LinuxQuestions.org
Old 09-23-2008, 12:28 AM   #1
simke
Member
 
Registered: May 2004
Location: Malaysia
Distribution: Fedora Core 15, Open Suse 11.4, Ubuntu 11.04, Knoppix 5.1.1, Debian 6.0
Posts: 42

Rep: Reputation: 15
Configure Fedora (PC Gateway) to access DVR from Internet


G'day. I need help on the above mentioned!
My Internet Gateway PC runs on Fedora 9; it has 2 network cards:
eth0=192.168.0.1 (inside)
eth1=192.168.1.2 (outside)
My ADSL modem IP is 192.168.1.1 (connected to eth1 above).
All my networked PCs' static IPs start from 192.168.0.100 to 192.168.0.199, dynamic IPs start from 192.168.0.200 to 192.168.0.254, and the Gateway IP is 192.168.0.1.
I recently installed CCTV with a DVR recorder. The DVR IP is 192.168.0.190, web port=1500, command port=9000, stream port=9001.
From an internal networked PC, to access the DVR, we type in http://192.168.0.190:1500 (no problem accessing it).
From the Internet, to access the DVR, we type in http://sinaran.dyndns.org:1500 (cannot access it at all).
Could someone please guide me on how to configure my Fedora 9 in order to access the DVR from the Internet?
Thank you.
 
Old 09-28-2008, 04:51 AM   #2
OdinnBurkni
Member
 
Registered: Feb 2007
Location: Iceland
Distribution: Fedora 14, CentOS, FreeNAS
Posts: 127

Rep: Reputation: 20
Port forwarding

Hi there.
I'm not sure if I can help but let's try.
What you need (I haven't used dyndns though) is a port forward in your iptables. What I do is use a custom script so it's easy to implement on a new system. I'll put the code here:
Code:
#!/bin/bash

####################
# Here we create names and connect it to interfaces and subnets
# then we don't have to change IP here and there, just all in one place
# Because of that we can use this as a template, only one place to
# change.

LAN1="eth1"
#LAN2="eth2"
#LAN3="eth3"
WAN="eth0"
VPN1="ipsec0"
LAN_SUB1="192.168.1.0/24"
#LAN_SUB2="192.168.2.0/24"
#LAN_SUB3="192.168.3.0/24"
VPN_SUB1="192.168.10.0/24"
WANIP1="xxx.xxx.xxx.xxx"
#WANIP2=

####################
# What is left:
# * Reject everything, not just tcp connections
# *

modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe ip_nat_irc

iptables -Z             # Reset counters

iptables -t filter -F   # clear filter table
iptables -t filter -X

iptables -t filter -P INPUT ACCEPT
iptables -t filter -P OUTPUT ACCEPT
iptables -t filter -P FORWARD DROP

iptables -t nat -F      # clear nat table
iptables -t nat -X

iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT

####################
# Packet spoofing protection
iptables -t filter -N EVILNETS
iptables -t filter -A EVILNETS -s 192.168.0.0/16	-j REJECT
iptables -t filter -A EVILNETS -s 10.0.0.0/8		-j REJECT
iptables -t filter -A EVILNETS -s 172.16.0.0/12		-j REJECT

# Kill "standard-evil" stuff
iptables -t filter -N STDEVILSTUFF
iptables -t filter -A STDEVILSTUFF -p igmp		-j REJECT
iptables -t filter -A STDEVILSTUFF -p icmp --icmp-type 13	-j DROP

# Speed bumps
iptables -t filter -N SPEEDBUMPS

####################
# Apply the evilnetstuff and standard evil stuff to out interfaces
iptables -t filter -N OUT_INTERFACES
iptables -t filter -A OUT_INTERFACES -i $WAN		-j EVILNETS     # Spoofing protection
iptables -t filter -A OUT_INTERFACES -i $WAN    	-j STDEVILSTUFF # Kill evil crap

####################
# Not all MAC addresses are allowed to travel through eth2
# This will allow us to limit traffic to specific MAC addresses
# The format needs to be xx:xx:xx:xx:xx:xx for this to work.
# Then you have to uncomment the lines

#iptables -t filter -N MAC_FILTER

#iptables -t filter -A MAC_FILTER -i $LAN2 --match mac --mac-source 00:00:00:00:00:00 -j ACCEPT

# OK HiJacker!  HiJack This!
#iptables -t filter -A MAC_FILTER -i $LAN2                       -j DROP


####################
# Forwards
# Here we say which traffic is allowed between interfaces
iptables -t filter -N FORWARDS

# LAN1
iptables -t filter -A FORWARDS -s $LAN_SUB1 -i $LAN1 -o $WAN -j ACCEPT
iptables -t filter -A FORWARDS -d $LAN_SUB1 -i $WAN -o $LAN1 -j ACCEPT
iptables -t filter -A OUTPUT -s $LAN_SUB1 -o $WAN	-j ACCEPT

# LAN2
#iptables -t filter -A FORWARDS -s $LAN_SUB2 -i $LAN2 -o $WAN	-j ACCEPT
#iptables -t filter -A FORWARDS -d $LAN_SUB2 -i $WAN -o $LAN2 -j ACCEPT
#iptables -t filter -A OUTPUT -s $LAN_SUB2 -o $WAN	-j ACCEPT


####################
# Portforward
# Here is a portforward example
# For this to work you have to uncomment the lines

iptables -t nat -N DNATS

iptables -t nat -A DNATS -d sinaran.dyndns.org -p tcp -m tcp --dport 1500 -j DNAT --to 192.168.0.190:1500
####################
# Protection for local machine applied.
iptables -t filter -A INPUT -i lo			-j ACCEPT
iptables -t filter -A INPUT	-j OUT_INTERFACES # Kill evil packets
iptables -t filter -A INPUT -p tcp --dport 22		-j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 21		-j ACCEPT
iptables -t filter -A INPUT -p udp --dport 21		-j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 80		-j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 8080		-j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 443		-j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 161		-j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 3389		-j ACCEPT
iptables -t filter -A INPUT -p udp --dport 3389		-j ACCEPT
iptables -t filter -A INPUT -p udp --dport 3390		-j ACCEPT
#iptables -t filter -A INPUT -p tcp --dport 1723	-j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 1149		-j ACCEPT
#iptables -t filter -A INPUT -p udp --dport 500		-j ACCEPT
#iptables -t filter -A INPUT -p udp --dport 3390 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 9000	-j ACCEPT # radius-db :)
iptables -t filter -A INPUT -p tcp --syn       -j REJECT  # Reject incoming connections

####################
# DNAT, MASQ and FORWARDS
# Tables put to work
iptables -t filter -A FORWARD				-j SPEEDBUMPS
#iptables -t filter -A FORWARD				-j MAC_FILTER
iptables -t filter -A FORWARD				-j FORWARDS

#iptables -t nat -A PREROUTING		-j DNATS	# portforwards

iptables -t nat -A POSTROUTING -o lo			-j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN -s $LAN_SUB1 -j SNAT --to $WANIP1
#iptables -t nat -A POSTROUTING -o $WAN -s $LAN_SUB2 -j SNAT --to $WANIP1
iptables -t nat -A POSTROUTING -o $WAN			-j ACCEPT


####################
I'll explain a little.
In portforwarding you put the port you want to forward and that doesn't have to be the same source and destination port. I put there one example of dnat.
You save this script under /etc/rc.d and name it something like rc.myscript.iptables. Then you have to make changes to your rc.local, which should also be under /etc/rc.d. It should look something like this:
Code:
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

touch /var/lock/subsys/local

/etc/rc.d/rc.myscript.iptables
I hope this helps.

Regards,
Odinn Burkni
 
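An added example, not code from the thread or from either poster: a small shell script that prints (or, with --apply, runs) the rules for the original poster's own topology, eth0 inside, eth1 outside, DVR at 192.168.0.190 on ports 1500/9000/9001, rather than the template's interface names. It assumes the ADSL modem at 192.168.1.1 already forwards those three ports to the gateway's outside address 192.168.1.2, and that the DVR ports are TCP; WAN, LAN, DVR and DVR_PORTS are the values to adjust.

```shell
#!/bin/sh
# Added example for the topology in the original post, not the poster's script.
# eth0 = inside (192.168.0.1), eth1 = outside (192.168.1.2, behind the ADSL
# modem 192.168.1.1), DVR = 192.168.0.190, TCP ports 1500 (web), 9000
# (command), 9001 (stream).
# Assumptions: the modem forwards these three ports to 192.168.1.2, the DVR
# protocols are TCP (check the DVR manual for UDP ports), and the gateway
# already masquerades the LAN for ordinary Internet access.

WAN="eth1"
LAN="eth0"
DVR="192.168.0.190"
DVR_PORTS="1500 9000 9001"

# Emit the rules one per line so they can be reviewed before being applied.
dvr_forward_rules() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    # Match on the arriving interface, not on the dyndns name: packets that
    # reach eth1 carry 192.168.1.2 as destination (the modem rewrote them),
    # and a hostname in a rule is resolved only once, when the rule is loaded.
    for port in $DVR_PORTS; do
        echo "iptables -t nat -A PREROUTING -i $WAN -p tcp --dport $port -j DNAT --to-destination ${DVR}:${port}"
        # Only the DNATed DVR ports may cross from outside to inside...
        echo "iptables -A FORWARD -i $WAN -o $LAN -p tcp -d $DVR --dport $port -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
    done
    # ...and only replies to those connections may travel back out.
    echo "iptables -A FORWARD -i $LAN -o $WAN -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Number of ports exposed from the outside; a quick sanity check that the
# rule set opens exactly the DVR ports and nothing more.
dvr_exposed_ports() {
    dvr_forward_rules | grep -c '^iptables -t nat -A PREROUTING'
}

if [ "$1" = "--apply" ]; then
    dvr_forward_rules | sh -e      # must be run as root
else
    dvr_forward_rules
fi
```

Run it without arguments first and read the printed rules; they are appended, so they take effect before a DROP policy on FORWARD but after any earlier REJECT rules already in that chain.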
Old 09-28-2008, 11:05 PM   #3
simke
Member
 
Registered: May 2004
Location: Malaysia
Distribution: Fedora Core 15, Open Suse 11.4, Ubuntu 11.04, Knoppix 5.1.1, Debian 6.0
Posts: 42

Original Poster
Rep: Reputation: 15
G'day OdinnBurkni. Thank you very much for your detailed help on the iptables script. I will try it out & post back the result to you soon.
 