Iptables block access for IP Cameras with exceptions

NomisGnos

New Around Here
Hello, long-time lurker, first-time poster. The community here is awesome!

I have an ASUS 3100 wireless router and about 4 IP cameras. On my old router it was easy to block outgoing traffic so that I could make sure the cameras weren't "calling home". I want to do the same thing with this router, so I decided to first use the port forwarding tool, and then I started looking up IPTABLES.

My goal:
  1. By default, block outgoing and incoming traffic for 192.168.1.0/29.
  2. Exception: I want to open 120:130, BUT only for a handful of trusted IPs (work or a friend's house). Let's say those IPs are 150.150.150.150 and 250.250.250.0/24 (I use a browser to access these ports, not that it probably matters anyway), so if I wanted to access CAMERA #2 it would be DDNS.dns.com:121.
  3. Exception: The cameras send out emails via SMTPS (port 465), so I want to open that up so that they can send out the emails.
  4. I don't want to block INPUT/OUTPUT since I have some IoT stuff that communicates somewhere else, so I don't want to change the default policy to block that. Unless I am misunderstanding how that works.
I flashed the router with the latest Asuswrt-Merlin and turned on JFFS custom scripts. I created a file under
Code:
/jffs/scripts/
called
Code:
firewall-start
I edited the file starting with the shebang and added some rules (will get back to this later). I then ran
Code:
service restart_firewall
The problem I am running into is that I am not getting the appropriate results, and it is very possible that I am writing the rules wrong and/or maybe the order.

I tried iptables FORWARD, I tried iptables INPUT & OUTPUT, and I tried a combination of "INSERT" / "APPEND", and for some odd reason it will either BLOCK everything or leave it OPEN completely. It never follows my ultimate goal. I am sure it has to do with some order or default rules for FORWARD or INPUT or OUTPUT, but I just can't figure it out.

I need some experts to help me out. Here are my existing iptables rules as of right now:

Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere             state INVALID
PTCSRVWAN  all  --  anywhere             anywhere
PTCSRVLAN  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state NEW
ACCEPT     all  --  anywhere             anywhere             state NEW
OVPN       all  --  anywhere             anywhere             state NEW
ACCEPT     udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc
INPUT_ICMP  icmp --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
other2wan  all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere             state INVALID
ACCEPT     all  --  anywhere             anywhere
NSFW       all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT
OVPN       all  --  anywhere             anywhere             state NEW
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain ACCESS_RESTRICTION (0 references)
target     prot opt source               destination

Chain FUPNP (0 references)
target     prot opt source               destination

Chain INPUT_ICMP (1 references)
target     prot opt source               destination
RETURN     icmp --  anywhere             anywhere             icmp echo-request
RETURN     icmp --  anywhere             anywhere             icmp timestamp-request
ACCEPT     icmp --  anywhere             anywhere

Chain NSFW (1 references)
target     prot opt source               destination

Chain OVPN (2 references)
target     prot opt source               destination

Chain PControls (0 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain PTCSRVLAN (1 references)
target     prot opt source               destination

Chain PTCSRVWAN (1 references)
target     prot opt source               destination

Chain SECURITY (0 references)
target     prot opt source               destination
RETURN     tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,ACK/SYN limit: avg 1/sec burst 5
DROP       tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,ACK/SYN
RETURN     tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5
DROP       tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,ACK/RST
RETURN     icmp --  anywhere             anywhere             icmp echo-request limit: avg 1/sec burst 5
DROP       icmp --  anywhere             anywhere             icmp echo-request
RETURN     all  --  anywhere             anywhere

Chain default_block (0 references)
target     prot opt source               destination

Chain logaccept (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             state NEW LOG level warning tcp-sequence tcp-options ip-options prefix "ACCEPT "
ACCEPT     all  --  anywhere             anywhere

Chain logdrop (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             state NEW LOG level warning tcp-sequence tcp-options ip-options prefix "DROP "
DROP       all  --  anywhere             anywhere

Chain other2wan (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Thanks in advance!
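The post describes a firewall-start script but does not show its rules, so the following is an added example (mine, not the poster's or Asuswrt-Merlin's own code) of how the four stated goals map onto the chains in the listing above. Two things in that listing explain the "all or nothing" behaviour a script can produce: the stock FORWARD chain contains an unconditional "ACCEPT all" as its fourth rule, so anything appended with -A lands after it and is never evaluated, and INPUT/OUTPUT only govern traffic to and from the router itself, so rules for LAN-to-WAN and WAN-to-LAN traffic belong in FORWARD. Merlin runs firewall-start after the firewall is built and passes the WAN interface name as $1. Assumptions (not from the post): the custom chain name CAMFILTER, eth0 as a fallback WAN interface name, and that the port forwards for 120-130 map to the same port numbers on the cameras (after DNAT, FORWARD sees the camera's LAN address and the forwarded-to port, so if the forwards map to e.g. port 80, match that here instead).

```shell
#!/bin/sh
# Added example for /jffs/scripts/firewall-start on Asuswrt-Merlin; not the
# original poster's script. Every rule is inserted (-I) at the top of
# FORWARD because the stock chain already contains an unconditional ACCEPT.

CAM_NET="192.168.1.0/29"            # camera subnet from the post (.0 - .7; note this
                                    # also covers 192.168.1.1 if that is the router's
                                    # own LAN address; the router's own traffic uses
                                    # INPUT/OUTPUT, not FORWARD, so it is unaffected)
CAM_PORTS="120:130"                 # assumes the port forwards keep the same port
                                    # numbers on the cameras; use the internal port
                                    # here if they differ
TRUSTED="150.150.150.150 250.250.250.0/24"   # trusted remote sources from the post
CHAIN="CAMFILTER"                   # assumed name for our own chain
WAN_IF="${1:-eth0}"                 # Merlin passes the WAN interface as $1;
                                    # eth0 is only a fallback assumption

# Emit the iptables commands one per line so they can be reviewed (and tested)
# before being executed.
build_rules() {
    echo "iptables -N $CHAIN 2>/dev/null"
    echo "iptables -F $CHAIN"
    # Replies to connections that were already allowed, in both directions.
    echo "iptables -A $CHAIN -m state --state RELATED,ESTABLISHED -j ACCEPT"
    # Exception 2: trusted sources may open new connections to the camera ports.
    # DNAT has already happened, so the destination is the camera's LAN address.
    for src in $TRUSTED; do
        echo "iptables -A $CHAIN -i $WAN_IF -s $src -d $CAM_NET -p tcp --dport $CAM_PORTS -m state --state NEW -j ACCEPT"
    done
    # Exception 3: cameras may send mail over SMTPS.
    echo "iptables -A $CHAIN -o $WAN_IF -s $CAM_NET -p tcp --dport 465 -m state --state NEW -j ACCEPT"
    # Goal 1: everything else to or from the camera subnet is dropped.
    echo "iptables -A $CHAIN -s $CAM_NET -j DROP"
    echo "iptables -A $CHAIN -d $CAM_NET -j DROP"
    # Goal 4: only camera traffic is diverted into our chain; all other hosts
    # keep the stock FORWARD behaviour. The -C check keeps the script
    # idempotent when firewall-start runs more than once.
    echo "iptables -C FORWARD -s $CAM_NET -j $CHAIN 2>/dev/null || iptables -I FORWARD 1 -s $CAM_NET -j $CHAIN"
    echo "iptables -C FORWARD -d $CAM_NET -j $CHAIN 2>/dev/null || iptables -I FORWARD 2 -d $CAM_NET -j $CHAIN"
}

apply_rules() {
    build_rules | while IFS= read -r cmd; do
        eval "$cmd"
    done
}

# Apply on the router (root, iptables present, JFFS mounted); elsewhere just
# print the rules for review.
if [ "$(id -u)" = 0 ] && command -v iptables >/dev/null 2>&1 && [ -d /jffs/scripts ]; then
    apply_rules
else
    build_rules
fi
```

After `service restart_firewall`, `iptables -L FORWARD -n --line-numbers` should show the two jumps to CAMFILTER at positions 1 and 2, ahead of the stock rules, and `iptables -L CAMFILTER -n -v` shows per-rule packet counters, which is the quickest way to see whether a camera's "call home" attempts are landing on the DROP rules or slipping through an earlier ACCEPT. Traffic between hosts on the same LAN bridge does not pass through FORWARD, so local access to the cameras is unaffected by these rules.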