Mathieu
Regular Contributor
Hi everyone
I am the proud owner of 2 cheap ipcams, made in China and notorious for causing all sort of security issues.
I also intend to save in the cloud whatever those would capture, using a paid-for cloud service.
I understand there is a need to open ports on my firewall, and the cloud service has provided me a list of servers (and ports) through which it can communicate with the cams. What I am trying to achieve is that only traffic to and from the servers in the list can be allowed. As a bonus I would also want the cameras to be prevented from communicating with any IP address that wouldn't be in the list.
I am thinking of having the following 'script' added to the firewall-start custom file, and am eager to hear critics / suggestions from those in the know (that would be you). Thank you...
#!/bin/bash
# Populate an array of known servers
ServerList=(aaa.aaa.aaa.aaa
bbb.bbb.bbb.bbb
...
zzz.zzz.zzz.zzz)
# I want to only allow the above servers (cloud storage) to access the lan through either [PortA] or [PortB]
# and direct the traffic to clients [Internal_IP_A] and [Internal_IP_B] (IP Cams), respectively
for ip in "${ServerList[@]}
do
# Allow incoming traffic
iptables -I INPUT -s $ip -p tcp --dport [PortA] -j ACCEPT
iptables -I INPUT -s $ip -p tcp --dport [PortB] -j ACCEPT
# Redirect to internal client and send traffic back
iptables -t nat -A PREROUTING -p tcp --dport [PortA] -j DNAT --to-destination [Internal_IP_A]
iptables -t nat -A POSTROUTING -p tcp -d [Internal_IP_A] -j SNAT --to-source $ip
iptables -t nat -A PREROUTING -p tcp --dport [PortB] -j DNAT --to-destination [Internal_IP_B]
iptables -t nat -A POSTROUTING -p tcp -d [Internal_IP_B] -j SNAT --to-source $ip
done
I am the proud owner of 2 cheap ipcams, made in China and notorious for causing all sort of security issues.
I also intend to save in the cloud whatever those would capture, using a paid-for cloud service.
I understand there is a need to open ports on my firewall, and the cloud service has provided me a list of servers (and ports) through which it can communicate with the cams. What I am trying to achieve is that only traffic to and from the servers in the list can be allowed. As a bonus I would also want the cameras to be prevented from communicating with any IP address that wouldn't be in the list.
I am thinking of having the following 'script' added to the firewall-start custom file, and am eager to hear critics / suggestions from those in the know (that would be you). Thank you...
#!/bin/bash
# Populate an array of known servers
ServerList=(aaa.aaa.aaa.aaa
bbb.bbb.bbb.bbb
...
zzz.zzz.zzz.zzz)
# I want to only allow the above servers (cloud storage) to access the lan through either [PortA] or [PortB]
# and direct the traffic to clients [Internal_IP_A] and [Internal_IP_B] (IP Cams), respectively
for ip in "${ServerList[@]}
do
# Allow incoming traffic
iptables -I INPUT -s $ip -p tcp --dport [PortA] -j ACCEPT
iptables -I INPUT -s $ip -p tcp --dport [PortB] -j ACCEPT
# Redirect to internal client and send traffic back
iptables -t nat -A PREROUTING -p tcp --dport [PortA] -j DNAT --to-destination [Internal_IP_A]
iptables -t nat -A POSTROUTING -p tcp -d [Internal_IP_A] -j SNAT --to-source $ip
iptables -t nat -A PREROUTING -p tcp --dport [PortB] -j DNAT --to-destination [Internal_IP_B]
iptables -t nat -A POSTROUTING -p tcp -d [Internal_IP_B] -j SNAT --to-source $ip
done
