NomisGnos
Hello long time lurker first time poster. Community here is awesome!
I have an ASUS 3100 wireless router and about 4 IP cameras. On my old router it was easy to block outgoing traffic so that I could make sure the cameras weren't "calling home". I want to do the same thing with this router, so I decided to first use the port forwarding tool and then I started looking up iptables.
My goal:
- By default block outgoing and incoming traffic for 192.168.1.0/29
- Exception: I want to open 120:130 BUT for only a handful of trusted IPs (work or a friend's house). Let's say those IPs are 150.150.150.150 and 250.250.250.0/24 (I use a browser to access these ports, not that it probably matters anyway), so if I wanted to access CAMERA #2 it would be DDNS.dns.com:121
- Exception: The cameras send out emails via SMTPS (port 465), so I want to open that up so that they can send out the emails.
- Don't want to block INPUT/OUTPUT since I have some IoT stuff that communicates somewhere else, so I don't want to change the default policy to block that. Unless I am misunderstanding how that works.
/jffs/scripts/ called firewall-start. I edited the file starting with the shebang and added some rules (will get back to this later). I used service restart_firewall. The problem I am getting into is that I am not getting the appropriate results and it is very possible that I am writing the rules wrong and/or maybe the order.
I tried iptables FORWARD, I tried iptables INPUT & OUTPUT, and I tried a combination of "INSERT" / "APPEND" and for some odd reason it will either BLOCK everything or leave it OPEN completely. It never follows my ultimate goal. I am sure it has to do with some order or default rules for FORWARD or INPUT or OUTPUT but I just can't figure it out.
I need some experts to help me out. Here is my existing iptables as of right now:
Code:
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP icmp -- anywhere anywhere icmp echo-request
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP all -- anywhere anywhere state INVALID
PTCSRVWAN all -- anywhere anywhere
PTCSRVLAN all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state NEW
ACCEPT all -- anywhere anywhere state NEW
OVPN all -- anywhere anywhere state NEW
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
INPUT_ICMP icmp -- anywhere anywhere
DROP all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
other2wan all -- anywhere anywhere
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere
NSFW all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate DNAT
OVPN all -- anywhere anywhere state NEW
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain ACCESS_RESTRICTION (0 references)
target prot opt source destination
Chain FUPNP (0 references)
target prot opt source destination
Chain INPUT_ICMP (1 references)
target prot opt source destination
RETURN icmp -- anywhere anywhere icmp echo-request
RETURN icmp -- anywhere anywhere icmp timestamp-request
ACCEPT icmp -- anywhere anywhere
Chain NSFW (1 references)
target prot opt source destination
Chain OVPN (2 references)
target prot opt source destination
Chain PControls (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain PTCSRVLAN (1 references)
target prot opt source destination
Chain PTCSRVWAN (1 references)
target prot opt source destination
Chain SECURITY (0 references)
target prot opt source destination
RETURN tcp -- anywhere anywhere tcpflags: FIN,SYN,RST,ACK/SYN limit: avg 1/sec burst 5
DROP tcp -- anywhere anywhere tcpflags: FIN,SYN,RST,ACK/SYN
RETURN tcp -- anywhere anywhere tcpflags: FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5
DROP tcp -- anywhere anywhere tcpflags: FIN,SYN,RST,ACK/RST
RETURN icmp -- anywhere anywhere icmp echo-request limit: avg 1/sec burst 5
DROP icmp -- anywhere anywhere icmp echo-request
RETURN all -- anywhere anywhere
Chain default_block (0 references)
target prot opt source destination
Chain logaccept (0 references)
target prot opt source destination
LOG all -- anywhere anywhere state NEW LOG level warning tcp-sequence tcp-options ip-options prefix "ACCEPT "
ACCEPT all -- anywhere anywhere
Chain logdrop (0 references)
target prot opt source destination
LOG all -- anywhere anywhere state NEW LOG level warning tcp-sequence tcp-options ip-options prefix "DROP "
DROP all -- anywhere anywhere
Chain other2wan (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
DROP all -- anywhere anywhere
Thanks in advance!
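The listing above explains the all-or-nothing behaviour the post describes: the FORWARD chain's fourth rule is a blanket ACCEPT (the router's LAN-to-WAN rule), so anything appended with -A lands behind it and never matches, while a bare DROP inserted above it catches every forwarded packet. The camera traffic never touches INPUT or OUTPUT either, since those chains only govern packets to and from the router itself. The following firewall-start is an added example written for this thread, not the poster's script and not part of the Asus-Merlin firmware. It assumes a user-defined chain named CAMERAS (assumed name), that the cameras are reachable from outside only through the router's own port-forward entries (so inbound camera connections carry conntrack state DNAT), and that the firmware invokes it as "firewall-start apply"; with no argument it only prints the commands it would run. The subnet and trusted addresses are the ones given in the post.

```shell
#!/bin/sh
# Added example, not the poster's script: a /jffs/scripts/firewall-start that
# isolates the camera subnet in the FORWARD chain of an Asus-Merlin router.
# Assumptions (not from the post): the user-defined chain is called CAMERAS,
# inbound camera access arrives via the router's port forwards (conntrack state
# DNAT), and the firmware runs the script as "firewall-start apply".
# With no argument it only prints the iptables commands it would run.

CAM_NET="192.168.1.0/29"                      # camera subnet from the post
TRUSTED="150.150.150.150 250.250.250.0/24"    # trusted sources from the post
CHAIN="CAMERAS"                               # assumed chain name
IPT="${IPT:-iptables}"

# Emit one iptables argument list per line. Kept free of side effects so the
# rule set can be reviewed, diffed or tested without touching the live tables.
gen_rules() {
    echo "-N $CHAIN"   # create the chain (harmless if it already exists)
    echo "-F $CHAIN"   # start from an empty chain on every run
    # Replies belonging to connections permitted below
    echo "-A $CHAIN -m state --state RELATED,ESTABLISHED -j ACCEPT"
    # Trusted sources may use the port forwards. FORWARD sees the post-DNAT
    # destination, so match on the DNAT state rather than on the public port.
    for src in $TRUSTED; do
        echo "-A $CHAIN -s $src -d $CAM_NET -m conntrack --ctstate DNAT -j ACCEPT"
    done
    # Cameras may send mail over SMTPS and nothing else
    echo "-A $CHAIN -s $CAM_NET -p tcp --dport 465 -j ACCEPT"
    # Everything else to or from the subnet is logged (rate limited) and dropped
    echo "-A $CHAIN -m limit --limit 6/min -j LOG --log-prefix \"CAM-DROP \""
    echo "-A $CHAIN -j DROP"
    # Link the chain at the top of FORWARD, ahead of the router's blanket ACCEPT
    # rules; rules appended with -A would sit behind them and never match.
    echo "-I FORWARD 1 -s $CAM_NET -j $CHAIN"
    echo "-I FORWARD 1 -d $CAM_NET -j $CHAIN"
}

# Apply the generated rules; only the chain-creation step may fail quietly.
apply_rules() {
    gen_rules | while IFS= read -r rule; do
        case "$rule" in
            "-N "*) eval "$IPT $rule" 2>/dev/null || true ;;
            *)      eval "$IPT $rule" || echo "failed: $IPT $rule" >&2 ;;
        esac
    done
}

case "${1:-}" in
    apply) apply_rules ;;
    *)     gen_rules | sed "s|^|$IPT |" ;;   # dry run: show the commands
esac
```

Two caveats a practitioner would check before relying on this. First, these rules live in FORWARD only, so DHCP and DNS served by the router itself keep working for the cameras; if the cameras are configured with an external DNS server, the SMTPS exception alone will not let them resolve the mail host and a matching UDP/TCP 53 rule is needed. Second, because service restart_firewall rebuilds the router's chains and then calls firewall-start, the two -I lines do not accumulate across restarts, but running the script by hand several times would add duplicate jumps; the dry-run output lets you verify the intended rule order (the DROP is in place before the chain is linked into FORWARD) before applying anything.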