Let's say I have an IP camera that can connect both via wireless and via ethernet. However, this camera is from China, and I'm not trusting blindly any software from China to leave it open to the internet inside my house. So, as a solution, I wanted to setup a raspberry pi to respond to ethernet frames with it, since I know the entire ONVIF protocol (the protocol the camera uses to interact with the client) and can block any unwanted connections from her. For now, I blocked her from acessing the internet by blacklisting its IP in the router, but it's not enough for me. I don't leave her open to the world. The way I'm doing rigth know is the following:

I open an SSH fowarding port from JuiceSSH on android, and connect through tinyCam monitor (an ip camera monitor app) to this SSH port, which redirects my traffic locally from raspberry pi to the camera.

However, I wanted to connect lots of cameras to my raspberry pi, without having to do all this stuff. Basically, raspberry pi would be the ethernet or wireless 'host' for these cameras. I would filter all packets and only allow those who contain SOAP messages and the RTSP protocol (real time streaming protocol), which are directed to my IP address. The cameras will have no connection to the internet at all, but would be tricked in thinking there is somebody connected to them locally. Also, they wouldn't even be able to talk with other computers in the network. Basically, I want to create a way to access these cameras without having to trust their software. I can't trust software from China who doesn't even support TLS and connects to a website with no support HTTPs, so I can access the camera from there.

There are 2 options I want to explore and learn:

1) making my raspberry pi act as a wireless host, but block efficiently all the packets I want to, except those who'll be fowared to me, which are the ones that contain: SOAP messages and RTSP messages.

2) making my raspberry pi act as a ethernet host and foward the SOAP as RTSP messages to my client, via internet.

these 2 ways are gonna make me trust an updated linux SSH client, rather than a strange client from China which I barely have idea how insecure it is, and I'll only need to leave one port open to the world, which is the SSH one, and I'll only connect to it with TLS certificates in the client side, so my setup will be pretty secure.

The ethernet idea is better, in my opinion, because I don't need to trust that the wireless connectivity of the camera can't be exploited.

Could somebody tell me what do I have to do to start developing these filters for ethernet or wireless? I know it's a long way, it's nothing that I will learn in one day, but I'm looking for ideas from you guys in how to learn all this.

Thanks!