Posted: Mon Sep 19, 2022 15:42 Post subject: [SOLVED]iptables, block all traffic but allow VPN and NTP
Hello all,
Unfortunately I am stuck with iptables.
I would like to block all traffic from and to a specific IP in my network, but allow the traffic via VPN as well as allow NTP.
The device is an IP camera. Block all traffic but allow watching the video stream via VPN and allow NTP.
Unfortunately I constantly get a fail when trying to sync the time in the camera.
Code:
iptables -t nat -I POSTROUTING -s 192.168.66.0/24 -o ppp0 -j MASQUERADE
iptables -I FORWARD -s 192.168.1.15 -o ppp0 -j REJECT
iptables -A INPUT -p ALL -s at.pool.ntp.org -j ACCEPT
iptables -A INPUT -p ALL -d at.pool.ntp.org -j ACCEPT
iptables -A OUTPUT -p ALL -s at.pool.ntp.org -j ACCEPT
iptables -A OUTPUT -p ALL -d at.pool.ntp.org -j ACCEPT
The first is VPN, the second is the camera, but I constantly get a fail when trying the time sync. I also tried with -p udp --dport 123 (and dport) but no success.
IPSET
I already had this in my iptables but deleted it because I saw no difference.
However: I still struggle with blocking all traffic to the specific IP addresses but allowing NTP. Blocking traffic works, but allowing NTP to pass does not. I constantly get an error from the camera interface telling me the NTP time sync was not possible. If I delete the blocking of the camera IP address it works, obviously.
Joined: 18 Mar 2014 Posts: 12812 Location: Netherlands
Posted: Mon Sep 19, 2022 18:00 Post subject:
Your build is old and outdated and has security issues.
Upgrading to a recent build e.g. 50176 is highly recommended.
Coming from such an old build a reset to defaults *after* upgrade is also highly recommended.
Put settings in manually, never restore from a backup (to a different build).
If your camera wants to connect to an NTP server, you can allow that port to go out:
iptables -I FORWARD -s 192.168.1.15 -p udp --dport 123 -j ACCEPT
This rule has to come after the first rule I sent.
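The ordering point in the reply above is the whole problem: netfilter takes the first matching rule in a chain, so the camera's NTP ACCEPT only works if it ends up above the REJECT, and `iptables -I` (insert at the top) versus `-A` (append at the bottom) decides where a rule lands. The hostname-based rules in the first post also never see the camera's packets, because INPUT and OUTPUT only cover traffic to and from the router itself while routed traffic goes through FORWARD. The script below is an added example, not code from the thread or from DD-WRT: it models a single FORWARD chain in POSIX sh with first-match semantics so the ordering can be checked without root or a real netfilter. All helper names (`chain_rule`, `chain_verdict`, `build_camera_chain`, `build_camera_chain_wrong`) are hypothetical, and the chain's default policy of ACCEPT is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): a tiny model of one iptables chain with
# first-match evaluation, used to show why the camera's NTP ACCEPT must sit above
# the REJECT in FORWARD and how "-I" (prepend) versus "-A" (append) decides that.
# Helper names are hypothetical; they are not iptables or DD-WRT commands.

CAMERA=192.168.1.15          # camera address from the thread
VPN_IF=ppp0                  # VPN interface from the thread
CHAIN_FILE="${TMPDIR:-/tmp}/forward_chain.$$"
trap 'rm -f "$CHAIN_FILE" "$CHAIN_FILE.tmp"' EXIT
: > "$CHAIN_FILE"

# chain_rule <-I|-A> <src> <proto> <dport> <oif> <target>
# Rule fields use "any" as a wildcard. -I prepends like iptables -I, -A appends.
chain_rule() {
    rule="$2 $3 $4 $5 $6"
    if [ "$1" = "-I" ]; then
        { echo "$rule"; cat "$CHAIN_FILE"; } > "$CHAIN_FILE.tmp" \
            && mv "$CHAIN_FILE.tmp" "$CHAIN_FILE"
    else
        echo "$rule" >> "$CHAIN_FILE"
    fi
}

# chain_verdict <src> <proto> <dport> <oif>
# Prints the target of the first matching rule, walking the chain top to bottom,
# or the assumed default policy (ACCEPT) when nothing matches.
chain_verdict() {
    while read -r rsrc rproto rdport roif rtarget; do
        [ "$rsrc"   = any ] || [ "$rsrc"   = "$1" ] || continue
        [ "$rproto" = any ] || [ "$rproto" = "$2" ] || continue
        [ "$rdport" = any ] || [ "$rdport" = "$3" ] || continue
        [ "$roif"   = any ] || [ "$roif"   = "$4" ] || continue
        echo "$rtarget"
        return 0
    done < "$CHAIN_FILE"
    echo ACCEPT
}

# The two commands from the thread, run in the order the reply describes:
#   iptables -I FORWARD -s 192.168.1.15 -o ppp0 -j REJECT
#   iptables -I FORWARD -s 192.168.1.15 -p udp --dport 123 -j ACCEPT
# Both use -I, so the ACCEPT (inserted last) ends up on top of the REJECT.
build_camera_chain() {
    : > "$CHAIN_FILE"
    chain_rule -I "$CAMERA" any any "$VPN_IF" REJECT
    chain_rule -I "$CAMERA" udp 123 any ACCEPT
}

# The same ACCEPT appended with -A instead: it lands below the REJECT and is
# never reached, which is exactly the "NTP sync failed" symptom.
build_camera_chain_wrong() {
    : > "$CHAIN_FILE"
    chain_rule -I "$CAMERA" any any "$VPN_IF" REJECT
    chain_rule -A "$CAMERA" udp 123 any ACCEPT
}

# Stand-alone demonstration: constructed packets, one NTP query and one HTTPS flow.
build_camera_chain
echo "correct order: camera NTP  -> $(chain_verdict "$CAMERA" udp 123 "$VPN_IF")"
echo "correct order: camera HTTPS -> $(chain_verdict "$CAMERA" tcp 443 "$VPN_IF")"
build_camera_chain_wrong
echo "wrong order:   camera NTP  -> $(chain_verdict "$CAMERA" udp 123 "$VPN_IF")"
```

Running it prints ACCEPT for the NTP query and REJECT for everything else from the camera towards the VPN interface when the rules are in the right order, and REJECT for NTP in the appended variant. The same first-match logic is what `iptables -L FORWARD -n --line-numbers` shows on the router, so checking that listing after adding the rules is the quickest way to confirm the ACCEPT really sits above the REJECT.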