Creating Network Services Filter script -- Can this be done?


JohnD5000

Very Senior Member
Not sure where the appropriate forum to ask this is (if there is a better one, please let me know and I'll repost there).

I have an RT-AC86U, running Merlin 384.15 alpha 2 and have AMTM, Skynet, and Entware packages running.

Is something like this possible? If so, how (I'm thinking a script or some script package that can be loaded)?

I have an elderly parent with dementia staying in my home with my family. Usually, I am home with him, but occasionally I have to leave him alone. I set up wireless cameras in the house so that my family can monitor him while he is alone. However, I do not want the cameras on while I am home with him. My thinking is that I always have my phone with me. Therefore, when the phone is connected to the home network, I'd like the cameras off. When the phone is not connected to the network, I'd like the cameras on.

I was playing around and discovered that filtering by MAC address will not work (since the cameras are battery operated and when blocked they shut off). But if I go to Firewall/Network Services Filter and set up a filter for the IP address and protocol UDP, no one can connect to the cameras and they do not lose their connection.

I have manually assigned the following DHCP IPs:
192.168.1.200 Phone
192.168.1.211 Camera 1
192.168.1.212 Camera 2
192.168.1.213 Camera 3

My thought is, when Phone (ip 192.168.1.200) is not connected to wireless network, 3 Network Services Filters would be created:
192.168.1.211 UDP
192.168.1.212 UDP
192.168.1.213 UDP

When phone (IP 192.168.1.200) reconnects to the wireless network, the 3 filters would be deleted.

Is there any way to automate this with a script or something?

Thank you.
 
Another idea is, if you know what times of the day you are home, you can place the cameras on a time schedule (and yes, this can include intervals of time as well). That is just a thought. "The easier, but not necessarily better route." I have my children's devices on a time schedule and it seems to work pretty well with switching to when they are or are not allowed. It redirects the traffic; the cameras will still be on Wi-Fi, just with no internet access, as the traffic gets redirected per the time schedule abilities under parental filtering.
 
Thanks, but if I understand that thread, it is a way to run on the router while connected over SSH that provides a list of active devices on the network in the same way that the "Client Status" screen shows on the home page.

I already know the IPs (they are manually assigned) and I know the MAC addresses.

What I want to know is if I can create a script that:
  • A: loops through the router's assoclist and compares each MAC or IP against a list that is provided.
  • B: if there is no match, adds a firewall rule using iptables that will drop/reject the traffic from/to your camera (i.e. a Network Services Filter for the IP address for protocol UDP).
  • C: in case of a match, removes the rule from the firewall, therefore allowing the traffic to/from your camera.
Maybe add the script to a cron that runs every x minutes.

I've been trying to do a little NOOB research and steps B & C look like they would be 1 line command with IPTABLES per camera (just have to figure it out). Not sure on the A step. Or am I way off?

Thanks
 
You've got the right idea; use this as a hacky guide to give you an idea.

Could be far more robust, but this would work, I'm pretty sure. This is based on my extremely limited testing of connectivity and 'arp -n' showing either the MAC when it's connected or <incomplete> when not. You need to change the 00:00:00 to the last six of your phone's MAC.

Could run this using a cron every 5, 10, 15 mins using an init-start script.

And I'm not 100% sure this needs to be in the FORWARD table or in a different one... too late in the evening and my extracurriculars are working ;)

Code:
#!/bin/sh

ping -c3 -w2 192.168.1.200   # ping the phone so its ARP entry is refreshed
sleep 2

# arp shows the phone's MAC when it is connected, or <incomplete> when it is not
arp -n | grep "192.168.1.200" | grep -q "00:00:00"
if [ $? -eq 0 ]; then   # phone appears connected
    iptables -L FORWARD | grep -q "192.168.1.211-192.168.1.213"   # is the rule already in place?
    if [ $? -eq 0 ]; then
        exit 0
    else
        iptables -I FORWARD 1 -p udp -m iprange --src-range 192.168.1.211-192.168.1.213 -j DROP   # add rule to drop .211 .212 .213
    fi
else   # phone appears disconnected
    iptables -L FORWARD | grep -q "192.168.1.211-192.168.1.213"   # is the rule there? if so, delete it
    if [ $? -eq 0 ]; then
        iptables -D FORWARD -p udp -m iprange --src-range 192.168.1.211-192.168.1.213 -j DROP
    else
        exit 0   # phone not connected and rule not in place
    fi
fi
 
Oh, and I'm curious how the cameras are accessed remotely over the Internet?

VPN? Port forward? Web interface of some kind?

Just want you to know: if it's not a VPN, you leave that network vulnerable if someone ever hacked the connection, and if it is a VPN, the rules would be different, I think, if possible at all with iptables.
 
Wow! This is great! This will be my first script. Now, when I get some free time, I just need to study this, figure out how to load it to the router, and create a cron init-start job to see if it works! THANKS!
 

I'm not running a VPN or port forwarding. These cameras run off an Android app called CloudEdge:
https://play.google.com/store/apps/details?id=com.cloudedge.smarteye
The app takes care of all the "work" of connecting and all. Not sure exactly how it works (and hopefully it is secure). Seems like a lot of cameras run off this app. Anyhow, you create an account, enter a name & PW and select the QR code of the camera. Another person can create an account and you can share the camera with them (they can log in and view, too). Not sure how it works, but when it was connected, I noticed it had TCP and UDP connections using the System Logs/Connections page in the GUI when the camera was on. I went through all 8 of the options in the Firewall/Network Services Filter. The 7 TCP protocols didn't do anything and the camera still connected, but the UDP protocol seemed to stop the connection in the app. There is probably a better way to block the camera, but I'm a networking NOOB trying to learn. My first attempt to block the camera was using the Wireless\MAC Filter. But the camera could not connect to the network, so it needed to be physically reset when I removed the MAC filter, so that didn't work.
 
I'm not running a VPN or port forwarding. These cameras run off an Android app called CloudEdge

That's fine then. The cameras likely use a UDP connection to a command and control server somewhere in the world; your app on the phones connects to the same C&C server and gets your camera feed that way. As long as you have a nonstandard user name and a complex password, that will be as secure as you can make it.

The iptables rules I listed should work for you then.

I'd look into more about writing scripts and add some logger entries so the script can write some stuff to your router log, so you can see what's happening when the script runs instead of it being totally silent. E.g. logger -t camerablock "Phone connected, adding blocking rule" etc.

The script I posted is as basic as it gets and only covers the functionality you were looking for without anything else.... I really put it there to show what can be used to accomplish what you want; it's there for you to build off as a starting point.

And I'll just reiterate I'm a total noob as well; gurus might have other suggestions, but this would be perfect as a starting point for you, I think.
 
Again thanks, so I can more or less follow everything that you wrote but have 1 question. On line:

iptables -I FORWARD 1 -p udp -m iprange --src-range 192.168.1.211-192.168.1.213 -j DROP #adds rule to drop .211 .212 .213

why is the 1 there, doesn't that remove the first rule in the ip table? What if there are other rules there that are 1st?

Sorry, this is an insert, but I still don't follow the 1.

Thanks
 

Thanks. Right now, I'll be happy to get my first script loaded and running as a cron job. Once it's up and running, I can use it as a building block to learn and add more. BTW, I'd say you're well above NOOB.
 
iptables -I FORWARD 1 -p udp -m iprange --src-range 192.168.1.211-192.168.1.213 -j DROP #adds rule to drop .211 .212 .213

-I is insert; the 1 specifies it to be the first rule in the chain, is all. It doesn't remove any rules; it would just insert the rule as the first in the chain.

Something else I'll mention.

All commands like iptables, etc. have manual pages. Either type 'iptables --help' in an SSH console to see options, or just google "iptables man page" (manual page). Just know that all options listed on a command's man page may not be available on the router due to the limited Ash shell, but iptables --help will show what is supported.
 
So, I think the script is working, but when the script inserts the UDP rules, should I be able to see them in the GUI if I go to Firewall/Network Service Filters? Because if I should, I cannot see them there. If I create the rules in the GUI, I don't see them removed, etc. Is there a place to view the rules to see if they have been created/removed from the system if I can't see them from the GUI?
 
So, I think the script is working, but when the script inserts the udp rules, should I be able to see them in the GUI if I go to Firewall/Network Service Filters?
No, the GUI is not affected by the script. There may be a way to have the script toggle the Network Services Filter so it's visible in the GUI, but that's beyond me.

The best way to tell is to add logger lines to the script, and you can check the router logs for changes happening. Otherwise you can SSH into the router and type 'iptables -L FORWARD' and it will list the rules in the forward table. Your blocking rule should list as the first one, based on the script, when your phone is connected and not appear when your phone is disconnected.

Best way to tell if the script is working is to connect your phone to the network and wait however long you set the cron job (my cron example I posted in your other thread was every 2 mins) to run, to be sure the script ran; then technically you shouldn't be able to access the cameras.
 
Thinking about this more, it would require more testing, but there is also the possibility that if the camera is being viewed by a third party, the phone connects and the UDP rule applies, the third party MAY still get the video feed if they haven't closed the app. My thinking is the UDP is simply a control connection, and when a phone connects it might initiate a stream over TCP, which wouldn't be blocked.
And because they connected before any blocking rules, their TCP connection would possibly still be active.

You maybe can solve this by simply removing the -p udp from the script, but I'm not 100% sure how established connections are treated when a rule is added.
 

Thanks for the info!
 

Not sure what it means, but when the UDP rule is in effect, you cannot view the camera from outside the network, but you can view the camera from a client connected to the wireless network. Further testing proves that you are correct: if connected from outside the network and the UDP rule goes into effect, you stay connected, but if you stop viewing, you cannot restart viewing.

I don't have time to test what would happen if I remove the -p udp from the script, but that is something to try out.

Thanks
 
Further testing proves that you are correct: if connected from outside the network and the UDP rule goes into effect, you stay connected, but if you stop viewing, you cannot restart viewing.

Something about a hunch coming true that gives me that warm fuzzy feeling, haha.

Ya, at least it sounds like a well-written Android app, in that it looks for the camera on the local network before sending a request to the command and control somewhere in the world, which is why you can still access it on the local network.

If you remove the -p udp from the script, it will just ensure it blocks the TCP video stream as well but retain local access like you have now. I'm just not confident on whether it would kill an already established connection or not. In theory, in my way of thinking, as soon as the rule was applied it would kill all connections and you wouldn't have to worry about a third party maintaining a stream initiated before the rules were in place, but I could be wrong on that. You'll have to test it out, or maybe someone else can confirm whether a new iptables rule would block an existing established connection.
 
I removed the -p udp from the 2 iptables lines.

When the phone is connected, it appears to work:

Code:
admin@RT-AC86U-07F8:/jffs/scripts# iptables -L FORWARD
Chain FORWARD (policy DROP)
target prot opt source destination
DROP all -- anywhere anywhere source IP range 192.168.1.211-192.168.1.213


But when the phone is disconnected, it doesn't remove the rule (but sometimes it does).

Sometimes it returns this (but not always which is confusing me)
"iptables: Bad rule (does a matching rule exist in that chain?)."


Any ideas?

Here is my current script:

Code:
#!/bin/sh

# TEST: -p udp removed from the iptables lines

ping -c3 -w2 192.168.1.200   # ping the phone so its ARP entry is refreshed
sleep 2

arp -n | grep "192.168.1.200" | grep -q "33:69:68"
if [ $? -eq 0 ]; then   # phone appears connected
    iptables -L FORWARD | grep -q "192.168.1.211-192.168.1.213"   # is the rule already in place?
    if [ $? -eq 0 ]; then
        exit 0
    else
        iptables -I FORWARD 1 -m iprange --src-range 192.168.1.211-192.168.1.213 -j DROP   # add rule to drop .211 .212 .213
    fi
else   # phone appears disconnected
    iptables -L FORWARD | grep -q "192.168.1.211-192.168.1.213"   # is the rule there? if so, delete it
    echo $?
    if [ $? -eq 0 ]; then
        iptables -D FORWARD -m iprange --src-range 192.168.1.211-192.168.1.213 -j DROP
    else
        exit 0   # phone not connected and rule not in place
    fi
fi
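The intermittent "Bad rule" error in the script above comes from the `echo $?` line: echo itself succeeds, so `$?` is 0 by the time the `if` reads it, and the delete branch runs even when no rule exists. Below is an added rewrite (not the poster's script) that puts each command directly in its `if` and checks for the rule with `iptables -C`; it assumes the addresses from the thread, a placeholder MAC suffix, and an iptables build that supports `-C`.

```shell
#!/bin/sh
# Added example, not the script from the thread. Addresses are the ones the
# thread uses; the MAC suffix is a placeholder you must replace.

PHONE_IP="192.168.1.200"
PHONE_MAC_SUFFIX="00:00:00"      # placeholder: last three octets of the phone's MAC
CAMERA_RANGE="192.168.1.211-192.168.1.213"

# Write to the router log as suggested in the thread; fall back to stderr.
log() { logger -t camerablock "$1" 2>/dev/null || echo "camerablock: $1" >&2; }

# Ping the phone so the ARP cache holds a fresh entry before we read it.
refresh_arp() {
    ping -c 3 -w 2 "$PHONE_IP" >/dev/null 2>&1
    sleep 2
}

# Phone is present when arp shows its MAC next to its IP ("<incomplete>" otherwise).
phone_present() {
    arp -n | grep "$PHONE_IP" | grep -q "$PHONE_MAC_SUFFIX"
}

# iptables -C exits 0 only when an identical rule exists in the chain, so no
# grep over -L output is needed and there is no $? to clobber (assumes a build
# with -C support; otherwise use: iptables -L FORWARD -n | grep -q "$CAMERA_RANGE").
rule_present() {
    iptables -C FORWARD -m iprange --src-range "$CAMERA_RANGE" -j DROP 2>/dev/null
}

# Bring the firewall in line with the phone's presence. Each command under test
# sits directly in its if, which is what the echo $? in the thread broke.
# Prints the action taken: add, delete or none.
sync_camera_rule() {
    if phone_present; then
        if rule_present; then
            echo none
        else
            iptables -I FORWARD 1 -m iprange --src-range "$CAMERA_RANGE" -j DROP
            log "phone connected, camera DROP rule added"
            echo add
        fi
    else
        if rule_present; then
            iptables -D FORWARD -m iprange --src-range "$CAMERA_RANGE" -j DROP
            log "phone away, camera DROP rule removed"
            echo delete
        else
            echo none
        fi
    fi
}

# Only reconcile when run directly as camera_sync.sh (e.g. from cron every few minutes).
case "${0##*/}" in
    camera_sync.sh) refresh_arp; sync_camera_rule ;;
esac
```

Save it as /jffs/scripts/camera_sync.sh and call it from the cron entry; the `none` branch makes repeated runs harmless, so a frequent interval is fine.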
 