iptables, nat; How do I block camera from the internet

Sigge
Posts: 116
Joined: Mon May 02, 2016 8:14 am

iptables, nat; How do I block camera from the internet

Post by Sigge »

Not sure where to ask this. Hope it fits here?

I want to block my camera from the internet for the purpose of protecting it from outside threats and from phoning home.

I just want to block its MAC. I realize that it will not stop the camera if it is really bad and spoofs a MAC.

So, the camera is behind an iptables nat router.

I am thinking:

iptables -A FORWARD -i ethX -m mac --mac-source CAM-MAC-ADDRESS-HERE -j ACCEPT
iptables -A FORWARD -i ethY -m mac --mac-source CAM-MAC-ADDRESS-HERE -j ACCEPT

ethX and ethY being my two NICs.

When talking to zone-minder, sitting on ethY, it should not end up in FORWARD? Right?

And if it is on its way to or from the internet it will not go to POSTROUTING because of the -j ACCEPT?

Am I thinking straight?

Thanks
Sigge
Posts: 116
Joined: Mon May 02, 2016 8:14 am

Re: iptables, nat; How do I block camera from the internet

Post by Sigge »

This doesn't work for me.

Looks like the MAC address is changed before the FORWARD chain. So -m mac does not make sense here.
Sigge
Posts: 116
Joined: Mon May 02, 2016 8:14 am

Re: iptables, nat; How do I block camera from the internet

Post by Sigge »

iptables -t nat -A POSTROUTING -o eno1 -j MASQUERADE
iptables -A FORWARD -i "external nic" -m mac ! --mac-source "ipcam mac" -o "internal nic" -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i "internal nic" -m mac ! --mac-source "ipcam mac" -o "external nic" -j ACCEPT

is not working...
Last edited by Sigge on Tue May 09, 2017 8:52 am, edited 1 time in total.
Sigge
Posts: 116
Joined: Mon May 02, 2016 8:14 am

Re: iptables, nat; How do I block camera from the internet

Post by Sigge »

iptables -I FORWARD 1 -m mac --mac-source "ipcam mac" -j DROP

Maybe this is the solution? Seems like it is working....
marcopete87
Posts: 40
Joined: Wed Dec 04, 2013 4:53 pm

Re: iptables, nat; How do I block camera from the internet

Post by marcopete87 »

Does the camera try to connect to the internet?
If no: no problem.
If yes: have you tried changing the gateway in the configuration? Repeat step one.
If the problem persists, disable UPnP.
If the problem persists, you can consider VLANs.
Sigge
Posts: 116
Joined: Mon May 02, 2016 8:14 am

Re: iptables, nat; How do I block camera from the internet

Post by Sigge »

It does try to connect to the internet. See:
viewtopic.php?f=14&t=25518
Many cams do.

I run an Ubuntu computer as router, so I do not think it has UPnP. But it does NAT and DHCP for me.

All local devices get their gateway from my DHCP server. Changing the gateway would make the camera unable to talk to ZoneMinder.

Not familiar with VLANs, but it seems like overkill to me? I would have to program all switches. I have some cheap PoE ones that I don't think support VLANs.

iptables -I FORWARD 1 -m mac --mac-source "ipcam mac" -j DROP
This rule seems to work. Any input on that would be greatly appreciated.
marcopete87
Posts: 40
Joined: Wed Dec 04, 2013 4:53 pm

Re: iptables, nat; How do I block camera from the internet

Post by marcopete87 »

Overkill? Maybe, but it will kill all unwanted traffic in the LAN (my situation is external LAN cables across the house in external wire pipe, so this will increase security a bit).
Now I'm using a budget Cisco SG300 (used); I configured private VLANs, so the camera network can communicate only with my little server (and one diagnostic/configuration port).
Using private VLANs doesn't require all switches to be reconfigured.

The other workaround is to change the gateway IP in the configuration, but it won't solve your problems.

However, does the camera have a static IP?
If yes, you can simply configure

iptables -I INPUT -s {IP-HERE} -j DROP

Note: this must be reloaded at every reboot.
Sigge
Posts: 116
Joined: Mon May 02, 2016 8:14 am

Re: iptables, nat; How do I block camera from the internet

Post by Sigge »

Well, if you drop at INPUT, won't all traffic be blocked? My ZoneMinder is running on the same computer, so I want the camera to talk to it. But not have its traffic forwarded to the internet.

That's why I put the filter at FORWARD.

I am just a bit puzzled as to why it works. At FORWARD mac addresses are already stripped according to some pages. Still my rule seems to work...
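The rule Sigge settled on (`iptables -I FORWARD 1 -m mac --mac-source ... -j DROP`) works because the `mac` match reads the source MAC from the Ethernet frame as it arrived on the ingress interface; the iptables-extensions man page lists it as valid in the PREROUTING, FORWARD and INPUT chains, so it is only on the outgoing side (POSTROUTING, OUTPUT) that the address is unavailable. The script below is an added example written for this thread, not code posted by any participant or shipped with ZoneMinder. It turns the two working ideas from the thread (drop camera traffic in FORWARD, keep it reachable for ZoneMinder on the router via INPUT) into an iptables-restore file, which addresses marcopete87's note that interactive rules are lost at reboot. It goes one step beyond the thread by also dropping on the camera's IP, since a MAC can be spoofed, and by blocking forwarded traffic from the WAN towards the camera. The MAC, IP and interface names are placeholders, and the FORWARD DROP policy is an assumption about the router's baseline.

```shell
#!/bin/sh
# Added example: build an iptables-restore ruleset that keeps one IP camera
# off the internet while it can still reach ZoneMinder on the router itself.
# All values below are constructed placeholders, not taken from the thread.

CAM_MAC="00:11:22:33:44:55"   # placeholder camera MAC
CAM_IP="192.168.1.50"         # placeholder camera IP (pin it with a static DHCP lease)
LAN_IF="eth1"                 # placeholder internal NIC
WAN_IF="eno1"                 # external NIC, as in the thread's MASQUERADE rule

# validate_mac: return 0 for a well-formed aa:bb:cc:dd:ee:ff address, 1 otherwise.
validate_mac() {
    echo "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# build_ruleset: print a ruleset in iptables-restore format on stdout.
# The camera DROP rules are listed before any ACCEPT in FORWARD, which is
# what "-I FORWARD 1" achieved interactively in the thread.
build_ruleset() {
    cam_mac="$1"; cam_ip="$2"; lan_if="$3"; wan_if="$4"
    validate_mac "$cam_mac" || { echo "bad MAC: $cam_mac" >&2; return 1; }
    cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $wan_if -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Camera may not be forwarded anywhere: match on source MAC (valid in FORWARD)
# and on source IP as a second check, because a MAC can be spoofed.
-A FORWARD -i $lan_if -m mac --mac-source $cam_mac -j DROP
-A FORWARD -i $lan_if -s $cam_ip -j DROP
# Nothing arriving from the WAN may be forwarded to the camera either.
-A FORWARD -i $wan_if -d $cam_ip -j DROP
# Everything else on the LAN is NATed out as before.
-A FORWARD -i $wan_if -o $lan_if -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $lan_if -o $wan_if -j ACCEPT
COMMIT
EOF
}

# rule_line: 1-based line number of the first ruleset line containing a pattern;
# used to confirm that the camera DROP rules precede the ACCEPT rules.
rule_line() {
    echo "$1" | grep -n -- "$2" | head -n1 | cut -d: -f1
}

# Usage: write the output to a file, load it with
#   iptables-restore < /etc/iptables/rules.v4
# and have it reloaded at boot (on Ubuntu, e.g. via the iptables-persistent package).
main() {
    build_ruleset "$CAM_MAC" "$CAM_IP" "$LAN_IF" "$WAN_IF"
}
```

Traffic from the camera to ZoneMinder on the router goes through INPUT, which this ruleset leaves open, so recording keeps working; only routed (FORWARD) traffic from or to the camera is dropped. Because the camera can never open a connection outward, there is no established flow for the WAN-side ACCEPT rule to match, so replies cannot leak back in either.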