
How to block ip camera from accessing the internet

Discussion in 'Asuswrt-Merlin' started by jtl0101, Jan 10, 2016.

  1. jtl0101 (New Around Here; joined Jan 10, 2016; 5 messages)

    Hello, I have an IP camera with some shady software on it. Replacing the camera and system is out of the budget right now, so I want to prevent the camera from accessing the internet by using router features.

    I have the latest asuswrt build (Dec 24 2015, I think). Using the Network Service Filter, I put each camera's and the NVR's IP as the source IP addresses, set the destination port range to 80, and for protocol I set a rule for TCP and UDP. But I notice that I can still access the internet from a device using ping (ICMP protocol, which there is no setting for). I'm no expert on hacking via the web, so the fact that a device can reach the web via ping but not WWW lets me know I probably need to do a lot more to achieve my goal.

    How can I use the asuswrt-merlin software to make sure a device with shady software can't be accessed via the WWW, and can't access the WWW? I have the Asus RT-AC66U.
     
  2. Andrea F11 (Occasional Visitor; joined Jan 10, 2016; 11 messages)

    Hi jtl,
    I am in the same situation!
    I also used Network Service Filter, but I set the ">1" value in both the source and destination fields to close all ports.
    Unfortunately, it doesn't work, because apparently the camera can still reach the web.
    The only solution now is blocking internet access for the camera in the "client" menu on the main page. But unfortunately, in this way you can reach the camera only via LAN and NOT via VPN.
     
  3. jtl0101 (New Around Here; joined Jan 10, 2016; 5 messages)

    Hopefully someone can point us in the right direction. I have done all I can do with the camera software. Now that I know the back doors are wide open in their software, I'm only trying to lock the camera out from the internet using router features. I know the quick solution is to put the NVR and camera on their own separate network/router with no WAN access, but I'd like to avoid that if possible by learning some software/hardware tricks.
     
  4. Zirescu (Very Senior Member; joined Jul 16, 2013; 729 messages; Kelowna, BC)

    What happens if you enable the parental options and add the camera in there?
     
  5. coxhaus (Part of the Furniture; joined Oct 7, 2010; 3,123 messages; Texas)

    What if you remove the default gateway? The camera will not be able to access the internet without a default gateway.
     
  6. jtl0101 (New Around Here; joined Jan 10, 2016; 5 messages)

    Thanks Zirescu, that did it for me. Not even ping access anymore.
     
  7. jtl0101 (New Around Here; joined Jan 10, 2016; 5 messages)

    Thanks for the tip. I'm not sure how, but my camera auto-populates the default gateway. Adding it to parental controls blocked ping (ICMP), UDP and TCP.
     
  8. ASAT (Senior Member; joined Jun 5, 2015; 223 messages)

    If you completely block the NVR from accessing the Internet, it won't be able to synchronize its clock via NTP. This means your video streams won't show an accurate timestamp. So you might want to not block UDP port 123.

    Most NVR units have an internal network for the cameras that you cannot access directly. However, if you get a root shell on the NVR (via the console port), then you might be able to log in via telnet to the camera. If you are able to get a root shell on the camera itself, you will probably see that the camera cannot access the Internet because the NVR does not allow it. Of course, I could be wrong. What is the camera model? Try a Google search for the root or admin password. Or, you might be able to download a firmware update for the camera, unpack it and look for the root password.
     
    Last edited: Jan 10, 2016
  9. jtl0101 (New Around Here; joined Jan 10, 2016; 5 messages)

    Thanks for the info. The cameras all have different version info stamped on their boxes, and the system info in the firmware conflicts with what is stamped on the box. They are sold by GW Security/CCTV (money poorly spent). All manufacturing information has been removed from the cameras; there are no firmware updates available for the cameras or the NVR they sell. The device ID cloud on each camera is configured to a specific address on seetong.com, which might give leads to some info about who's behind the manufacturing of the camera.

    I'm no longer doing internal configs on this camera system, as it's been a waste of time (one of the cameras switched protocols from ONVIF to HBGK yesterday; recently, on a system that was set up to record over the oldest save, I also lost all recordings due to an HDD error: the system said it was recording, I tried to view a recording and got an error message, rebooted the system and got an HDD error message, had to format the drive to get access to it again, and the list goes on the further I go back in time on a system less than 6 months old). My main goal was to secure the system from WAN access for security reasons and save $$ for another system that I can use with open source software, preferably the whole thing manageable with Linux.
     
  10. Calisro (Senior Member; joined Mar 5, 2015; 324 messages; United States)

    If you want to block it, add this to the /jffs/configs/firewall-start

    iptables -I FORWARD 1 -s 10.100.1.16 -o eth0 -p udp --dport 123 -j ACCEPT
    iptables -I FORWARD 2 -s 10.100.1.16 -o eth0 -j DROP

    Change the above to the IP of your camera. You may also want to disable UPnP unless you really, really need it for something. If you do, then you'll need to add another explicit block for the inbound to that device in the event it sets up a forward with UPnP.
     
    Last edited: Jan 11, 2016
  11. Andrea F11 (Occasional Visitor; joined Jan 10, 2016; 11 messages)

    Thx Calisro.

    My cameras were set up with static IPs.
    I have disabled UPnP both in the camera settings and in the router.
    I would like to block ALL camera outbound traffic on the WAN, but I wish I could still reach the camera via VPN.
    I thought that this could be done with the firewall's Packet Filter, but it does not work.


     
  12. Calisro (Senior Member; joined Mar 5, 2015; 324 messages; United States)

    The iptables commands above only block outbound traffic from the camera. It should be reachable via the VPN.
     
  13. Andrea F11 (Occasional Visitor; joined Jan 10, 2016; 11 messages)

    So port 123 remains open, right?
    I would close all ports.

    Another question: as for UDP, should I do the same for TCP?


     
  14. Carlos M. (Regular Contributor; joined Jan 11, 2016; 92 messages; Madrid, Spain)

  15. Andrea F11 (Occasional Visitor; joined Jan 10, 2016; 11 messages)

    Carlos, if you set parental control "on", you can't reach the camera via VPN, only via LAN.
     
  16. Calisro (Senior Member; joined Mar 5, 2015; 324 messages; United States)

    I kept 123 open for NTP. I'd bet your camera requires it, as stated above. These things usually don't have batteries to store the time, so it needs network time. If you really do not want that, then just remove that line.

    iptables -I FORWARD 1 -s 10.100.1.16 -o eth0 -p udp --dport 123 -j ACCEPT
    iptables -I FORWARD 2 -s 10.100.1.16 -o eth0 -j DROP

    All these do is block any packets except udp:123 outbound to the internet (across interface eth0). Notice that I am not blocking inbound, but as long as you have UPnP OFF and you do not have any explicit port forwards, that is blocked by default.

    VPN goes over tun interfaces, so it is not blocked.
     
  17. Carlos M. (Regular Contributor; joined Jan 11, 2016; 92 messages; Madrid, Spain)

    Oops, I was just looking to block my cameras' access to the internet. Just to avoid the images being sent by email. :(
     
  18. Andrea F11 (Occasional Visitor; joined Jan 10, 2016; 11 messages)

    Sorry for answering only now.

    Calisro, I tried to do as you told me and it does not work:

    - First I created firewall-start as below:

    [email protected]:/jffs/configs# cat firewall-start
    iptables -I FORWARD 1 -s 192.168.2.101 -o eth0 -j DROP
    iptables -I FORWARD 2 -s 192.168.2.102 -o eth0 -j DROP
    iptables -I FORWARD 3 -s 192.168.2.103 -o eth0 -j DROP
    iptables -I FORWARD 4 -s 192.168.2.104 -o eth0 -j DROP

    - Then I enabled "JFFS custom scripts and configs" on the router (RT-AC68U with 380.57)
    - Finally I rebooted

    After restarting, the router crashed and I had to turn it off and on again.

    When it finally started, I assigned the IP 192.168.2.101 to a PC and the browser reached the internet.

    What am I doing wrong?



     
  19. john9527 (Part of the Furniture; joined Mar 28, 2014; 6,096 messages; United States)

    firewall-start is a script... it needs the shebang as the first line:

    #!/bin/sh

    EDIT: and it needs to be placed in /jffs/scripts, not /jffs/configs
     
  20. Andrea F11 (Occasional Visitor; joined Jan 10, 2016; 11 messages)

    Thx john.

    Here are the changes I made:

    [email protected]:/jffs/scripts# cat firewall-start
    #!/bin/sh
    iptables -I FORWARD 1 -s 192.168.2.101 -o eth0 -j DROP
    iptables -I FORWARD 2 -s 192.168.2.102 -o eth0 -j DROP
    iptables -I FORWARD 3 -s 192.168.2.103 -o eth0 -j DROP
    iptables -I FORWARD 4 -s 192.168.2.104 -o eth0 -j DROP

    A question: do I have to do this?
    chmod a+rx /jffs/scripts/firewall-start
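Putting the thread's pieces together (Calisro's outbound rules with the NTP exception, the inbound block he mentions for the UPnP case, and john9527's shebang and /jffs/scripts fix), here is a complete firewall-start as an added example. It is not code posted by anyone in this thread and not part of the Asuswrt-Merlin project. It assumes the WAN interface is eth0 as in the posts above (the real name is what `nvram get wan0_ifname` prints), that the cameras have static LAN addresses, that UPnP is off, and that the chain name CAMBLOCK is free; the chain name and the IP list are chosen for the example.

```shell
#!/bin/sh
# /jffs/scripts/firewall-start  (added example; not from the thread or from Asuswrt-Merlin)
#
# Blocks a set of LAN devices (cameras, NVR) from reaching the internet in either
# direction while leaving them reachable from the LAN and from the router's VPN server.
# Assumptions: WAN interface eth0 (Asuswrt-Merlin passes the WAN interface name as $1
# when it runs firewall-start, so that is used when present), static camera IPs,
# UPnP disabled. CAMERAS, CHAIN and the addresses below are example values.

CAMERAS="192.168.2.101 192.168.2.102 192.168.2.103 192.168.2.104"
WAN_IF="${1:-${WAN_IF:-eth0}}"
IPT="${IPT:-iptables}"      # set IPT=echo to print the rules instead of applying them
CHAIN="CAMBLOCK"            # example chain name, assumed not to clash with anything

apply_rules() {
    # Use our own chain: firewall-start runs again on every firewall restart or WAN
    # reconnect, so flushing the chain and keeping exactly one jump at the top of
    # FORWARD makes the script idempotent (plain -I FORWARD would stack duplicates).
    $IPT -N "$CHAIN" 2>/dev/null || true
    $IPT -F "$CHAIN"
    $IPT -D FORWARD -j "$CHAIN" 2>/dev/null || true
    $IPT -I FORWARD 1 -j "$CHAIN"

    for ip in $CAMERAS; do
        # Outbound: allow NTP so the NVR keeps correct timestamps (ASAT's point), then
        # drop everything else the device sends toward the WAN. No -p match on the DROP,
        # so ICMP (ping) is covered, which the GUI's TCP/UDP-only filter could not do.
        $IPT -A "$CHAIN" -s "$ip" -o "$WAN_IF" -p udp --dport 123 -j ACCEPT
        $IPT -A "$CHAIN" -s "$ip" -o "$WAN_IF" -j DROP
        # Inbound: replies to the camera's own NTP queries must still get back in, so
        # hand established/related flows back to the normal firewall; drop any other
        # packet arriving from the WAN for this device (covers a forgotten port
        # forward or a UPnP mapping). Packets from br0 or a tun interface (the VPN
        # server) never match -i/-o eth0, so LAN and VPN access are untouched.
        $IPT -A "$CHAIN" -d "$ip" -i "$WAN_IF" -m state --state ESTABLISHED,RELATED -j RETURN
        $IPT -A "$CHAIN" -d "$ip" -i "$WAN_IF" -j DROP
    done
}

# Apply only where iptables exists; elsewhere the function can be dry-run with IPT=echo.
if command -v "$IPT" >/dev/null 2>&1; then
    apply_rules
fi
```

Save it as /jffs/scripts/firewall-start, enable "JFFS custom scripts and configs", and make it executable with `chmod a+rx /jffs/scripts/firewall-start` (Merlin only runs executable scripts, which answers the question above). After a firewall restart, `iptables -vnL CAMBLOCK` shows the rules with packet counters; from a LAN PC given one of the camera addresses, `ping 8.8.8.8` should now fail while the DROP counter climbs. One caveat the thread does not cover: if the router itself runs a VPN client that routes LAN traffic through the tunnel, the cameras' traffic leaves on that tun interface rather than eth0 and these rules will not match it; add the tun interface as a second WAN_IF in that case.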