LinuxQuestions.org
Old 02-16-2008, 10:19 AM   #1
rdmapes
LQ Newbie
 
Registered: Feb 2003
Location: Vermont
Distribution: Fedora4,6 - Ubuntu
Posts: 8

Rep: Reputation: 0
What are IPTABLES rules to secure video feed?


Good Day All,
My static world IP is 216.xxx.xxx.xx provided by my ISP
My ISP internal IP is 10.xx.xx.xx also provided by my ISP
Internal network uses 192.168.10.x
I have been doing some reading and having a bit of trouble.
I am using Motion for keeping an eye on things when I am not home. I have port 8801 set up to stream. I also have apache2 configured to require a login. I get the prompt from the apache2 server for authentication, login prompt. I can login, get the webpage. I would like to know how to control port 8801 so that the world cannot view the stream. I created an internal webpage with img src links, as well as cambozola. Below are what my rules look like for IPTABLES.

I have found that I need this one in order to do anything. This rule opens up the port, but also to the world. I have tried different variations, but still end up w/ the same problem. World access.
-A tcp_packets -p tcp -m tcp --dport 8801 -j allowed

Here is where I reroute to my internal ip & port
-A PREROUTING -d 10.x.x.x -p tcp -m tcp --dport 8801 -j DNAT --to-destination 192.168.10.90:8801
-A PREROUTING -d 10.x.x.x -p udp -m udp --dport 8801 -j DNAT --to-destination 192.168.10.90:8801

Here is where I forward internally.
-A FORWARD -d 192.168.10.90 -i eth0 -p tcp -m tcp --dport 8801 -j LOG --log-prefix "REDIRECT Motion: "
-A FORWARD -d 192.168.10.90 -i eth0 -p tcp -m tcp --dport 8801 -j ACCEPT

I would like to know if there is a way to view the stream after a successful login?
Here is a copy of some of the html from the index file.
<applet code=com.charliemouse.cambozola.Viewer
archive=cambozola.jar width="320" height="240" style="border-width:1; border-color:gray; border-style:solid;">
<param name=url value="http://216.x.x.x:8801">
</applet>

<!-- same viewer pointed at the ISP-side address; commented out with a proper HTML comment -->
<!--
<applet code=com.charliemouse.cambozola.Viewer
archive=cambozola.jar width="320" height="240" style="border-width:1; border-color:gray; border-style:solid;">
<param name=url value="http://10.x.x.x:8801">
</applet>
-->

<applet code=com.charliemouse.cambozola.Viewer
archive=cambozola.jar width="320" height="240" style="border-width:1; border-color:gray; border-style:solid;">
<param name=url value="http://192.168.10.90:8801">
</applet>

<br />
<img src="http://216.x.x.x:8801/" width="320" height="240" />
<!-- <img src="http://10.x.x.x:8801/" width="320" height="240" /> -->
<img src="http://192.168.10.90:8801/" width="320" height="240" />

If more info is needed let me know. This is cool stuff, but I get a little lost with iptables. I am not sure if iptables is where I need to do this. I am sure that someone has been through this and can provide some insight.

Thanks,
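An added audit check (not from the thread or from rdmapes) that runs over rules in the shape posted above: it flags every ACCEPT/DNAT/allowed rule that opens a destination port without a private-range -s restriction, which is exactly why the --dport 8801 rules above are reachable from the world. The sample rules are constructed, with the masked octets replaced by placeholder addresses.

```python
"""Flag iptables-save style rules that open a port to any source address."""
import ipaddress
import shlex

# Constructed sample modelled on the rules posted in the thread (x's replaced
# by placeholder octets); the last rule shows a LAN-restricted variant.
SAMPLE_RULES = """
-A tcp_packets -p tcp -m tcp --dport 8801 -j allowed
-A PREROUTING -d 10.0.0.1 -p tcp -m tcp --dport 8801 -j DNAT --to-destination 192.168.10.90:8801
-A FORWARD -d 192.168.10.90 -i eth0 -p tcp -m tcp --dport 8801 -j LOG --log-prefix "REDIRECT Motion: "
-A FORWARD -d 192.168.10.90 -i eth0 -p tcp -m tcp --dport 8801 -j ACCEPT
-A INPUT -s 192.168.10.0/24 -p tcp -m tcp --dport 8801 -j ACCEPT
"""

# Targets that let traffic through; 'allowed' is the poster's own user chain.
OPENING_TARGETS = {"ACCEPT", "DNAT", "allowed"}
FLAGS = {"-A": "chain", "-p": "proto", "--dport": "dport", "-s": "src", "-j": "target"}


def parse_rule(line):
    """Turn one '-A ...' line into a dict of the options the audit needs."""
    toks = shlex.split(line)  # shlex keeps quoted values like "REDIRECT Motion: " intact
    rule = {key: None for key in FLAGS.values()}
    for i, tok in enumerate(toks):
        if tok in FLAGS and i + 1 < len(toks):
            rule[FLAGS[tok]] = toks[i + 1]
    return rule


def source_is_private(src):
    """True only if -s was given and names a private range (not 0.0.0.0/0)."""
    if src is None:
        return False
    try:
        net = ipaddress.ip_network(src, strict=False)
    except ValueError:
        return False
    return net.prefixlen > 0 and net.is_private


def world_open_ports(rules_text):
    """Return [(chain, proto, dport)] for rules that open a port to any source.

    -i alone is not treated as a restriction: nothing in the rule says whether
    that interface faces the LAN or the ISP.
    """
    findings = []
    for line in rules_text.splitlines():
        if not line.startswith("-A"):
            continue
        r = parse_rule(line)
        if r["target"] in OPENING_TARGETS and r["dport"] and not source_is_private(r["src"]):
            findings.append((r["chain"], r["proto"], r["dport"]))
    return findings


if __name__ == "__main__":
    for chain, proto, port in world_open_ports(SAMPLE_RULES):
        print(f"{chain}: {proto}/{port} is reachable from any source address")
```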
 
Old 02-17-2008, 08:08 AM   #2
Deleriux
Member
 
Registered: Nov 2003
Posts: 89

Rep: Reputation: 17
The only way I can think of is to use stunnel to encrypt the stream on port 8801 and then use stunnel on your client side to authenticate and provide access to the stream.

I wouldn't know how to do that without a whole bunch of research as you'd need to configure stunnel to verify the connector as well as the connector verifying the server.

That, or some kind of VPN setup.

To be frank this software you have should provide you with an authentication layer, then you wouldn't be hacking around the problem.
 
Old 02-17-2008, 11:07 AM   #3
rdmapes
LQ Newbie
 
Registered: Feb 2003
Location: Vermont
Distribution: Fedora4,6 - Ubuntu
Posts: 8

Original Poster
Rep: Reputation: 0
Deleriux,
I thought about openvpn, but I am wondering why apache or iptables could not handle the task. All that I have read leads me back to your last statement. Motion should provide the authentication. It may, but I have not found out how to do it yet.
I continue to read and tinker....
On the other hand I am happy with Motion. It works well to keep an eye on things, I ftp images off site, get email on my phone when something is detected.
Thanks for adding your thoughts.

Regards,
Ron
 
Old 02-17-2008, 11:10 AM   #4
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
Since you may connect from any IP address, ip_tables won't be able to help you other than blocking all connection attempts. You said it ftp's the pictures. You can secure your ftp site with a username & password or use sftp.
All times are GMT -5.