firewall-start - tentative script


Mathieu

Regular Contributor
Hi everyone
I am the proud owner of 2 cheap ipcams, made in China and notorious for causing all sorts of security issues.
I also intend to save in the cloud whatever those would capture, using a paid-for cloud service.
I understand there is a need to open ports on my firewall, and the cloud service has provided me a list of servers (and ports) through which it can communicate with the cams. What I am trying to achieve is that only traffic to and from the servers in the list can be allowed. As a bonus I would also want the cameras to be prevented from communicating with any IP address that wouldn't be in the list.

I am thinking of having the following 'script' added to the firewall-start custom file, and am eager to hear critiques / suggestions from those in the know (that would be you). Thank you...

#!/bin/bash

# Populate an array of known servers
ServerList=(aaa.aaa.aaa.aaa
bbb.bbb.bbb.bbb
...
zzz.zzz.zzz.zzz)

# I want to only allow the above servers (cloud storage) to access the lan through either [PortA] or [PortB]
# and direct the traffic to clients [Internal_IP_A] and [Internal_IP_B] (IP Cams), respectively
for ip in "${ServerList[@]}"
do
    # Allow incoming traffic
    iptables -I INPUT -s "$ip" -p tcp --dport [PortA] -j ACCEPT
    iptables -I INPUT -s "$ip" -p tcp --dport [PortB] -j ACCEPT
    # Redirect to internal client and send traffic back
    iptables -t nat -A PREROUTING -p tcp --dport [PortA] -j DNAT --to-destination [Internal_IP_A]
    iptables -t nat -A POSTROUTING -p tcp -d [Internal_IP_A] -j SNAT --to-source "$ip"
    iptables -t nat -A PREROUTING -p tcp --dport [PortB] -j DNAT --to-destination [Internal_IP_B]
    iptables -t nat -A POSTROUTING -p tcp -d [Internal_IP_B] -j SNAT --to-source "$ip"
done
 
That doesn't look right. But before going into why, can you confirm what you want to achieve. It looks like you want to allow the cloud service to access the cameras directly. I'd have thought that you would want it the other way around, with the cameras accessing the cloud service?
 
Hi Colin
In layman's terms, I would need the cameras to be able to 'stream' to the cloud, but I suspect (infer?) that the opposite is true, too, as the service should allow me to gain access to the camera for live images, through the cloud's servers. I appreciate this might probably be a slightly delayed live view, simply accessing the most recently backed up pics...
 
Can you describe how the cloud part of this setup is meant to work (particularly with regard to the live viewing)? Is it some sort of VPS?

EDIT: It sounds to me like you simply want to send the video files created by the cameras to some sort of cloud storage service, e.g. dropbox, onedrive, etc. And then if you need to you can view the uploaded files when away from home by logging into the cloud account and viewing the file. If that is the case then you don't need any scripts at all, you can just use the router's Network Services Filter.
 
They claim to be "an online host for streaming and storing compatible cameras and VR system footage to the cloud. Our platform offers an easy method of viewing and reviewing your recorded footage from anywhere in the world via our website or mobile app."
They don't get more specific. If there were more technical specs you'd like to know about, I will certainly raise them with the Cust support team.

Edit : changed 'Cost' for 'Cust'
 
I can't begin to guess how that works as I don't know anything about your cameras or the cloud service. I would assume that if you tell them what cameras you have they will let you know what changes, if any, need to be done on the router.
 
Thank you Colin. I will post any further developments.
 
OK I think I've found the cloud service you're referring to. They seem to assume that most people's cameras are running RTSP servers on port 554 and that is what they need you to port-forward on your router. Is that what your cameras use? Out of interest how many of their server addresses did they give you? If it's not that many you could just use the normal router menus to do that.
 
Yes that is the material I use. There are currently 30-odd cloud storage servers, but some may be added/deleted along the way, which could be tedious to maintain. That's why I thought of a script looping through a list that could be easily compared to current set up and amend it as necessary.

As I see it, I should make sure that:
- the cams are on a separate guest network and MAC filtered
- no inbound traffic other than from the server list should be permitted (as for outbound traffic, there's probably no need for any of it, contrary to what I thought at first),
- allow the relevant ports to be opened, but only for the cameras' internal IPs (or the whole of the dedicated guest network)...
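One way to turn the requirements above (forward only RTSP/554 to the camera, accept it only from the cloud server list, and stop the camera from starting any other connection) and the loop-over-a-list idea from the first post into a firewall-start script. This is an added example, not the script posted above nor anything from the cloud service; it is written for busybox sh, which is what Asuswrt-Merlin runs these scripts with, and the server addresses, camera IP, WAN interface name and chain name are placeholders.

```shell
#!/bin/sh
# Added example, not the thread's script: a firewall-start-style script for an
# Asuswrt-Merlin router that forwards RTSP/554 to one camera, lets only the
# servers in SERVERS reach it, and stops the camera from starting any other
# connection. Every address below is a constructed placeholder.
SERVERS="203.0.113.10 203.0.113.11 198.51.100.7"   # cloud servers (placeholders)
CAM_IP="192.168.101.20"                            # camera's guest-network IP
CAM_PORT="554"                                     # RTSP, as the service expects
WAN_IF="${WAN_IF:-eth0}"                           # WAN interface (assumption)
CHAIN="CAMGUARD"

# Print the rule set one command per line instead of running it, so the
# output can be reviewed, diffed against the last run, or piped to sh.
emit_rules() {
  # (re)create our own chains each run so re-running never duplicates rules
  echo "iptables -N $CHAIN 2>/dev/null; iptables -F $CHAIN"
  echo "iptables -t nat -N $CHAIN 2>/dev/null; iptables -t nat -F $CHAIN"
  echo "iptables -A $CHAIN -m state --state ESTABLISHED,RELATED -j ACCEPT"
  for ip in $SERVERS; do
    # cloud server -> camera on RTSP only; the DNAT in nat/PREROUTING has
    # already rewritten the destination to CAM_IP by the time FORWARD sees it
    echo "iptables -A $CHAIN -s $ip -d $CAM_IP -p tcp --dport $CAM_PORT -j ACCEPT"
    echo "iptables -t nat -A $CHAIN -i $WAN_IF -s $ip -p tcp --dport $CAM_PORT -j DNAT --to-destination $CAM_IP:$CAM_PORT"
  done
  # anything else to or from the camera is dropped: no outbound at all, and no
  # inbound from addresses not in the list (add a LAN ACCEPT above these two
  # lines if the camera is also viewed locally)
  echo "iptables -A $CHAIN -s $CAM_IP -j DROP"
  echo "iptables -A $CHAIN -d $CAM_IP -j DROP"
  # hook the chains in once; -C checks whether the jump already exists
  echo "iptables -C FORWARD -j $CHAIN 2>/dev/null || iptables -I FORWARD 1 -j $CHAIN"
  echo "iptables -t nat -C PREROUTING -j $CHAIN 2>/dev/null || iptables -t nat -I PREROUTING 1 -j $CHAIN"
}

# number of commands the current SERVERS list produces; compare between runs
# to see whether adding or removing a server changed the rule set
rule_count() { emit_rules | wc -l | tr -d ' '; }

# run with "apply" (e.g. from firewall-start) to load the rules; otherwise
# just print them for review
if [ "${1:-}" = "apply" ]; then
  emit_rules | sh
else
  emit_rules
fi
```

Updating the server list is then a matter of editing SERVERS and re-running with "apply"; because the script flushes its own chains first, the router ends up with exactly the current list and nothing stale.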
 