[lenovomen]

Hello,

How can I disable PORT usage on one or more local networks (e.g. 192.168.1.1, 192.168.2.1 etc.)? I would like to disable port 80 21 and 23 for all devices and users (everyone) participating in network segments.

[eibgrad]

I presume you're referring to these input ports on the router itself on the LAN side.

Presumably you want at least the router admin to have access, don't you? And from which IP might that be?

[lenovomen]

I want no one on the network to have access to these ports, not even the administrator. Each network belongs to br0 the subnets can see each other's devices. I want no one to be able to telnet and ssh to their devices.

[eibgrad]

Add the following to the firewall script.

[lenovomen]

There are 4 networks. 192.168.2.1, 192.168.2.1, 192.168.3.1, 192.168.4.1. If a camera is connected to network 2 192.168.2.300, it is accessible from all networks, so if someone opens an SSH connection in the putty, they can reach it. I entered the code in Administration --> Commands console, but it didn't disable SSH, it still allows the connection.

[the-joker]

@eibgrad suggestion assumes br0 which is the only default bridge, if you have different setup you need to adjust accordingly to suit.

Perhaps you should show a screenshot of the Networking page and anything relating to your networks setup bridge wise.

[lenovomen]

I attached my network settings

[lenovomen]

Default bridge

[the-joker]

So you need in principle

[dale_gribble39]

If you're trying to block access to IP cameras, that is a different set of rules. Also, to block access to the router webUI via any other interface that is connected to br0, you should use ebtables instead of iptables. The only requirement is insmod'ing the required ebtables kernel modules in your firewall script. It sounds like you want to block access to or from client devices. The picture is somewhat unclear now from the original premise.

Disable Wireless Access To WebUI not working

[lenovomen]

"If you're trying to block access to IP cameras"
-> Yes, I want to disable it, but only ports 22 and 23. I want it to be accessible only through the web port 443 for all connected devices.

"Also, to block access to the router webUI via any other interface"
-> This was just an idea to force e.g. the web interface of the camera to load only via https.




Code:
iptables -I INPUT -i br0 -p tcp -m multiport --dport 21,23,80 -j REJECT
iptables -I INPUT -i br0 -p udp -m multiport --dport 21,23,80 -j REJECT
iptables -I INPUT -i wlan0.1 -p tcp -m multiport --dport 21,23,80 -j REJECT
iptables -I INPUT -i wlan0.1 -p udp -m multiport --dport 21,23,80 -j REJECT

-> I tried the code. I can still get the camera ip address via SSH with putty. 192.168.3.100

[the-joker]

Is there no way to disable SSH on the camera itself?

[lenovomen]

I changed to the IPTABLE and got this error: "kernel doesen't support the ebtables".

What could be the problem?

[lenovomen]

"Is there no way to disable SSH on the camera itself?"
--> No, unfortunately it is not possible to disable that feature.

[dale_gribble39]

You've been asked to give router and build information in at least one other thread. Not knowing what router you are using or build or kernel involved, it could be that either you didn't insmod the ebtables modules or that the kernel doesn't have any ebtables functionality compiled in or available. You have to insert the required ebtables modules, otherwise the rules do not work. They are not compiled into the kernel by default. Also, my recommendation is wired IP cameras with their own managed switch.