Not sure where to ask this. Hope it fits here?
I want to block my camera from the internet for the purpose to protect it from outside threat and from phoning home.
I just want to block its MAC. I realize that it will not stop the camera if it is really bad and spoofs a mac.
So, the camera is behind an iptables nat router.
I am thinking:
iptables -A FORWARD -i ethX -m mac --mac-source CAM-MAC-ADDRESS-HERE -j ACCEPT
iptables -A FORWARD -i ethY -m mac --mac-source CAM-MAC-ADDRESS-HERE -j ACCEPT
ethX and ethY being my two NICs.
When talking to zone-minder, sitting on ethY, it should not end up in FORWARD? Right?
And if it is on its way to or from the internet it will not go to POSTROUTING because of the -j ACCEPT?
Am I thinking straight?
Thanks
iptables, nat; How do I block camera from the internet
Re: iptables, nat; How do I block camera from the internet
This doesn't work for me.
Looks like MAC address is changed before the FORWARD chain. So -m mac does not make sense here.
Re: iptables, nat; How do I block camera from the internet
iptables -t nat -A POSTROUTING -o eno1 -j MASQUERADE
iptables -A FORWARD -i "external nic" -m mac ! --mac-source "ipcam mac" -o "internal nic" -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i "internal nic" -m mac ! --mac-source "ipcam mac" -o "external nic" -j ACCEPT
is not working .......
Last edited by Sigge on Tue May 09, 2017 8:52 am, edited 1 time in total.
Re: iptables, nat; How do I block camera from the internet
iptables -I FORWARD 1 -m mac --mac-source "ipcam mac" -j DROP
Maybe this is the solution? Seems like it is working....
Re: iptables, nat; How do I block camera from the internet
Does the camera try to connect to the internet?
If no: no problem.
If yes: have you tried changing the gateway in its configuration? Repeat step one.
If the problem persists, disable UPnP.
If the problem persists, you can consider VLANs.
Re: iptables, nat; How do I block camera from the internet
It does try to connect to the internet. See:
viewtopic.php?f=14&t=25518
Many cams do.
I run an Ubuntu computer as router so I do not think it has UPnP. But it does NAT and DHCP for me.
All local devices get their gateway from my DHCP server. Changing the gateway would make the camera unable to talk to ZoneMinder.
Not familiar with VLANs but it seems like overkill to me? I would have to program all switches. I have some cheap PoE ones that I don't think support VLANs.
iptables -I FORWARD 1 -m mac --mac-source "ipcam mac" -j DROP
This rule seems to work. Any input on that would be greatly appreciated.
Re: iptables, nat; How do I block camera from the internet
Overkill? Maybe, but it will kill all unwanted traffic in the LAN (my situation is external LAN cables across the house in external wire pipe, so this will increase security a bit).
Now, I'm using a budget Cisco SG300 (used); I configured private VLANs, so the camera network can communicate only with my little server (and one diagnostic/configuration port).
Using private VLANs doesn't require all switches to be reconfigured.
The other workaround is to change the gateway IP in the configuration, but it won't solve your problems.
However, do the cameras have a static IP?
If yes, you can simply configure
iptables -I INPUT -s {IP-HERE} -j DROP
note: this must be reloaded at every reboot.
Re: iptables, nat; How do I block camera from the internet
Well, if you drop at INPUT won't all traffic be blocked? My ZoneMinder is running on the same computer so I want the camera to talk to it, but not have its traffic forwarded to the internet.
That's why I put the filter at FORWARD.
I am just a bit puzzled as to why it works. At FORWARD mac addresses are already stripped according to some pages. Still my rule seems to work...
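Pulling the thread's working answer together as an added example (not code posted by anyone in the thread): a small shell script for the Ubuntu router that emits an iptables-restore ruleset, and loads it when asked. The camera's traffic is dropped in FORWARD, ahead of the RELATED,ESTABLISHED ACCEPT, so the packets are discarded before they could ever reach MASQUERADE in nat POSTROUTING; INPUT is left alone, so ZoneMinder on the router itself still reaches the camera. The mac match works in FORWARD because it reads the source MAC of the Ethernet frame the router received (the iptables-extensions manual lists PREROUTING, INPUT and FORWARD as the chains where it makes sense; OUTPUT and POSTROUTING are where it does not), which is why the DROP rule at the end of the thread works. Because a MAC can be spoofed, as the first post notes, the script drops on the camera's IP as well, which assumes the camera gets a fixed DHCP lease. Everything except eno1 is a constructed placeholder (eth1, 192.168.1.0/24, the camera's IP and MAC); it uses the conntrack match where the thread uses -m state, and it assumes iptables-persistent's /etc/iptables/rules.v4 for surviving reboots.

```shell
#!/bin/sh
# Added example, not from the thread: emit (and optionally load) an iptables-restore
# ruleset for the Ubuntu NAT router so the camera can still talk to ZoneMinder on the
# router (INPUT is untouched) but nothing from it is forwarded towards the internet.
# Interface names other than eno1, the subnet, the camera IP and the camera MAC are
# constructed placeholders; override them through the environment.
set -eu

EXT_IF="${EXT_IF:-eno1}"                 # NIC towards the internet (eno1 as in the thread)
INT_IF="${INT_IF:-eth1}"                 # NIC towards the LAN and the camera (assumed name)
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # constructed LAN subnet
CAM_IP="${CAM_IP:-192.168.1.50}"         # constructed camera address (give it a fixed DHCP lease)
CAM_MAC="${CAM_MAC:-00:11:22:33:44:55}"  # constructed camera MAC

# Print the ruleset in iptables-restore format. Rule order is the whole point:
# the camera DROP rules sit before the RELATED,ESTABLISHED ACCEPT, so a connection
# the camera opens is dropped in FORWARD and never reaches MASQUERADE in nat POSTROUTING.
cam_block_rules() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# camera: log (rate-limited), then drop on the source MAC of the incoming frame
-A FORWARD -i $INT_IF -m mac --mac-source $CAM_MAC -m limit --limit 6/min -j LOG --log-prefix "cam-fwd-drop: "
-A FORWARD -i $INT_IF -m mac --mac-source $CAM_MAC -j DROP
# camera: also drop on its IP, in case the MAC is ever spoofed
-A FORWARD -i $INT_IF -s $CAM_IP -j DROP
# replies to connections the rest of the LAN opened
-A FORWARD -i $EXT_IF -o $INT_IF -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# the rest of the LAN may go out
-A FORWARD -i $INT_IF -o $EXT_IF -s $LAN_NET -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $LAN_NET -o $EXT_IF -j MASQUERADE
COMMIT
EOF
}

# 1-based line number of the first ruleset line containing the pattern, 0 if absent.
# Lets you check that the camera DROP really precedes the ESTABLISHED ACCEPT.
rule_line() {
    n=$(cam_block_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1)
    echo "${n:-0}"
}

# "apply" loads the ruleset atomically; anything else just prints it for review.
if [ "${1:-}" = "apply" ]; then
    cam_block_rules | iptables-restore
    # iptables-persistent reloads this file at boot (the thread notes rules are otherwise lost)
    iptables-save > /etc/iptables/rules.v4
else
    cam_block_rules
fi
```

Run it without arguments to review the generated rules, and as root with `apply` to load them. Give the camera a fixed lease in the router's DHCP server so the IP rule keeps matching, and watch the kernel log for the `cam-fwd-drop:` prefix to confirm the camera is still trying to call out.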