I have seen something strange happening on my network. I have configured my firewall manually to open ports 80 and 443 for an internal webserver I am running, including NAT. Everything works fine.
Here is the iptables NAT configuration:
admin@Router:~$ sudo iptables -L -n -v -t nat
Chain PREROUTING (policy ACCEPT 578 packets, 63770 bytes)
pkts bytes target prot opt in out source destination
657 70703 MINIUPNPD all -- * * 0.0.0.0/0 0.0.0.0/0
657 70703 UBNT_PFOR_DNAT_HOOK all -- * * 0.0.0.0/0 0.0.0.0/0
657 70703 VYATTA_PRE_DNAT_HOOK all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DNAT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 match-set ADDRv4_eth0 dst /* NAT-1 */ to:192.168.10.50:80
4 256 DNAT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 match-set ADDRv4_eth0 dst /* NAT-2 */ to:192.168.10.50:443
Chain INPUT (policy ACCEPT 162 packets, 11101 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 283 packets, 84981 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 34 packets, 3448 bytes)
pkts bytes target prot opt in out source destination
486 105K UBNT_VPN_IPSEC_SNAT_HOOK all -- * * 0.0.0.0/0 0.0.0.0/0
486 105K UBNT_PFOR_SNAT_HOOK all -- * * 0.0.0.0/0 0.0.0.0/0
327 29526 VYATTA_PRE_SNAT_HOOK all -- * * 0.0.0.0/0 0.0.0.0/0
285 25506 MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0 /* NAT-5010 */
Chain MINIUPNPD (1 references)
pkts bytes target prot opt in out source destination
Chain UBNT_PFOR_DNAT_HOOK (1 references)
pkts bytes target prot opt in out source destination
273 37641 UBNT_PFOR_DNAT_RULES all -- eth0 * 0.0.0.0/0 0.0.0.0/0 match-set ADDRv4_eth0 dst
36 2304 UBNT_PFOR_DNAT_RULES all -- eth1 * 0.0.0.0/0 0.0.0.0/0 match-set ADDRv4_eth0 dst
Chain UBNT_PFOR_DNAT_RULES (2 references)
pkts bytes target prot opt in out source destination
Chain UBNT_PFOR_SNAT_HOOK (1 references)
pkts bytes target prot opt in out source destination
163 75370 UBNT_PFOR_SNAT_RULES all -- * eth1 0.0.0.0/0 0.0.0.0/0
Chain UBNT_PFOR_SNAT_RULES (1 references)
pkts bytes target prot opt in out source destination
159 75114 MASQUERADE all -- * eth1 0.0.0.0/0 0.0.0.0/0 match-set NETv4_eth1 src
Chain UBNT_VPN_IPSEC_SNAT_HOOK (1 references)
pkts bytes target prot opt in out source destination
Chain VYATTA_PRE_DNAT_HOOK (1 references)
pkts bytes target prot opt in out source destination
657 70703 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain VYATTA_PRE_SNAT_HOOK (1 references)
pkts bytes target prot opt in out source destination
327 29526 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
admin@Router:~$
At this point everything is fine and I can access my webserver from outside.
Now I have also enabled UPnP, and I have a D-Link Wi-Fi camera that uses UPnP. When I switch the camera on, it overwrites my manual firewall setting via UPnP, and instead of reaching my webserver from outside I get the management interface from the camera.
Here is the iptables NAT table after the camera is on:
admin@Router:~$ sudo iptables -L -n -v -t nat
Chain PREROUTING (policy ACCEPT 31 packets, 2478 bytes)
pkts bytes target prot opt in out source destination
2 128 DNAT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 to:192.168.10.189:443
0 0 DNAT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:192.168.10.189:80
1534 149K MINIUPNPD all -- * * 0.0.0.0/0 0.0.0.0/0
1534 149K UBNT_PFOR_DNAT_HOOK all -- * * 0.0.0.0/0 0.0.0.0/0
1534 149K VYATTA_PRE_DNAT_HOOK all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DNAT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 match-set ADDRv4_eth0 dst /* NAT-1 */ to:192.168.10.50:80
5 320 DNAT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 match-set ADDRv4_eth0 dst /* NAT-2 */ to:192.168.10.50:443
Chain INPUT (policy ACCEPT 16 packets, 1014 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 33 packets, 10340 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 9 packets, 896 bytes)
pkts bytes target prot opt in out source destination
1504 338K UBNT_VPN_IPSEC_SNAT_HOOK all -- * * 0.0.0.0/0 0.0.0.0/0
1504 338K UBNT_PFOR_SNAT_HOOK all -- * * 0.0.0.0/0 0.0.0.0/0
960 86865 VYATTA_PRE_SNAT_HOOK all -- * * 0.0.0.0/0 0.0.0.0/0
789 68829 MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0 /* NAT-5010 */
Chain MINIUPNPD (1 references)
pkts bytes target prot opt in out source destination
Chain UBNT_PFOR_DNAT_HOOK (1 references)
pkts bytes target prot opt in out source destination
474 61001 UBNT_PFOR_DNAT_RULES all -- eth0 * 0.0.0.0/0 0.0.0.0/0 match-set ADDRv4_eth0 dst
37 2364 UBNT_PFOR_DNAT_RULES all -- eth1 * 0.0.0.0/0 0.0.0.0/0 match-set ADDRv4_eth0 dst
Chain UBNT_PFOR_DNAT_RULES (2 references)
pkts bytes target prot opt in out source destination
Chain UBNT_PFOR_SNAT_HOOK (1 references)
pkts bytes target prot opt in out source destination
551 252K UBNT_PFOR_SNAT_RULES all -- * eth1 0.0.0.0/0 0.0.0.0/0
Chain UBNT_PFOR_SNAT_RULES (1 references)
pkts bytes target prot opt in out source destination
544 251K MASQUERADE all -- * eth1 0.0.0.0/0 0.0.0.0/0 match-set NETv4_eth1 src
Chain UBNT_VPN_IPSEC_SNAT_HOOK (1 references)
pkts bytes target prot opt in out source destination
Chain VYATTA_PRE_DNAT_HOOK (1 references)
pkts bytes target prot opt in out source destination
1534 149K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain VYATTA_PRE_SNAT_HOOK (1 references)
pkts bytes target prot opt in out source destination
960 86865 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
admin@Router:~$
I don't think UPnP devices should be allowed to overwrite manually entered firewall rules, should they?
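As an added check (example code, not part of the post): a small Python parser over the `iptables -L -n -v -t nat` output that walks the PREROUTING chain top-down, the order in which iptables evaluates it, and reports every commented (manually configured) port forward that an earlier uncommented DNAT rule, such as one inserted by miniupnpd, wins over. The sample dump is constructed from the second listing above.

```python
import re

# Constructed sample: the PREROUTING chain from the post's dump after the camera came up.
SAMPLE = """\
Chain PREROUTING (policy ACCEPT 31 packets, 2478 bytes)
 pkts bytes target prot opt in out source destination
    2   128 DNAT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 to:192.168.10.189:443
    0     0 DNAT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:192.168.10.189:80
 1534  149K MINIUPNPD all -- * * 0.0.0.0/0 0.0.0.0/0
 1534  149K UBNT_PFOR_DNAT_HOOK all -- * * 0.0.0.0/0 0.0.0.0/0
    0     0 DNAT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 match-set ADDRv4_eth0 dst /* NAT-1 */ to:192.168.10.50:80
    5   320 DNAT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 match-set ADDRv4_eth0 dst /* NAT-2 */ to:192.168.10.50:443
Chain INPUT (policy ACCEPT 16 packets, 1014 bytes)
 pkts bytes target prot opt in out source destination
"""

COMMENT_RE = re.compile(r"/\*\s*(.*?)\s*\*/")

def parse_prerouting_dnat(dump):
    """Return PREROUTING DNAT rules in table order as (proto, dport, target, comment);
    comment is None for rules without a /* ... */ comment (UPnP-added rules have none)."""
    rules, in_prerouting = [], False
    for line in dump.splitlines():
        if line.startswith("Chain "):
            in_prerouting = line.startswith("Chain PREROUTING ")
            continue
        f = line.split()
        if not in_prerouting or len(f) < 4 or f[2] != "DNAT":
            continue  # header row, jump to a sub-chain, or a rule of another type
        dport = next((int(t[4:]) for t in f if t.startswith("dpt:")), None)
        target = next((t[3:] for t in f if t.startswith("to:")), None)
        if dport is None or target is None:
            continue
        c = COMMENT_RE.search(line)
        rules.append((f[3], dport, target, c.group(1) if c else None))
    return rules

def find_shadowed_forwards(dump):
    """Map (proto, dport) -> (winning_target, shadowed_manual_target) for every commented
    forward that an earlier uncommented DNAT to a different host takes precedence over."""
    first, shadowed = {}, {}
    for proto, dport, target, comment in parse_prerouting_dnat(dump):
        key = (proto, dport)
        if key not in first:
            first[key] = (target, comment)  # first match decides the NAT outcome
        elif comment and first[key][1] is None and first[key][0] != target:
            shadowed[key] = (first[key][0], target)
    return shadowed

if __name__ == "__main__":
    for (proto, port), (winner, manual) in sorted(find_shadowed_forwards(SAMPLE).items()):
        print(f"{proto}/{port}: manual forward to {manual} is shadowed by {winner}")
```

Run it against a live dump by piping `sudo iptables -L -n -v -t nat` into `find_shadowed_forwards`; an empty result means the manual forwards are the first match for their ports.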