Help Please..Need assistance stopping outbound connections!


PuTTY, MobaXterm, WinSCP, XShell....I thought a good all around app would be the WinSCP because you can do different things within the router system like create files, folders but not sure if it's considered an "editor" so that I can paste in a script?

Yes

WinSCP has an internal Linux compatible editor, so all you need to do is double click a file to edit/view its contents....just like Windows explorer etc.
(I personally have customised WinSCP to tell it to use notepad++ for a better scripting experience etc. but this is not essential)

WinSCP can also open a basic SSH terminal session to the router, or if PuTTY is installed, WinSCP can be customised to invoke PuTTY...useful if PuTTY has a saved logon password :eek:.
But feature-wise, Xshell is sooo much better than PuTTY, particularly if you spend a lot of time on the SSH command line i.e. customised shortcut buttons to save you tediously manually retyping a sequence of commands.

So I would create a folder in the configs system area called IPGroups and then create a script called IPCamBlock.sh? Sorry for the confusing questions but I must admit...I am a little confused now that we are not creating the script in the standard firewall-start area.

No idea why you use the term 'area'...'/jffs/configs' and '/jffs/scripts' are folders, and are created by the firmware for both internal ASUS and conveniently your use, so effectively you are only creating files.


That is a very long script....so someone could just copy and paste that entire thing into the system? I would assume some things would need to be changed within the script like IP settings, changing or removing the references to your name, etc?

Yes.

The idea is that you don't need to touch the code once it has been cut'n'pasted into the '/jffs/scripts/IPCamsBlock.sh' file on the router - but sadly cut'n'paste seems to be simply beyond the IT skills of some :eek:

Clearly 'Martineau' should be changed/deleted...(along with removing the NTP rule if you have an internal NTP server) but if you are not comfortable with scripting syntax etc., you could break it! :D so I'd leave it for now...as I may decide to post a tweaked version to include a 'del' function (so I might as well remove my trademark :cool:) so you could instantly unblock the cameras to see exactly which sites they are trying to connect to. ;)
 
Yes

WinSCP has an internal Linux compatible editor, so all you need to do is double click a file to edit/view its contents....just like Windows explorer etc.

Got it...I will plan on using WinSCP then!

No idea why you use the term 'area'...'/jffs/configs' and '/jffs/scripts' are folders, and are created by the firmware for both internal (Asus) and conveniently your use, so effectively you are only creating files.

Because I guess I am an idiot...lol I dunno...just had a weak moment I guess! Yes I understand that /jffs/configs and /jffs/scripts are folders created by the Asus firmware. So I am not creating any more folders just "files" under these two folders. Got it.

Could you clarify that I will need to create a file called IPGroups under the /jffs/configs folder as the first thing? And then I create a file called IPCamBlock.sh under the /jffs/scripts folder and paste in the script that you so generously supplied in your last post?

The idea is that you don't need to touch the code once it has been cut'n'pasted into the '/jffs/scripts/IPCamBlock.sh' file on the router - but sadly cut'n'paste seems to be simply beyond the IT skills of some :eek:

No offense taken :) I am fairly confident that I can cut'n'paste / copy'n'paste the script into the file once it's created...just trying to get all my pieces together and document step by step how I am going to do this. I get in trouble for being waaaayyyyy too thorough from the spouse as well. The last thing I want to have happen is to be SSH'd into the router, create a few files and say "now what do I do next?"

Clearly 'Martineau' should be changed/deleted...(along with removing the NTP rule if you have an internal NTP server) but if you are not comfortable with scripting syntax etc., you could break it! :D so I'd leave it for now...as I may decide to post a tweaked version to include a 'del' function (so I might as well remove my trademark :cool:) so you could instantly unblock the cameras to see exactly which sites they are trying to connect to. ;)

That is what I thought...I was just making sure.
 
Could you clarify that I will need to create a file called IPGroups under the /jffs/configs folder as the first thing? And then I create a file called IPCamBlock.sh under the /jffs/scripts folder and paste in the script that you so generously supplied in your last post?

Install WinSCP, click 'New Site', then set the 'File protocol' for the router connection to SCP...do not use the default SFTP.

Then provide your logon credentials etc. and if you successfully connect you should be presented with two panes...

(Excuse my gaudy background colour, but I support several remote routers, so it helps me remember which one I'm on before hacking the wrong configs/scripts :eek:)


Left pane is a local Windows folder; right pane is the remote router folder.


HINT: You can drag'n'drop between panes so you can easily create a backup of the router scripts/config files etc. to your local laptop (or quickly restore files, if the router loses its /jffs/ partition etc.)

NOTE: Once you are in the appropriate folder (right-hand pane!) on the router...
Right click and select 'New->File' (or Shift+F4) and this will open a new blank file (or simply double click an existing file to view/edit).

So if you are in the /jffs/configs folder, then enter 'IPGroups' into the initial dialog that pops up....then type the 'CAMERAS' line with your list of camera I/P addresses separated by ',' and save it.

Then navigate to /jffs/scripts, and this time enter 'IPCamsBlock.sh' as the name and paste in the code that I posted.
Save the file then right click the script and select properties (or PF9), and put a 'tick' next to the three 'X' boxes (or type 0755 into the octal box)

Time to test the script, so we need to open an SSH terminal session...so rather than mess around with PuTTY/Xshell5 etc. installs, for the moment let's use the internal WinSCP (console) terminal...

Go to the 'Commands' Menu on the upper top left of the WinSCP window, and select 'Open Terminal' (or CTRL-T) then enter './IPCamsBlock.sh init' into the Console dialog box and hit Enter or press the 'Execute' button in the top right corner.

Re-test using './IPCamsBlock.sh' (and './IPCamsBlock.sh status') to check if the rules are blocking outbound access - wait a few seconds, then click 'Execute' again and you will probably see the counts going up!

Isn't WinSCP brilliant! :cool: ...so you can happily create/test/refine/backup your custom scripts with a single tool...normally called an IDE.

So, once the script is working, the camera blocking will be lost if the router is rebooted.
I'll leave it to you to demonstrate what you have learned by completing the final step to ensure the firewall rules are applied @BOOT:D
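An added example, not code from the post above and not part of IPCamsBlock.sh: the same file-creation steps done from a shell instead of WinSCP, together with the reboot-persistence step that the script's own help text documents as a call from /jffs/scripts/firewall-start. The base directory is a parameter (on the router it would be /jffs) so the functions can be tried in a temporary folder first, and the camera list is a constructed sample.

```shell
#!/bin/sh
# Added example (not Martineau's script): create the IPGroups file, and add the
# firewall-start hook idempotently so a second run never duplicates the init line.
# BASE is /jffs on the router; any scratch directory works for a dry run.

# write_ipgroups BASE LIST: write configs/IPGroups with the uppercase CAMERAS keyword
# that IPCamsBlock.sh expects, followed by the comma-separated camera list
write_ipgroups() {
    base=$1
    list=$2
    mkdir -p "$base/configs"
    printf 'CAMERAS  %s\n' "$list" > "$base/configs/IPGroups"
}

# add_firewall_hook BASE: make scripts/firewall-start call 'IPCamsBlock.sh init'
# exactly once, creating the hook with a shebang and execute bit if it is missing
add_firewall_hook() {
    base=$1
    hook=$base/scripts/firewall-start
    mkdir -p "$base/scripts"
    [ -f "$hook" ] || printf '#!/bin/sh\n' > "$hook"
    grep -q 'IPCamsBlock.sh init' "$hook" || printf '%s\n' "$base/scripts/IPCamsBlock.sh init" >> "$hook"
    chmod 0755 "$hook"   # same as ticking the three 'X' boxes in WinSCP
}

# hook_count BASE: how many init lines the hook holds (stays 1 across repeated runs)
hook_count() {
    grep -c 'IPCamsBlock.sh init' "$1/scripts/firewall-start"
}

# is_executable PATH: succeeds when the execute bit is set, which is what makes
# './IPCamsBlock.sh init' work without prefixing 'sh'
is_executable() {
    [ -x "$1" ]
}

# Dry run in a scratch directory (constructed sample addresses)
if [ "${1:-}" = "demo" ]; then
    scratch=$(mktemp -d)
    write_ipgroups "$scratch" '192.168.1.196,192.168.1.15-192.168.1.20'
    add_firewall_hook "$scratch"
    add_firewall_hook "$scratch"
    cat "$scratch/configs/IPGroups" "$scratch/scripts/firewall-start"
    echo "init lines in hook: $(hook_count "$scratch")"
fi
```

Run it with `sh thisfile.sh demo` to see the two files it would produce; point `write_ipgroups` and `add_firewall_hook` at /jffs on the router once the dry run looks right.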
 
Thank you! This is amazing! This worked on the very first try and with just a few minutes of work!

I put my own computer in the affected IP range and I couldn't reach/ping/connect to anything outside of the LAN. Thank you again! This is very kind of you.
 
@Martineau sorry for jumping on an old thread but this is the exact thing I am looking for as well so I wanted to ask three quick questions...

1.)
/jffs/configs/IPGroups
Code:
CAMERAS  192.168.1.196,  192.168.1.15-192.168.1.20,  192.168.1.50:192.168.1.55
The IP Groups file you made... The ranges in particular: I see the first IP is one IP, the second shows a range separated by a hyphen, while the third looks to be separated by a colon. I have a set of static IPs for my cams all listed as 192.168.21.110 through 192.168.21.119, so what would be the correct way to address that range, with a hyphen or colon?

2.) If I were to use that range, would I need to modify the IPCamBlocks.sh script in any way, shape or form to address the fact that my range is 192.168.21.XXX? I see a few IPs listed in the script and was curious since I'm still getting used to using editors for scripts.

3.) What's an easy way to check and see if the scripts are blocking the traffic other than looking at the Active Connections? I read on another forum with regards to the IPTables that if you set it up to DROP and you ping it, it should time out, however I've tried pinging from my recording server and the connections worked... Which I know is what I want because otherwise it wouldn't be able to record the footage, but the server is also on the same switch as the cameras on the network. I tried pinging the cameras from my MacBook which is on the same LAN but was connected to the WiFi and the PING still worked. I was under the assumption that using the IPTables and dropping the connection would block anything coming through the router itself. So with that in mind I'm not sure the script I wrote using the IPTables was correct and I'm looking for another way to test the scripts out.

Any advice would be greatly appreciated.
 
1.) I have a set of static IPs for my cams all listed as 192.168.21.110 through 192.168.21.119, so what would be the correct way to address that range, with a hyphen or colon?

Either; it doesn't matter. Many commands usually allow specification of ranges using hyphens, however there are exceptions! ;)

e.g. iptables uses both
Code:
iptables -A OUTPUT -p tcp --dport 9000:9006 -m iprange --src-range 192.168.0.1-192.168.0.254  -j ACCEPT

NOTE: In some of my scripts, rather than specify an IP address as an argument I sometimes allow a name (that is subsequently resolved to an IPv4 address format), but if the name contains a hyphen...well it can get messy in the scripting! :(

2.) If I were to use that range, would I need to modify the IPCamBlocks.sh script in any way, shape or form

No.

3.) What's an easy way to check and see if the scripts are blocking the traffic other than looking at the Active Connections?

Issue the help command? :confused:

Code:
./IPCamsBlock.sh -h

#=====================================================================================================================
#
# Block unsolicited outbound traffic from the I/P cameras, except for NTP, but still allow viewing via the VPN Servers
#
#          IPCamsBlock     [help|-h] | [init [blockntp]] | [status] | [del]
#
#          IPCamsBlock     init
#                          Create the blocking rules (usually called from /jffs/scripts/firewall-start)
#                          (Assumes /jffs/configs/IPGroups exists with valid 'CAMERAS' entry - Uppercase text!)
#                                    e.g. CAMERAS  10.88.8.10,10.88.8.15-10.88.8.20,10.88.8.50:10.88.8.55
#          IPCamsBlock     init blockntp
#                          Create blocking rules but NTP is also blocked (assumes cameras etc. use LAN NTP server)
#          IPCamsBlock 
#                          Show status of the rules in name form e.g. CAM-L-F1812
#          IPCamsBlock     status
#                          Show status of the rules in I/P form e.g. 10.88.8.10
#          IPCamsBlock     del
#                          Delete the blocking rules (NOTE: If CAMERAS list has changed since rules were created,
#                                 then it won't delete non-matching I/Ps!)
#                       
#
# /jffs/scripts/firewall-start
#      /jffs/scripts/IPCamsBlock.sh init

e.g. To list the statistics by the camera names, issue
Code:
./IPCamsBlock.sh

(IPCamsBlock.sh): 32121 v1.01 I/P Cameras Firewall blocking....
num   pkts bytes target     prot opt in     out     source                        destination     
26    1823  139K ACCEPT     udp  --  br0    eth0    anywhere                      anywhere             udp dpt:ntp
27    2151  129K DROP       all  --  br0    !tun2+  CAM-L-JPT3815W.Martineau.lan  anywhere         
28       0     0 DROP       all  --  br0    !tun2+  CAM-W-JPT3815W.Martineau.lan  anywhere         
30       0     0 DROP       all  --  br0    !tun2+  CAM-L-FI9820W.Martineau.lan   anywhere         
31       0     0 DROP       all  --  br0    !tun2+  CAM-W-IPRobot3.Martineau.lan  anywhere         
32    4442  267K DROP       all  --  br0    !tun2+  CAM-W-IP2M841B.Martineau.lan  anywhere         
(IPCamsBlock.sh): 32121 I/P Cameras Firewall blocking status request completed.

or to see the actual IP addresses
Code:
./IPCamsBlock.sh status

(IPCamsBlock.sh): 32219 v1.01 I/P Cameras Firewall blocking.... status
num   pkts bytes target     prot opt in     out     source               destination     
26    1825  139K ACCEPT     udp  --  br0    eth0    0.0.0.0/0            0.0.0.0/0            udp dpt:123
27    2153  129K DROP       all  --  br0    !tun2+  10.88.8.120          0.0.0.0/0       
28       0     0 DROP       all  --  br0    !tun2+  10.88.8.122          0.0.0.0/0       
30       0     0 DROP       all  --  br0    !tun2+  10.88.8.123          0.0.0.0/0       
31       0     0 DROP       all  --  br0    !tun2+  10.88.8.124          0.0.0.0/0       
32    4442  267K DROP       all  --  br0    !tun2+  10.88.8.125          0.0.0.0/0       
(IPCamsBlock.sh): 32219 I/P Cameras Firewall blocking status request completed.
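An added example covering questions 1 and 3 above; it is not code from IPCamsBlock.sh. The first function turns a CAMERAS line in the IPGroups style into iptables source-match arguments, accepting both the hyphen and the colon range notation (the iprange match itself only takes a hyphen, so the colon is rewritten). The remaining functions read status-style output like that shown above and total the DROP counters, which is the check question 3 asks for: traffic between two devices on the same LAN is switched on the bridge and never reaches the router's FORWARD chain, so a LAN-side ping proves nothing, whereas a DROP counter that climbs between two status calls does. Both inputs are constructed samples (the counts are copied from the output above).

```shell
#!/bin/sh
# Added example (not IPCamsBlock.sh): parse CAMERAS ranges and read DROP counters.

# Constructed sample line in the /jffs/configs/IPGroups style shown in the thread
CAMERAS_LINE='CAMERAS  192.168.1.196,  192.168.1.15-192.168.1.20,  192.168.1.50:192.168.1.55'

# cameras_to_matches LINE: one line of iptables source-match arguments per entry.
#   single address   -> "-s A"
#   range A-B or A:B -> "-m iprange --src-range A-B"
# The colon form is the port-range syntax (e.g. --dport 9000:9006); iprange wants
# a hyphen, so a colon in an address range is rewritten here.
cameras_to_matches() {
    list=$(printf '%s' "$1" | sed 's/^[[:space:]]*CAMERAS[[:space:]]*//; s/[[:space:]]//g')
    oldifs=$IFS
    IFS=','
    for entry in $list; do
        case $entry in
            *-*|*:*) printf '%s\n' "-m iprange --src-range $(printf '%s' "$entry" | tr ':' '-')" ;;
            *)       printf '%s\n' "-s $entry" ;;
        esac
    done
    IFS=$oldifs
}

# Constructed sample in the 'iptables -vn --line-numbers' layout that
# './IPCamsBlock.sh status' prints (packet counts taken from the thread's output)
STATUS_OUTPUT='num   pkts bytes target     prot opt in     out     source               destination
26    1825  139K ACCEPT     udp  --  br0    eth0    0.0.0.0/0            0.0.0.0/0            udp dpt:123
27    2153  129K DROP       all  --  br0    !tun2+  10.88.8.120          0.0.0.0/0
28       0     0 DROP       all  --  br0    !tun2+  10.88.8.122          0.0.0.0/0
32    4442  267K DROP       all  --  br0    !tun2+  10.88.8.125          0.0.0.0/0'

# dropped_packets OUTPUT: total pkts across all DROP rules. Sample it twice a few
# seconds apart; a rising total is the proof that outbound camera traffic is blocked.
dropped_packets() {
    printf '%s\n' "$1" | awk '$4 == "DROP" { total += $2 } END { print total + 0 }'
}

# blocked_sources OUTPUT: source addresses that currently have a DROP rule, so a
# camera missing from this list is one the CAMERAS entry does not cover
blocked_sources() {
    printf '%s\n' "$1" | awk '$4 == "DROP" { print $9 }' | tr '\n' ' ' | sed 's/ $//'
}

# idle_sources OUTPUT: DROP rules that have matched nothing yet; either that camera
# is quiet or the address in the CAMERAS list is wrong
idle_sources() {
    printf '%s\n' "$1" | awk '$4 == "DROP" && $2 == 0 { print $9 }' | tr '\n' ' ' | sed 's/ $//'
}

# Stand-alone demo on the constructed samples
if [ "${1:-}" = "demo" ]; then
    cameras_to_matches "$CAMERAS_LINE"
    echo "dropped so far: $(dropped_packets "$STATUS_OUTPUT")"
    echo "blocked: $(blocked_sources "$STATUS_OUTPUT")"
    echo "never matched: $(idle_sources "$STATUS_OUTPUT")"
fi
```

On the router the status text would come from the script itself, e.g. `dropped_packets "$(./IPCamsBlock.sh status)"`, and the same awk column positions apply because the layout is iptables' own.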
 
I like this script Martineau!

A quick newb question from a newb bash scripter who's a bit rusty:
./IPCamBlock.sh doesn't work, /jffs/scripts/IPCamsBlock.sh does. What am I missing, er um, how do I add it to my path? I did chmod +x, and file has 0755 permissions.

Thanks in advance,
Kev
 
I was hoping to add a symlink to my path, similar to how ab-solution is done. Abs doesn't require change directory, or parent directories to run from home.
 
I was hoping to add a symlink to my path, similar to how ab-solution is done. Abs doesn't require change directory, or parent directories to run from home.

Err ab-solution actually installs itself into /opt/bin :eek:

Usually, custom scripts that reside in /jffs/scripts/ do not require Entware to be installed for them to execute (although some scripts may need utilities that obviously require Entware to be installed!)

For custom scripts that mandate an installer routine, then creating /opt/bin/ symlinks to /jffs/scripts/ is the lesser of two evils (in my opinion ;))
e.g.
Code:
ln -s /jffs/scripts/IPCamsBlock.sh /opt/bin

but if you have to logon to the router via SSH, (to execute/write/test a new script) then it is probably simpler to use a terminal program such as Xshell5 that allows you to define and subsequently auto execute a logon script to place you in /jffs/scripts/ but sadly you still need to prefix a script execution with either './' or 'sh'

There are other options such as creating profile 'alias' shortcut commands etc. for convenience, but personally, I find the use of Xshell5's macro buttons (16 max?) more than adequate to provide time-saving access to frequently executed custom scripts such as nvram-save etc. :)
 
Yeah ab-solution does a lot of things that require trust, but I figure I can trust it. ;)

I am using PuTTY to login via SSH mostly for execution, but WinSCP is just too easy to pass up for editing. I often have both open at the same time when I'm working on scripts. I'll look into Xshell5 and alias shortcuts to further my knowledge. Alternatively, could I put some line in /jffs/configs/profile.add like:

Code:
# shell functions need a braced body; "$@" passes every argument through (init, status, del...)
ipcamsblock() { /jffs/scripts/IPCamsBlock.sh "$@"; }

?
Kev
 
Alternatively, could I put some line in /jffs/configs/profile.add like:
Code:
# shell functions need a braced body; "$@" passes every argument through (init, status, del...)
ipcamsblock() { /jffs/scripts/IPCamsBlock.sh "$@"; }

?

Of course.

Note, WinSCP's command window will retain a pulldown list of previous commands, so you could continue to use a single tool such as WinSCP, providing the script/command you wish to execute is compatible.
 
Perfect, thanks!

The winscp cli tool doesn't work well with interactive scripts, or at least I haven't found the settings to display stdout. That's why I also use putty; I sometimes use it for embedded stuff too (though realterm is better for pure serial stuff).

Kev
 
The winscp cli tool doesn't work well with interactive scripts...

Err that's what I meant by posting the caveat "providing the script/command you wish to execute is compatible" i.e. ab-solution is an example of an incompatible script! ;)
 
Hi Martineau,

Thank you for sharing your script. It works wonderfully for VPN. Could you please show me how to edit the script to allow outbound on certain ports (listed in port forwarding)? I recently dropped my VPN service and I could not access my cameras via third party apps such as tinycam.

Thank you in advance for your help.




 
Could you please show me how to edit the script to allow outbound on certain ports (listed in port forwarding)? I recently dropped my VPN service and I could not access my cameras via third party apps such as tinycam.

Whilst it is (lazily) convenient to expose the home IP Cameras to the WAN via Port Forwarding, it is an unnecessary security risk, particularly if you access the IP cameras remotely using the 'admin' account/password.

Starting a VPN tunnel connection to your router BEFORE accessing the home IP cameras is extremely secure (using certificates) and is the preferred/recommended remote access method and despite their web page stating that you NEED to setup Port Forwarding rules, 'tinyCam FREE' does work over a VPN tunnel.

(NOTE: On Android phones, I believe a 'Tasker' profile can be written that will automatically establish the VPN connection each time the 'tinyCam/IP Cam Viewer' etc. utility is initiated)

However, if you still wish to modify IPCamsBlock.sh to allow the home IP Cameras to be viewed remotely via either a secure VPN or Port Forward WAN connection, then modify the existing firewall rule creation code as follows:
Code:
Firewall $ACTION FORWARD -s $CAMERA -i br0 ! -o tun2+ -j DROP
change to
Code:
Firewall $ACTION FORWARD -s $CAMERA -i br0 -o $(nvram get wan0_ifname) -m state --state NEW -j DROP
Firewall $ACTION FORWARD -s $CAMERA -i br0 -o tun2+ -j ACCEPT

The two rules should now explicitly block the IP camera from initiating a new outbound WAN session (but implicitly allow outbound WAN IP camera traffic in response to an initiated inbound request via any Port Forward) and still allow outbound IP camera traffic via either of the VPN servers.
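An added example, not code from IPCamsBlock.sh: a dry-run `Firewall` that prints the iptables command instead of executing it, so the original rule and the two-rule replacement above can be generated side by side on a workstation, plus a small first-match evaluator that shows what each variant does to a packet the camera sends. Assumed: `ACTION` is the script's insert/delete switch and `CAMERA` one camera address, exactly as in the rules above; `WAN_IF` is a constructed stand-in for `$(nvram get wan0_ifname)`, and iptables' `tun2+` wildcard is written `tun2*` in the evaluator tables.

```shell
#!/bin/sh
# Added example (not Martineau's script): dry-run rule generation and a first-match
# evaluator for the original versus the Port-Forward-friendly FORWARD rules.

CAMERA=192.168.1.196   # constructed sample camera address
WAN_IF=eth0            # constructed; on the router use $(nvram get wan0_ifname)

# Firewall: the real script runs iptables here; this version only echoes the command
Firewall() {
    printf 'iptables %s\n' "$*"
}

# original_rules ACTION: drop whatever the camera sends unless it leaves via a VPN server
original_rules() {
    Firewall "$1" FORWARD -s "$CAMERA" -i br0 ! -o tun2+ -j DROP
}

# forwardable_rules ACTION: only NEW sessions toward the WAN are dropped, so replies
# to an inbound Port Forward (ESTABLISHED) pass, and VPN-bound traffic is accepted
forwardable_rules() {
    Firewall "$1" FORWARD -s "$CAMERA" -i br0 -o "$WAN_IF" -m state --state NEW -j DROP
    Firewall "$1" FORWARD -s "$CAMERA" -i br0 -o tun2+ -j ACCEPT
}

# The same two variants as evaluator tables, one rule per line:
#   <out-interface pattern> <required conntrack state, or - for any> <target>
# A leading '!' negates the pattern, as '! -o' does in iptables.
ORIGINAL_TABLE='!tun2* - DROP'
FORWARDABLE_TABLE="$WAN_IF NEW DROP
tun2* - ACCEPT"

# first_match TABLE OUT_IF STATE: print the target of the first rule that matches
first_match() {
    printf '%s\n' "$1" | while read -r pat need target; do
        hit=1
        case $pat in
            '!'*) case $2 in ${pat#!}) hit=0 ;; esac ;;
            *)    case $2 in $pat) ;; *) hit=0 ;; esac ;;
        esac
        [ "$need" = - ] || [ "$need" = "$3" ] || hit=0
        if [ $hit = 1 ]; then printf '%s\n' "$target"; break; fi
    done
}

# verdict TABLE OUT_IF STATE: DROP, ACCEPT, or PASS when nothing matched (the rest
# of the FORWARD chain, normally an ACCEPT for LAN-to-WAN, then decides)
verdict() {
    result=$(first_match "$1" "$2" "$3")
    printf '%s\n' "${result:-PASS}"
}

# Stand-alone demo: the generated commands, then the verdicts for three packets
if [ "${1:-}" = "demo" ]; then
    echo "# original";    original_rules -I
    echo "# forwardable"; forwardable_rules -I
    for pkt in "eth0 NEW" "eth0 ESTABLISHED" "tun21 NEW"; do
        set -- $pkt
        echo "$1 $2: original=$(verdict "$ORIGINAL_TABLE" "$1" "$2") forwardable=$(verdict "$FORWARDABLE_TABLE" "$1" "$2")"
    done
fi
```

The `eth0 ESTABLISHED` case is the one the post is about: with the original rule the camera's reply to an inbound Port Forward is dropped, with the replacement it falls through to the rest of the chain.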
 
Hi @Martineau.
I am trying to install your script with the addition for enabled UPnP (https://www.snbforums.com/threads/h...cessing-the-internet.29693/page-3#post-329775)
You are referring to change line 184 but your script (https://www.snbforums.com/threads/h...outbound-connections.38086/page-2#post-314785) has 183 lines?
Line to be changed:
Code:
Firewall $ACTION FORWARD $FWRULENO -s $CAMERA -i br0 ! -o tun2+ -j $JUMP
is not present in that script.
IPCamsBlock.sh script version is v1.01, am I missing newer version?
 
Hi @Martineau.
I am trying to install your script with the addition for enabled UPnP (https://www.snbforums.com/threads/h...cessing-the-internet.29693/page-3#post-329775)
You are referring to change line 184 but your script (https://www.snbforums.com/threads/h...outbound-connections.38086/page-2#post-314785) has 183 lines?
Line to be changed:
Code:
Firewall $ACTION FORWARD $FWRULENO -s $CAMERA -i br0 ! -o tun2+ -j $JUMP
is not present in that script.
IPCamsBlock.sh script version is v1.01, am I missing newer version?

Abject apologies. :oops:

I believe for v1.01 the line number should be 151?

and the line to be changed should read:
Code:
Firewall $ACTION FORWARD -s $CAMERA -i br0 ! -o tun2+ -j $JUMP

I do tweak my scripts, but I try to resist the temptation to publish them in old threads unless they actually fix an error.
NOTE: All later (unpublished) versions simply ensure that the rules are always inserted in a known position in the iptables processing order, hence the use of the $FWRULENO variable.
 
NOTE: All later (unpublished) versions simply ensure that the rules are always inserted in a known position in the iptables processing order, hence the use of the $FWRULENO variable.

Can you publish the latest version (with add for enabled UPnP) ?
Thank you.
 
