Help Please..Need assistance stopping outbound connections!


Techno

Occasional Visitor
As the title of the thread states, I need assistance with adding FW rules to my N66U to try and alleviate outbound connections from my IP cams. I logged onto my router web interface today and went to the WAN tab and looked up "Active Connections" and noticed two of my IP cams are connecting to a China IP.

My firmware is Merlin 380.64_2. I do not have any open ports and have turned off all connections on both router (UPnP) and the individual cams (UPnP, P2P, Bonjour, etc) and even use OpenVPN but this does not stop them from making outbound connections. I have some networking experience but kind of a rookie at adding scripts and stuff and especially doing FW rules.

Any assistance would be greatly appreciated.
 


redhat27

Very Senior Member
Outbound connections should not be an issue (maybe the cams are checking for firmware updates?) More concerning would be inbound connections to your cams. You should have a strong password for your cams and use the router firewall to block unwanted connections
 

ColinTaylor

Part of the Furniture
How about Firewall > Network Services Filter
 

Techno

Occasional Visitor
Outbound connections should not be an issue (maybe the cams are checking for firmware updates?) More concerning would be inbound connections to your cams. You should have a strong password for your cams and use the router firewall to block unwanted connections

I've read that outbound connections could also be harmful as well. I shouldn't have any connections inbound due to UPnP turned off and no port forwarding (I use built in vpn) so FW should be taking care of that side of things.

I do change the default password on all my cams.
 

ColinTaylor

Part of the Furniture
There used to be a bug that stopped Network Services Filter from working, I suggest you try it.

But before you do that, can't you just go to the Network Map, click on the camera and select "block internet access"?
 

Techno

Occasional Visitor
There used to be a bug that stopped Network Services Filter from working, I suggest you try it.

But before you do that, can't you just go to the Network Map, click on the camera and select "block internet access"?

Sorry for me being an idiot but I have not even tried that...I will try that now that you mentioned it.

Any way for me to tell that it's actually working? Do I just keep looking at the active connections log over the next few days to make sure I don't see the cam's IP address making an outbound connection or is there another foolproof way?

Editing this last post because I blocked Internet access under the network map as you stated (the slide bar is now set to on) but the ip is still showing connected under active connections even after refreshing several times.
 

HeMaN

Regular Contributor
I suppose active connections will not be killed when you add a new rule. Try turning the cam (or router) off and on again to kill the active session and see if it is able to create a new connection (should not be possible)

 

Xentrk

Part of the Furniture
I know of others whose cameras are calling home base in China. Including Baidu.com which is one bad site that attempts to take over your PC.

Assign your cameras a static IP address. If it is 192.168.2.199 for example, issue the command:

iptables -I FORWARD -s 192.168.2.199 -j DROP

This will drop traffic to the WAN. You can put this in /jffs/scripts/firewall-start file.

Another way is to create a /jffs/configs folder, then create a file called dnsmasq.conf.add and add an entry like:

server=/googleadservices.com/127.0.0.1

The 127.0.0.1 is the loopback address to your router. So the packet will get dropped there.

See https://github.com/RMerl/asuswrt-merlin/wiki/Custom-config-files to learn more about dnsmasq.conf.add

EDIT:
Another way is to install AB-Solution and add the URL to the block list. If you have a large enough USB drive, you can create one partition for entware and another for absolution using these instructions:

http://www.algissalys.com/how-to/format-and-partition-usb-asuswrt-routers

I had a bunch of 1GB and 2GB vendor swag thumb drives left over from my IT career. I used one for entware and one for absolution and connected them to a USB 2.0 hub attached to my router.
 

Techno

Occasional Visitor
I suppose active connections will not be killed when you add a new rule. Try turning the cam (or router) off and on again to kill the active session and see if it is able to create a new connection (should not be possible)

I looked in my "active connections" log this morning and I do not see the camera making a connection outbound any longer. Maybe sometime overnight the connection finally got dropped...not sure. I still am not feeling confident this is a "long term" solution. I feel like I need to put in a permanent rule to block ALL outbound connections from several of my cams...I have a lot!
 

Techno

Occasional Visitor
I know of others who cameras are calling home base in china. Including Baidu.com which is one bad site that attempts to take over your PC.

Assign your cameras a static IP address. if it is 192.168.2.199 for example, issue the command:

iptables -I FORWARD -s 192.168.2.199 -j DROP

This will drop traffic to the WAN. You can put this in /jffs/scripts/firewall-start file.

Another way is to create a /jffs/configs folder, then create a file called dnsmasq.conf.add and add an entry like:

server=/googleadservices.com/127.0.0.1

The 127.0.0.1 is the loopback address to your router. So the packet will get dropped there.

See https://github.com/RMerl/asuswrt-merlin/wiki/Custom-config-files to learn more about dnsmasq.conf.add

Another way is to install AB-Solution and add the URL to the block list. For this, you will need two usb drives formatted as ext2, ext3 or ext4. One is for entware and the other for absolution.

Thanks for your post...really appreciate it. In reference to your comment about cams calling home to China....yeah that's what I am afraid of which is why I really want to rectify this situation. All my cams are assigned static IPs out of my DHCP scope so I do not have to worry about overlap.

I really would like to "learn" how to input a FW rule in the iptable but not really sure how. I've been looking over several forum posts and even read the wiki but I'm still a little unsure. So far what I have learned is you have to either telnet or SSH into your router. But I assume you have to turn the telnet functionality on first? And also you have to turn on the ability to make changes to the /jffs/scripts area I believe?

From there it really starts to get muddy as far as what command I start with first in order to input a rule. Also in reference to the rule you posted...the other thread I was reading listed the following rule which is similar to yours but varies just a bit: iptables -I FORWARD 2 -s 10.100.1.16 -o eth0 -j DROP

Not sure about the number after the FORWARD command and also they listed eth0 which is the WAN connection out I believe. I also need this rule to take care of both tcp and udp connections and not sure if I have multiple IP addresses (due to multiple cams) can I do some sort of range or do you have to do each individual cam address?
 

Xentrk

Part of the Furniture
Thanks for your post...really appreciate it. In reference to your comment about cams calling home to china....yeah that's what I am afraid of which is why I really want to rectify this situation. All my cams are assigned static IP's out of my dhcp scope so I do not have to worry about overlap.

I really would like to "learn" how to input a FW rule in the iptable but not really sure how. I've been looking over several forums posts and even read the wiki but I'm still a little unsure. So far what I have learned is you have to either telnet or SSH into your router. But I assume you have to turn the telnet functionality on first? And also you have to turn on the ability to make changes to the /jiffs/scripts area I believe?

From there it really starts to get muddy as far as what command I start with first in order to input a rule. Also in reference to the rule you posted...the other thread I was reading listed the following rule which is similar to yours but varies just a bit: iptables -I FORWARD 2 -s 10.100.1.16 -o eth0 -j DROP

Not sure about the number after the FORWARD command and also they listed eth0 which is the WAN connection out I believe. I also need this rule to take care of both tcp and udp connections and not sure if I have multiple IP addresses (due to multiple cams) can I do some sort of range or do you have to do each individual cam address?

At a minimum, you need to enable an SSH session in the web GUI in order to access the Linux command line. In the GUI, go to Administration, select the System tab. Go to SSH Daemon. Set enable SSH to LAN. If you also select WAN, you open up your router to the web. Don't do it. Here is how you should set it up:
upload_2017-3-17_21-0-2.png


While you are at it, enable JFFS. Set Enable JFFS custom scripts and configs to Yes. Set Format JFFS partition at next boot to Yes. Then reboot. This will create a directory called jffs on the root level.

Then, use an SSH client program like Putty to access the command line. I use MobaXterm. It is free. There is a built-in editor called Nano you can use to add the line to the firewall-start file. Before doing this though, you can just enter the iptables command at the command line and it will persist as long as you don't reboot the router.

From there, you can create a subdirectory called scripts.

mkdir /jffs/scripts
cd /jffs/scripts

This is where the firewall-start file needs to reside. You can use the Nano editor to add the iptables command to the file. Or the vi editor. nano firewall-start. If you don't want to use editor, you can do this:

echo "iptables -I FORWARD -s 192.168.2.199 -j DROP" > firewall-start

If you have more lines to add, use the same technique but use two greater-than signs to append:

echo "iptables -I FORWARD -s 192.168.2.200 -j DROP" >> firewall-start

Then, issue the command: cat firewall-start to see the contents of the file.

You will need to change the firewall-start permissions so it is executable: The command: chmod 755 firewall-start will take care of it. Then, when you reboot, the iptables commands will be executed. They will drop all packets to the web from that IP address.
 

sfx2000

Part of the Furniture
I logged onto my router web interface today and went to the WAN tab and looked up "Active Connections" and notice two of my ip cams are connecting to a China ip.

Interesting - shouldn't be happening (unless it ties into some cloud connection) - who is the vendor of the IP cam (including model number)...
 

Xentrk

Part of the Furniture
Another forum member told me his made in China cameras sold here in Thailand want to phone home to Baidu.com. I blacklist Baidu at the two sites I support here.
 

Techno

Occasional Visitor
Interesting - shouldn't be happening (unless it ties into some cloud connection) - who is the vendor of the IP cam (including model number)...

Dahua IPC-HDW4431C-A

Trust me...I logged into the camera and turned everything off that I could find. It's known out there that some of these cams could have "hidden" access that you can't see. Probably some cloud connection or something....
 

sfx2000

Part of the Furniture

Techno

Occasional Visitor
At a minimum, you need to enable SSH session on the web gui in order to access the linux command line. In the gui, Go to Administration, Select the System Tab. Go to SSH Deamon. Set enable SSH to LAN. If you also select WAN, you open up your router to the web. Don't do it. Here is how you should set it up:
View attachment 8762

While you are at it enable JFFS. Set enable Enable JFFS custom scripts and configs to Yes. Set Format JFFS partition at next boot to Yes. Then reboot. This will create a directory called jffs on the root level.

Then, use a ssh client program like Putty to access the command line. I use MobaXterm. It is free. There is built in editor called Nano you can use to add the line to firewall-start file. Before doing this though, you can just enter the iptables command at the command line and it will persist as long as you don't reboot the router.

I am good up to here so far....if I am understanding correctly. Once I SSH in using Putty or that app you suggested...btw do I just type in the router IP and my username / password to SSH in? Anyway, I can simply add iptables commands after logging in except they won't be saved if I reboot the router?

From there, you can create a subdirectory called scripts.

mkdir /jffs/scripts
cd /jffs/scripts

This is where the firewall-start file needs to reside. You can use the Nano editor to add the iptables command to the file. Or the vi editor. nano firewall-start. If you don't want to use editor, you can do this:

echo "iptables -I FORWARD -s 192.168.2.199 -j DROP" > firewall-start

If you have more lines to add, use the same technique but use two greater-than signs to append:

echo "iptables -I FORWARD -s 192.168.2.200 -j DROP" >> firewall-start

Then, issue the command: cat firewall-start to see the contents of the file.

You will need to change the firewall-start permissions so it is executable: The command: chmod 755 firewall-start will take care of it. Then, when you reboot, the iptables commands will be executed. They will drop all packets to the web from that IP address.

This is where I am starting to get lost a little....if I want to save these iptables commands permanently I have to create a folder called scripts and save a firewall-start file in there? I am not sure how to create a firewall-start file under this newly created scripts subdirectory. Or you say I can simply enter in the specific commands without creating a firewall-start file like this:

echo "iptables -I FORWARD -s 192.168.5.189 -j DROP" >> firewall-start
echo "iptables -I FORWARD -s 192.168.5.190 -j DROP" >> firewall-start
echo "iptables -I FORWARD -s 192.168.5.191 -j DROP" >> firewall-start
and if my last ip is 192 I would put only one greater than sign
echo "iptables -I FORWARD -s 192.168.5.192 -j DROP" > firewall-start

Sorry for the crazy questions but I have never SSH'd into a Linux system before so this is all new to me but willing to learn for sure.
 

Xentrk

Part of the Furniture
I am good up to here so far....if I am understanding correctly. Once I SSH in using Putty or that app you suggested...btw do I just type in the router IP and my username / password to SSH in? Anyway, I can simply add iptables commands after logging in except they won't be saved if I reboot the router?



This is where I am starting to get lost a little....if I want to save these iptables commands permanently I have to create a folder called scripts and save a firewall-start file in there? I am not sure how to create a firewall-start file under this newly created scripts subdirectory. Or you say I can simply enter in the specific commands without creating a firewall-start file like this:

echo "iptables -I FORWARD -s 192.168.5.189 -j DROP" >> firewall-start2
echo "iptables -I FORWARD -s 192.168.5.190 -j DROP" >> firewall-start2
echo "iptables -I FORWARD -s 192.168.5.191 -j DROP" >> firewall-start2
and if my last ip is 192 I would put only one greater than sign
echo "iptables -I FORWARD -s 192.168.5.192 -j DROP" > firewall-start2

Sorry for the crazy questions but I have never done SSH'd into a linux system before so this is all new to me but willing to learn for sure.

The above will work except you want to use >> for all. If you use one > on the last line, it will wipe out everything else you entered. Ouch! Here is how you should do it (I use firewall-start2 as I already have a firewall-start and don't want to wipe it out).

Code:
[email protected]:/tmp/home/root# cd /jffs/scripts
[email protected]:/jffs/scripts# echo "iptables -I FORWARD -s 192.168.5.189 -j DROP" >> firewall-start2
[email protected]:/jffs/scripts# echo "iptables -I FORWARD -s 192.168.5.190 -j DROP" >> firewall-start2
[email protected]:/jffs/scripts# echo "iptables -I FORWARD -s 192.168.5.191 -j DROP" >> firewall-start2
[email protected]:/jffs/scripts# echo "iptables -I FORWARD -s 192.168.5.192 -j DROP" >> firewall-start2
[email protected]:/jffs/scripts# cat firewall-start2
iptables -I FORWARD -s 192.168.5.189 -j DROP
iptables -I FORWARD -s 192.168.5.190 -j DROP
iptables -I FORWARD -s 192.168.5.191 -j DROP
iptables -I FORWARD -s 192.168.5.192 -j DROP

Make the file executable: chmod 755 firewall-start

I highly recommend you learn some basic Linux commands on the web and learn how to SSH into the router. It will open up more things you can do on your router. There are scripts on the forum for privacy, malware, country block, entware and ad blocking that enhance your router. Again, you will need an SSH client on your PC to SSH into your router.

You can also try the Nano editor built into Merlin Firmware if you want to try that as well. I prefer MobaXterm as my ssh client software. It also has a built in editor. But you need an SFTP session to use it. And that means you would need to install an entware package which is more involved.
 

Techno

Occasional Visitor
The above will work except you want to use >> for all. If you use one > on the last line, it will wipe out everything else you entered. Ouch! Here is how you should do it (I use firewall-start2 as I already have a firewall-start and don't want to wipe it out).

Code:
[email protected]:/tmp/home/root# cd /jffs/scripts
[email protected]:/jffs/scripts# echo "iptables -I FORWARD -s 192.168.5.189 -j DROP" >> firewall-start2
[email protected]:/jffs/scripts# echo "iptables -I FORWARD -s 192.168.5.190 -j DROP" >> firewall-start2
[email protected]:/jffs/scripts# echo "iptables -I FORWARD -s 192.168.5.191 -j DROP" >> firewall-start2
[email protected]:/jffs/scripts# echo "iptables -I FORWARD -s 192.168.5.192 -j DROP" >> firewall-start2
[email protected]:/jffs/scripts# cat firewall-start2
iptables -I FORWARD -s 192.168.5.189 -j DROP
iptables -I FORWARD -s 192.168.5.190 -j DROP
iptables -I FORWARD -s 192.168.5.191 -j DROP
iptables -I FORWARD -s 192.168.5.192 -j DROP

Make the file executable: chmod 755 firewall-start

I highly recommend you learn some basic linux commands on the web and learn how to ssh into the router. It will open up more things you can do on your router. There are scripts on the forum for privacy, malware, country block, entware and ad blocking that enhance your router. Again, you will need a ssh client on your PC to ssh into your router.

You can also try the Nano editor built into Merlin Firmware if you want to try that as well. I prefer MobaXterm as my ssh client software. It also has a built in editor. But you need an SFTP session to use it. And that means you would need to install an entware package which is more involved.

Ok, it's getting a little bit clearer....I think my only hang up at this point is whether I need to just use Putty and input those iptables commands into the /jffs/scripts directory or do I NEED to use that other app and use that editor (Nano) to input the firewall-start file? I believe you said the difference is if I just use putty and input the commands if I reboot the router all will be lost.

Obviously, rebooting the router happens from time to time so I believe I would rather make this a permanent thing so I guess I need a little more info on how to use the editor inside the MobaXterm app...I have never used that before...I have used putty to telnet and console into a cisco switch but that is about the extent of my experience.

Also, just wanted to report back that last night I went into network map and found the IP address of the cam in question and selected to "block internet access"...well that appears to have killed my access via VPN. I just tried while on break today and that was the only cam that did not show up so I'm thinking it's more than a coincidence that it doesn't work! This is a no go for me as I use VPN to view my cams quite often....I'm just curious if putting in these FW rules (iptables) is going to affect VPN connection as well since it will not allow the cams to make an "outbound" connection?
 
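An added example, not code posted by anyone in this thread: a firewall-start script covering the open questions above (several cameras, TCP and UDP together, the number after FORWARD, the -o option, and VPN viewing). It assumes the WAN interface name arrives as the first argument (eth0 in the rule Techno quotes) and that the built-in VPN is a routed (tun) server on the router, so camera replies to VPN clients leave through the tunnel interface and are not matched by a rule limited to the WAN interface; the camera addresses are the sample ones from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): /jffs/scripts/firewall-start that blocks
# camera traffic leaving through the WAN interface only.
# Assumptions: the camera list reuses the sample addresses from the thread, and
# the WAN interface name is passed as $1 (the thread's other rule uses eth0).

IPT="${IPT:-iptables}"          # set IPT="echo iptables" for a dry run
CAMS="${CAMS:-192.168.5.189 192.168.5.190 192.168.5.191 192.168.5.192}"

# Succeeds only for a dotted quad with four octets in 0..255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                   # split on dots into $1..$4
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Insert one DROP rule per camera, limited to packets routed out of $1.
# No -p option is given, so TCP, UDP and every other protocol match.
# Returns 0 if every address was usable, 1 if any was skipped, 2 on bad usage.
block_cams_to_wan() {
    wan_if="$1"
    [ -n "$wan_if" ] || { echo "usage: firewall-start <wan-if>" >&2; return 2; }
    skipped=0
    for ip in $CAMS; do
        if ! valid_ipv4 "$ip"; then
            echo "firewall-start: skipping bad address '$ip'" >&2
            skipped=1
            continue
        fi
        # Delete any earlier copy first so a re-run never stacks duplicates.
        $IPT -D FORWARD -s "$ip" -o "$wan_if" -j DROP 2>/dev/null || true
        # -I with no number puts the rule at position 1, ahead of the
        # firmware's own ACCEPT rules ("-I FORWARD 2" would mean position 2).
        $IPT -I FORWARD -s "$ip" -o "$wan_if" -j DROP
    done
    return "$skipped"
}

# Run only when an interface argument is supplied.
if [ -n "${1:-}" ]; then
    block_cams_to_wan "$1"
fi
```

Running `iptables -L FORWARD -v -n` afterwards lists the rules with per-rule packet counters, which shows whether a camera is still trying to reach out.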
