Well, you haven't really provided enough information to be able to help you.
But on the firewall/router machine, you will need to do NAT (Network Address Translation; in this case DNAT, Destination NAT), which will take a packet (in this case an HTTP request) from the internet and translate (change) the destination IP address to the camera's internal IP.
Using iptables, the rule would look something like this (assuming you aren't running any other web servers/etc)...
iptables -t nat -A PREROUTING -i $Wan_If -p tcp --dport 80 -j DNAT --to-destination $Camera_IP
iptables -A FORWARD -i $Wan_If -o $LAN_If -p tcp --dport 80 -j ACCEPT
The first rule does the NAT itself, and the second rule will allow it through the firewall. The second rule is only required if your default policy on the filter/FORWARD chain is DROP.
For something like this, I would normally recommend securing it by source IP, so only connections from allowed WAN IP addresses are allowed; this is not an option with a mobile device, which is most likely going to have a dynamic address. In a case such as this, you could also use a non-standard port and modify the DNAT rule in the above example to forward from dport "12345" to port 80 on the camera IP. This would also mean telling the client to connect using the alternate port.
The issue I see with securing something like this is not with the firewall, but with the camera itself. How well do you trust the developers of the camera?
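
The alternate-port variant described in the post, as an added example that is not part of the original answer: a small shell helper that validates its inputs and prints (does not apply) the two rules, with an optional single source address. The function names, interface names and addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: prints the DNAT + FORWARD rules for the alternate-port
# variant. It never runs iptables itself. All sample values are constructed.
# Assumes replies from the camera are already accepted (for example by an
# ESTABLISHED,RELATED rule) when the FORWARD policy is DROP.

# valid_port PORT -> succeeds if PORT is an integer in 1..65535
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# valid_ipv4 ADDR -> succeeds if ADDR is a dotted quad with octets 0..255
# (subshell body keeps the IFS change local)
valid_ipv4() (
    case "$1" in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    IFS=.; set -- $1
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
)

# forward_rules WAN_IF LAN_IF EXT_PORT CAMERA_IP [SOURCE_IP]
forward_rules() {
    wan_if=$1 lan_if=$2 ext_port=$3 camera_ip=$4 src=${5:-}
    valid_port "$ext_port" || { echo "bad port: $ext_port" >&2; return 1; }
    valid_ipv4 "$camera_ip" || { echo "bad camera IP: $camera_ip" >&2; return 1; }
    src_match=
    if [ -n "$src" ]; then
        valid_ipv4 "$src" || { echo "bad source IP: $src" >&2; return 1; }
        src_match="-s $src "
    fi
    # nat/PREROUTING sees the packet as the client sent it:
    # arriving on the WAN interface, addressed to the external port.
    echo "iptables -t nat -A PREROUTING -i $wan_if ${src_match}-p tcp --dport $ext_port -j DNAT --to-destination $camera_ip:80"
    # filter/FORWARD runs after DNAT, so it must match the camera's
    # address and port 80, not the external port.
    echo "iptables -A FORWARD -i $wan_if -o $lan_if ${src_match}-p tcp -d $camera_ip --dport 80 -j ACCEPT"
}

# Constructed sample: WAN eth0, LAN eth1, external port 12345, camera 192.168.1.50
forward_rules eth0 eth1 12345 192.168.1.50
# Same forward, limited to one constructed client address
forward_rules eth0 eth1 12345 192.168.1.50 203.0.113.7
```

Review the printed rules before applying them as root; the client then connects to the router's WAN address on port 12345.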