Good Day All,
My static world IP is 216.xxx.xxx.xx provided by my ISP
My ISP internal IP is 10.xx.xx.xx also provided by my ISP
Internal network uses 192.168.10.x
I have been doing some reading and having a bit of trouble.
I am using Motion for keeping an eye on things when I am not home. I have port 8801 set up to stream. I also have apache2 configured to require a login. I get the authentication (login) prompt from the apache2 server, I can log in, and I get the webpage. I would like to know how to control port 8801 so that the world cannot view the stream. I created an internal webpage with img src links, as well as cambozola. Below is what my rules look like for IPTABLES.
I have found that I need this one in order to do anything. This rule opens up the port, but also to the world. I have tried different variations, but still end up with the same problem: world access.
-A tcp_packets -p tcp -m tcp --dport 8801 -j allowed
Here is where I reroute to my internal ip & port
-A PREROUTING -d 10.x.x.x -p tcp -m tcp --dport 8801 -j DNAT --to-destination 192.168.10.90:8801
-A PREROUTING -d 10.x.x.x -p udp -m udp --dport 8801 -j DNAT --to-destination 192.168.10.90:8801
Here is where I forward internally.
-A FORWARD -d 192.168.10.90 -i eth0 -p tcp -m tcp --dport 8801 -j LOG --log-prefix "REDIRECT Motion: "
-A FORWARD -d 192.168.10.90 -i eth0 -p tcp -m tcp --dport 8801 -j ACCEPT
I would like to know if there is a way to view the stream after a successful login?
Here is a copy of some of the html from the index file.
<applet code=com.charliemouse.cambozola.Viewer
archive=cambozola.jar width="320" height="240" style="border-width:1; border-color:gray; border-style:solid;">
<param name=url value="http://216.x.x.x:8801">
</applet>
If more info is needed let me know. This is cool stuff, but I get a little lost with iptables. I am not sure if iptables is where I need to do this. I am sure that someone has been through this and can provide some insight.
The only way I can think of is to use stunnel to encrypt the stream on port 8801 and then use stunnel on your client side to authenticate and provide access to the stream.
I wouldn't know how to do that without a whole bunch of research, as you'd need to configure stunnel to verify the connector as well as the connector verifying the server.
That, or some kind of VPN setup.
To be frank this software you have should provide you with an authentication layer, then you wouldn't be hacking around the problem.
Deleriux,
I thought about openvpn, but wondering why apache or iptables could not handle the task. All that I have read leads me back to your last statement. Motion should provide the authentication. It may, but I have not found out how to do it yet.
I continue to read and tinker....
On the other hand I am happy with Motion. It works well to keep an eye on things, I ftp images off site, get email on my phone when something is detected.
Thanks for adding your thoughts.
Since you may connect from any IP address, ip_tables won't be able to help you other than blocking all connection attempts. You said it ftp's the pictures. You can secure your ftp site with a username & password or use sftp.
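An added example, not from this thread or from the Motion project, of the approach the replies point at: keep port 8801 off the public side entirely and let Apache (which already has the login) fetch the stream from the Motion host on the poster's behalf via mod_proxy. It assumes the Motion host is 192.168.10.90:8801 as in the post, that mod_proxy and mod_proxy_http are enabled, and an htpasswd file at /etc/apache2/motion.htpasswd (assumed path).

```apache
# Added example. Assumes: a2enmod proxy proxy_http has been run,
# and the same user list the poster already uses for the index page.
<VirtualHost *:80>
    # Placeholder name for the public side of the firewall box.
    ServerName camera.example.com

    # Never act as an open forward proxy; only the reverse mapping below.
    ProxyRequests Off

    <Location "/stream/">
        # Reuse the existing Apache login for the stream itself.
        AuthType Basic
        AuthName "Motion camera"
        AuthUserFile /etc/apache2/motion.htpasswd
        Require valid-user

        # Motion's MJPEG stream on the internal host. The browser only ever
        # talks to Apache, so port 8801 no longer needs to be reachable
        # from the world at all.
        ProxyPass        http://192.168.10.90:8801/
        ProxyPassReverse http://192.168.10.90:8801/
    </Location>
</VirtualHost>
```

With this in place the `img src` and the cambozola `url` param in the index page point at `/stream/` instead of `http://216.x.x.x:8801`, so the browser sends the same credentials it used for the page, and the `--dport 8801 -j allowed` rule and the two PREROUTING DNAT lines can be dropped so 8801 is reachable only from the 192.168.10.x side. Basic-auth credentials travel in the clear on port 80, so the same VirtualHost is better served on 443 with TLS, which also covers the encryption part of the stunnel suggestion above.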