
Creating Network Services Filter script -- Can this be done?

Discussion in 'Asuswrt-Merlin' started by JohnD5000, Jan 30, 2020.

  1. JohnD5000

    JohnD5000 Regular Contributor

    Joined:
    Nov 20, 2016
    Messages:
    180
    Not sure where the appropriate forum to ask this is (if there is a better one, please let me know and I'll repost there).

    I have an RT-AC86U, running Merlin 384.15 alpha 2 and have AMTM, Skynet, and Entware packages running.

    Is something like this possible? If so, how (I'm thinking a script or some script package that can be loaded)?

    I have an elderly parent at home that has dementia staying in my home with my family. Usually, I am home with him, but, occasionally, I have to leave him alone. I set up wireless cameras in the house so that my family can monitor him while he is alone. However, I do not want the cameras on while I am home with him. My thinking is that I always have my phone with me. Therefore, when the phone is connected to the home network, I'd like the cameras off. When the phone is not connected to the network I'd like the cameras on.

    I was playing around and discovered that filtering by MAC address will not work (since the cameras are battery operated and when blocked they shut off). But, if I go to Firewall/Network Services Filter and set up a filter for the IP address and protocol UDP, no one can connect to the cameras and they do not lose their connection.

    I have manually assigned the following DHCP IP addresses:
    192.168.1.200 Phone
    192.168.1.211 Camera 1
    192.168.1.212 Camera 2
    192.168.1.213 Camera 3

    My thought is, when Phone (ip 192.168.1.200) is not connected to wireless network, 3 Network Services Filters would be created:
    192.168.1.211 UDP
    192.168.1.212 UDP
    192.168.1.213 UDP

    When phone (IP 192.168.1.200) reconnects to the wireless network, the 3 filters would be deleted.

    Is there any way to automate this with a script or something?

    Thank you.
     
  2. SomeWhereOverTheRainBow

    SomeWhereOverTheRainBow Very Senior Member

    Joined:
    Jun 4, 2019
    Messages:
    1,225
    Another idea is, if you know what times of the day you are home, you can place the cameras on a time schedule (and yes, this can include intervals of time as well). That is just a thought. "The easier, but not necessarily better, route." I have my children's devices on a time schedule and it seems to work pretty well with switching to when they are or are not allowed. It redirects the traffic; the cameras will still be on Wi-Fi, just with no internet access, as the traffic gets redirected per the time-schedule abilities under parental filtering.
     
    Last edited: Jan 30, 2020
  3. JohnD5000

    JohnD5000 Regular Contributor

    Joined:
    Nov 20, 2016
    Messages:
    180
    Thank you, but, unfortunately, the times vary, so that is not possible.
     
  4. Maverickcdn

    Maverickcdn Regular Contributor

    Joined:
    Mar 14, 2018
    Messages:
    141
  5. JohnD5000

    JohnD5000 Regular Contributor

    Joined:
    Nov 20, 2016
    Messages:
    180
    Thanks, but if I understand that thread, it is a way to run on the router while connected over SSH that provides a list of active devices on the network in the same way that the "Client Status" screen shows on the home page.

    I already know the IPs (they are manually assigned) and I know the MAC addresses.

    What I want to know is if I can create a script that:
    • A: loops through the router's assoclist and compares each MAC or IP against a list that is provided.
    • B: if no match, then adds a firewall rule using iptables that will drop/reject the traffic from/to your camera (i.e. a Network Services Filter for the IP address for protocol UDP).
    • C: in case of a match, then removes the rule from the firewall, therefore allowing the traffic to/from your camera.
    Maybe add the script to a cron that runs every x minutes.

    I've been trying to do a little NOOB research and steps B & C look like they would be a one-line command with iptables per camera (I just have to figure it out). Not sure on the A step. Or am I way off?

    Thanks
     
  6. Maverickcdn

    Maverickcdn Regular Contributor

    Joined:
    Mar 14, 2018
    Messages:
    141
    You've got the right idea; use this as a hacky guide to give you an idea.

    Could be far more robust, but this would work, I'm pretty sure. This is based on my extremely limited testing of connectivity and 'arp -n' showing either the MAC when it's connected or <incomplete> when not. You need to change the 00:00:00 to the last six of your phone's MAC.

    Could run this using a cron every 5, 10, 15 mins using an init-start script.

    And I'm not 100% sure this needs to be in the FORWARD table or in a different one... too late in the evening and my extracurriculars are working ;)

    Code:
    #!/bin/sh
    # Block the cameras' outbound UDP while the phone is on the LAN; unblock it when the phone leaves.
    # Replace 00:00:00 with the last six hex digits (last three octets) of the phone's MAC.
    PHONE_IP="192.168.1.200"
    PHONE_MAC_TAIL="00:00:00"
    CAM_RANGE="192.168.1.211-192.168.1.213"
    # One rule spec shared by the insert, the check and the delete, so the three always agree.
    # FORWARD is the chain that LAN-to-WAN traffic passes through on the router.
    RULE="-p udp -m iprange --src-range $CAM_RANGE -j DROP"
    
    ping -c3 -w2 "$PHONE_IP" >/dev/null 2>&1   # ping the phone so the router refreshes its ARP entry
    sleep 2
    
    # arp -n shows the MAC when the phone is connected and <incomplete> when it is not
    if arp -n | grep "$PHONE_IP" | grep -q "$PHONE_MAC_TAIL"; then
        # phone connected: add the drop rule once (-n avoids slow reverse-DNS lookups in the listing)
        if ! iptables -nL FORWARD | grep -q "$CAM_RANGE"; then
            iptables -I FORWARD 1 $RULE          # first in the chain so it wins over later ACCEPT rules
            logger -t camerablock "phone connected, camera UDP drop rule added"
        fi
    else
        # phone appears disconnected: remove the rule if it is there
        if iptables -nL FORWARD | grep -q "$CAM_RANGE"; then
            iptables -D FORWARD $RULE
            logger -t camerablock "phone disconnected, camera UDP drop rule removed"
        fi
    fi
    exit 0
     
    Last edited: Jan 31, 2020
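    The same policy as the script above, split into functions that run on captured text, so the add/delete/noop decision can be checked against sample 'arp -n' and 'iptables -nL FORWARD' output before it is wired to cron and a live firewall. This is an added example, not the script posted above nor anything shipped with Asuswrt-Merlin; the ARP and iptables listings are constructed samples, and the 'arp -n' line layout and the "source IP range" wording of the iprange match are assumptions about the router's output. The 00:00:00 placeholder is kept from the post.

```shell
#!/bin/sh
# Added example: presence/rule-state decision logic factored into functions
# that can be exercised on captured text. Only apply() touches iptables.
# Assumed: busybox 'arp -n' line format and 'iptables -nL FORWARD' listing
# shape as in the constructed samples at the bottom.

PHONE_IP="192.168.1.200"
PHONE_MAC_TAIL="00:00:00"      # placeholder: last three octets of the phone's MAC
CAM_RANGE="192.168.1.211-192.168.1.213"

# phone_present ARP_TEXT -> exit 0 if the phone's ARP entry carries its MAC.
# The IP is matched inside its parentheses so 192.168.1.20 or 192.168.1.2 cannot
# match by accident, and -F keeps the dots literal instead of regex wildcards.
phone_present() {
    printf '%s\n' "$1" | grep -F "($PHONE_IP) " | grep -qF "$PHONE_MAC_TAIL"
}

# rule_present IPTABLES_TEXT -> exit 0 if the camera DROP rule is already listed.
rule_present() {
    printf '%s\n' "$1" | grep -F "$CAM_RANGE" | grep -q DROP
}

# decide ARP_TEXT IPTABLES_TEXT -> prints add | delete | noop
#   add    : phone home, no rule yet      -> insert the DROP at position 1
#   delete : phone away, rule still there -> remove it so the cameras can stream
#   noop   : state already matches        -> keeps repeated cron runs idempotent
decide() {
    if phone_present "$1"; then
        if rule_present "$2"; then echo noop; else echo add; fi
    else
        if rule_present "$2"; then echo delete; else echo noop; fi
    fi
}

# apply ACTION -> runs the matching iptables command (only meaningful on the router)
apply() {
    case "$1" in
        add)    iptables -I FORWARD 1 -p udp -m iprange --src-range "$CAM_RANGE" -j DROP
                logger -t camerablock "phone on LAN, camera UDP drop rule added" ;;
        delete) iptables -D FORWARD -p udp -m iprange --src-range "$CAM_RANGE" -j DROP
                logger -t camerablock "phone left LAN, camera UDP drop rule removed" ;;
        noop)   : ;;
    esac
}

# Constructed samples (not captured from a real router) in the two formats read above.
ARP_PHONE_HOME='? (192.168.1.200) at aa:bb:cc:00:00:00 [ether]  on br0
? (192.168.1.211) at 11:22:33:44:55:66 [ether]  on br0'
ARP_PHONE_AWAY='? (192.168.1.200) at <incomplete>  on br0
? (192.168.1.211) at 11:22:33:44:55:66 [ether]  on br0'
IPT_NO_RULE='Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED'
IPT_WITH_RULE='Chain FORWARD (policy DROP)
target     prot opt source               destination
DROP       udp  --  0.0.0.0/0            0.0.0.0/0            source IP range 192.168.1.211-192.168.1.213
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED'

# On the router the live call would be: apply "$(decide "$(arp -n)" "$(iptables -nL FORWARD)")"
decide "$ARP_PHONE_HOME" "$IPT_NO_RULE"     # add
```

    Keeping the decision separate from the iptables call is what makes the script safe to run from cron every few minutes: a run that finds the state already correct does nothing, so the rule is never inserted twice. Re-running periodically also matters because the router rebuilds its firewall on events such as a WAN reconnect, which discards rules added by hand; the next cron run puts the rule back.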
  7. Maverickcdn

    Maverickcdn Regular Contributor

    Joined:
    Mar 14, 2018
    Messages:
    141
    Oh, and I'm curious how the cameras are accessed remotely over the Internet?

    VPN? Port forward? Web interface of some kind?

    Just want you to know, if it's not a VPN, you leave that network vulnerable if someone ever hacked the connection, and if it is a VPN the rules would be different, I think, if possible at all with iptables.
     
  8. JohnD5000

    JohnD5000 Regular Contributor

    Joined:
    Nov 20, 2016
    Messages:
    180

    Wow! This is great! This will be my first script. Now, when I get some free time, I just need to study this, figure out how to load it to the router, and create a cron init-start job to see if it works! THANKS!
     
  9. JohnD5000

    JohnD5000 Regular Contributor

    Joined:
    Nov 20, 2016
    Messages:
    180
    I'm not running a VPN or port forwarding. These cameras run off an Android app called CloudEdge
    https://play.google.com/store/apps/details?id=com.cloudedge.smarteye
    The app takes care of all the "work" connecting and all. Not sure exactly how it works (and hopefully it is secure). Seems like a lot of cameras run off this app. Anyhow, you create an account, enter a name & PW and select the QR Code of the camera. Another person can create an account and you can share the camera with them (they can log in and view, too). Not sure how it works, but when it was connected, I noticed it had TCP and UDP connections using the System Logs/Connections from the GUI when the camera was on. I went through all 8 of the options in the Firewall/Network Services Filter. The 7 TCP protocols didn't do anything and the camera still connected, but the UDP protocol seemed to stop the connection in the app. There is probably a better way to block the camera but I'm a networking NOOB trying to learn. My first attempt to block the camera was using the Wireless\MAC Filter. But the camera could not connect to the network, so it needed to be physically reset when I removed the MAC Filter, so that didn't work.
     
  10. Maverickcdn

    Maverickcdn Regular Contributor

    Joined:
    Mar 14, 2018
    Messages:
    141
    That's fine then; the cameras likely use a UDP connection to a command and control server somewhere in the world, and your app on the phones connects to the same C&C server and gets your camera feed that way. As long as you have a non-standard username and a complex password, that will be as secure as you can make it.

    The iptables rules I listed should work for you then.

    I'd look into more about writing scripts and add some logger entries so the script can write some stuff to your router log, so you can see what's happening when the script runs instead of it being totally silent. E.g. logger -t camerablock "Phone connected, adding blocking rule" etc.

    The script I posted is as basic as it gets and only covers the functionality you were looking for without anything else. I really put it there to show what can be used to accomplish what you want; it's there for you to build off as a starting point.

    And I'll just reiterate I'm a total noob as well; gurus might have other suggestions, but this would be a perfect starting point for you, I think.
     
  11. JohnD5000

    JohnD5000 Regular Contributor

    Joined:
    Nov 20, 2016
    Messages:
    180
    Again, thanks. I can more or less follow everything that you wrote but have one question. On this line:

    iptables -I FORWARD 1 -p udp -m iprange --src-range 192.168.1.211-192.168.1.213 -j DROP #adds rule to drop .211 .212 .213

    why is the 1 there? Doesn't that remove the first rule in the IP table? What if there are other rules there that are first?

    Sorry, this is an insert, but I still don't follow the 1.

    Thanks
     
  12. JohnD5000

    JohnD5000 Regular Contributor

    Joined:
    Nov 20, 2016
    Messages:
    180
    Thanks. Right now, I'll be happy to get my first script loaded and running as a cron job. Once it's up and running, I can use it as a building block to learn and add more. BTW, I'd say you're well above NOOB.
     
  13. Maverickcdn

    Maverickcdn Regular Contributor

    Joined:
    Mar 14, 2018
    Messages:
    141
    -I is insert; the 1 specifies it to be the first rule in the chain, is all. It doesn't remove any rules; it would just insert the rule as the first in the chain.

    Something else I'll mention.

    All commands like iptables, etc. have manual pages. Either type 'iptables --help' in an SSH console to see options or just google 'iptables man page' (manual page); just know that all options listed on a command's man page may not be available on the router due to the limited Ash shell, but iptables --help will show what is supported.
     
  14. JohnD5000

    JohnD5000 Regular Contributor

    Joined:
    Nov 20, 2016
    Messages:
    180
    So, I think the script is working, but when the script inserts the UDP rules, should I be able to see them in the GUI if I go to Firewall/Network Service Filters? Because, if I do, I cannot see them there. If I create the rules in the GUI, I don't see them removed, etc. Is there a place to view the rules to see if they have been created/removed from the system if I can't see them from the GUI?
     
  15. Maverickcdn

    Maverickcdn Regular Contributor

    Joined:
    Mar 14, 2018
    Messages:
    141
    No, the GUI is not affected by the script. There may be a way to have the script toggle the Network Services Filter so it's visible in the GUI, but that's beyond me.

    The best way to tell is to add logger lines to the script, and you can check the router logs for changes happening. Otherwise you can SSH into the router and type 'iptables -L FORWARD' and it will list the rules in the forward table. Your blocking rule should list as the first one, based on the script, when your phone is connected and not appear when your phone is disconnected.

    The best way to tell if the script is working is to connect your phone to the network and wait however long you set the cron job (my cron example I posted in your other thread was every 2 mins) to run, to be sure the script ran; then technically you shouldn't be able to access the cameras.
     
  16. Maverickcdn

    Maverickcdn Regular Contributor

    Joined:
    Mar 14, 2018
    Messages:
    141
    Thinking about this more, it would require more testing, but there is also the possibility that if the camera is being viewed by a third party, the phone connects and the UDP rule applies, the third party MAY still get the video feed if they haven't closed the app. My thinking is that the UDP is simply a control connection and, when a phone connects, it might initiate a stream over TCP, which wouldn't be blocked.
    And because they connected before any blocking rules, their TCP connection would possibly still be active.

    You maybe can solve this by simply removing the -p udp from the script, but I'm not 100% sure how established connections are treated when a rule is added.
     
  17. JohnD5000

    JohnD5000 Regular Contributor

    Joined:
    Nov 20, 2016
    Messages:
    180
    Thanks for the info!
     
  18. JohnD5000

    JohnD5000 Regular Contributor

    Joined:
    Nov 20, 2016
    Messages:
    180
    Not sure what it means, but when the UDP rule is in effect, you cannot view the camera from outside the network, but you can view the camera from a client connected to the wireless network. Further testing proves that you are correct: if connected from outside the network and the UDP rule goes into effect, you stay connected, but if you stop viewing, you cannot restart viewing.

    I don't have time to test what would happen if I remove the -p udp from the script, but that is something to try out.

    Thanks
     
  19. Maverickcdn

    Maverickcdn Regular Contributor

    Joined:
    Mar 14, 2018
    Messages:
    141
    Something about a hunch coming true gives me that warm fuzzy feeling, haha.

    Ya, at least it sounds like a well-written Android app in that it looks for the camera on the local network before sending a request to the command and control somewhere in the world, which is why you can still access it on the local network.

    If you remove the -p udp from the script, it will just ensure it blocks the TCP video stream as well but retain local access like you have now. I'm just not confident on whether it would kill an already established connection or not. In theory, in my way of thinking, as soon as the rule was applied it would kill all connections and you wouldn't have to worry about a third party maintaining a stream initiated before the rules were in place, but I could be wrong on that. You'll have to test it out, or maybe someone else can confirm a new iptables rule would block an existing established connection.
     
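    The question in the two posts above (does a newly added rule cut a connection that was already open?) comes down to rule order. iptables evaluates every packet, including packets of flows that are already established, so a DROP inserted at position 1 with -I FORWARD 1 is hit before the chain's RELATED,ESTABLISHED accept and stops existing flows too; a rule appended after that accept with -A only affects new connections, and existing ones keep running until their conntrack entry expires. The check below is an added example, not from the thread and not part of Asuswrt-Merlin: it reads an 'iptables -nL FORWARD --line-numbers' listing and reports whether the camera DROP precedes the ESTABLISHED accept. The listings are constructed samples; the router's real FORWARD chain may contain other rules. The cut_existing_flows helper assumes the conntrack-tools utility ('conntrack') is installed, for instance from Entware, which the thread does not mention.

```shell
#!/bin/sh
# Added example: verify that the camera DROP rule sits ahead of the
# RELATED,ESTABLISHED accept in FORWARD, so already-open streams are cut.
# Assumed: the constructed 'iptables -nL FORWARD --line-numbers' listings
# below resemble the router's output; the real chain may differ.

CAM_RANGE="192.168.1.211-192.168.1.213"

# line_of PATTERN LISTING -> prints the rule number ("num" column) of the first
# line containing PATTERN as a fixed string, or nothing if absent.
line_of() {
    printf '%s\n' "$2" | grep -F "$1" | head -n 1 | awk '{print $1}'
}

# drop_before_established LISTING -> exit 0 if the camera DROP precedes the
# ESTABLISHED accept (or no such accept exists, so every packet reaches the DROP),
# 1 if the DROP is missing or comes after it (existing flows stay grandfathered in).
drop_before_established() {
    drop_no=$(line_of "$CAM_RANGE" "$1")
    est_no=$(line_of "RELATED,ESTABLISHED" "$1")
    [ -n "$drop_no" ] || return 1
    [ -z "$est_no" ] && return 0
    [ "$drop_no" -lt "$est_no" ]
}

# cut_existing_flows -> belt and braces for a rule that was appended late:
# delete the conntrack entries for each camera so nothing is accepted as
# ESTABLISHED any more. Assumption: conntrack-tools is installed on the router.
cut_existing_flows() {
    command -v conntrack >/dev/null 2>&1 || return 1
    for ip in 192.168.1.211 192.168.1.212 192.168.1.213; do
        conntrack -D -s "$ip" >/dev/null 2>&1
    done
    return 0
}

# Constructed listings (not captured from a real router).
LISTING_GOOD='Chain FORWARD (policy DROP)
num  target     prot opt source               destination
1    DROP       all  --  0.0.0.0/0            0.0.0.0/0            source IP range 192.168.1.211-192.168.1.213
2    DROP       all  --  0.0.0.0/0            0.0.0.0/0            state INVALID
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED'
LISTING_LATE='Chain FORWARD (policy DROP)
num  target     prot opt source               destination
1    DROP       all  --  0.0.0.0/0            0.0.0.0/0            state INVALID
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
3    DROP       all  --  0.0.0.0/0            0.0.0.0/0            source IP range 192.168.1.211-192.168.1.213'
LISTING_NONE='Chain FORWARD (policy DROP)
num  target     prot opt source               destination
1    DROP       all  --  0.0.0.0/0            0.0.0.0/0            state INVALID
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED'

# On the router: drop_before_established "$(iptables -nL FORWARD --line-numbers)"
if drop_before_established "$LISTING_GOOD"; then
    echo "DROP precedes the ESTABLISHED accept: existing camera flows are cut"
else
    echo "DROP missing or after the ESTABLISHED accept: existing flows survive"
fi
```

    One caveat worth testing rather than assuming: on Broadcom-based models such as the RT-AC86U, flows that the router has already offloaded to hardware acceleration may not pass through netfilter again, so a newly inserted rule is not guaranteed to interrupt them; start a stream, let the rule go in, and watch whether it actually stops.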
  20. EventPhotoMan

    EventPhotoMan Very Senior Member

    Joined:
    Mar 29, 2018
    Messages:
    690
    My suggestion:

    Place your cameras on a smart switch.

    Use ifttt.com to set a geo-fence: turn on the cameras when you go out, turn off the cameras when you go in.

    I use the geo-fence to set my alarm on/off.