2        0     0 ACCEPT     all  --  br0    eth0    0.0.0.0/0            108.177.112.109      /* smtp.gmail.com */
3        0     0 ACCEPT     udp  --  br0    eth0    0.0.0.0/0            0.0.0.0/0            udp dpt:123
4       14   840 DROP       all  --  br0    !tun2+  192.168.254.2        0.0.0.0/0  
5        0     0 DROP       all  --  br0    !tun2+  192.168.254.7        0.0.0.0/0  
6        0     0 DROP       all  --  br0    !tun2+  192.168.254.8        0.0.0.0/0  
7        0     0 DROP       all  --  br0    !tun2+  192.168.254.9        0.0.0.0/0

techhead@NAS:/# sh /jffs/scripts/IPCamsBlock.sh status

(IPCamsBlock.sh): 6669 v1.08 I/P Cameras Firewall blocking.... status

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination 
5      193 20676 MyIPCAMs   all  --  br0    *       0.0.0.0/0            0.0.0.0/0   

Chain MyIPCAMs (1 references)
num   pkts bytes target     prot opt in     out     source               destination 
1        0     0 ACCEPT     udp  --  br0    eth0    0.0.0.0/0            108.177.112.109      udp dpt:587 /* smtp.gmail.com */
2        0     0 ACCEPT     udp  --  br0    eth0    0.0.0.0/0            108.177.112.108      udp dpt:587 /* smtp.gmail.com */
3        0     0 ACCEPT     tcp  --  br0    eth0    0.0.0.0/0            108.177.112.108      tcp dpt:587 /* smtp.gmail.com */
4        0     0 ACCEPT     tcp  --  br0    eth0    0.0.0.0/0            108.177.112.109      tcp dpt:587 /* smtp.gmail.com */
5        0     0 ACCEPT     udp  --  br0    eth0    0.0.0.0/0            0.0.0.0/0            udp dpt:123
6       16   960 DROP       all  --  br0    !tun2+  192.168.254.2        0.0.0.0/0   
7        0     0 DROP       all  --  br0    !tun2+  192.168.254.7        0.0.0.0/0   
8        0     0 DROP       all  --  br0    !tun2+  192.168.254.8        0.0.0.0/0   
9        0     0 DROP       all  --  br0    !tun2+  192.168.254.9        0.0.0.0/0   

(IPCamsBlock.sh): 6669 I/P Cameras Firewall blocking status request completed.

 

[Martineau]

Tested after letting it sit for a while and my camera gave me a fail, on sending a test email.

techhead@NAS:/# sh /jffs/scripts/IPCamsBlock.sh status

(IPCamsBlock.sh): 6669 v1.08 I/P Cameras Firewall blocking.... status

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
5      193 20676 MyIPCAMs   all  --  br0    *       0.0.0.0/0            0.0.0.0/0

Chain MyIPCAMs (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     udp  --  br0    eth0    0.0.0.0/0            108.177.112.109      udp dpt:587 /* smtp.gmail.com */
2        0     0 ACCEPT     udp  --  br0    eth0    0.0.0.0/0            108.177.112.108      udp dpt:587 /* smtp.gmail.com */
3        0     0 ACCEPT     tcp  --  br0    eth0    0.0.0.0/0            108.177.112.108      tcp dpt:587 /* smtp.gmail.com */
4        0     0 ACCEPT     tcp  --  br0    eth0    0.0.0.0/0            108.177.112.109      tcp dpt:587 /* smtp.gmail.com */
5        0     0 ACCEPT     udp  --  br0    eth0    0.0.0.0/0            0.0.0.0/0            udp dpt:123
6       16   960 DROP       all  --  br0    !tun2+  192.168.254.2        0.0.0.0/0

(IPCamsBlock.sh): 6669 I/P Cameras Firewall blocking status request completed.

Issue:

./IPCamsBlock.sh   init   mail=smtp.gmail.com:587   logdrop

then wait for the IP camera 192.168.254.2 to try and send an email, then post the output of the following commands:

./IPCamsBlock.sh   status

grep 192.168.254.2 /tmp/syslog.log   | sed 's/SEQ=.*$//;s/LEN=.*DF//'