# Creative Labs: Live! Wireless (Webcam) and iptables (dnsmasq)

## Varsuuk

I purchased a Creative Live! Wireless webcam with the intention of using its webserver interface to let the grandparents in Florida see our child.

The setup was easy and I got it working locally (by typing its local IP).

However, I naively tried to do:

```
-A PREROUTING -i eth1 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.1.242
```

as well as:

```
-A INPUT -i eth1 -p tcp -m tcp --dport 8080 -j ACCEPT
```

inside the iptables conf file. eth0 is my internal net (192.168.1.x) and eth1 is my ISP net.

I have a friend doing DDS for me already, he directs my domains to my apache server. This works fine.

I wanted something 'wireless' because 1) the baby moves around, 2) his bedroom is not easily wired for net, nor is there ROOM for a PC in there ;)

Note, the instructions say I should set up my router to make the IP of the webcam server the DMZ zone IP. This makes me wonder if it is an issue with other non-specified ports?

Ideas anyone? Hopefully someone has it working already.

---Dan

PS: using dnsmasq for dhcp and masquerading

----------

## Varsuuk

OK... upon further (TEDIOUS and fruitless) study...

I assumed port forwarding was working since I originally started Bittorrent and it said something about being behind firewall and I added 

```
-A PREROUTING -i eth1 -p tcp -m tcp --dport 61900:61999 -j DNAT --to-destination 192.168.1.100
-A PREROUTING -i eth1 -p udp -m udp --dport 61900:61999 -j DNAT --to-destination 192.168.1.100
```

(wasn't sure if udp also needed?)

to the rules-save and this made the message at the bottom right corner go poof and no longer said behind a firewall.

HOWEVER...

I went to my laptop, also running gentoo (wlan) and checked the IP X.X.X.102. I added a rule for 9090 (and 60000 later on) to forward the port:

```
-A PREROUTING -i eth1 -p tcp -m tcp --dport 60000 -j DNAT --to-destination 192.168.1.102
```

and in the filter table section (for good measure since it didn't work the other way and is required for my web server to accept 80...)

```
-A INPUT -i eth1 -p tcp -m tcp --dport 60000 -j ACCEPT
```

Then I ran a prog I use at work (s2o... server 2 output - puts anything it reads on stdout) on port 60000 and I fed it from another term with f2c (file 2 client) using the ISP inet addy of my linux router/firewall and port 60000. No luck, no response from server.

So I think I do not in fact have forwarding working...

The current (I've tried a lot of mods lol) rules-save:

```
# Generated by iptables-save v1.3.5 on Thu Jul 13 02:35:24 2006
*nat
:PREROUTING ACCEPT
:POSTROUTING ACCEPT
:OUTPUT ACCEPT
-A PREROUTING -i eth1 -p tcp -m tcp --dport 61900:61999 -j DNAT --to-destination 192.168.1.100
-A PREROUTING -i eth1 -p udp -m udp --dport 61900:61999 -j DNAT --to-destination 192.168.1.100
-A PREROUTING -i eth1 -p tcp -m tcp --dport 60000 -j DNAT --to-destination 192.168.1.102
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
# Completed on Thu Jul 13 02:35:24 2006
# Generated by iptables-save v1.3.5 on Thu Jul 13 02:35:24 2006
*filter
:INPUT ACCEPT
:FORWARD DROP
:OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -i ! eth0 -p udp -m udp --dport 67 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i ! eth0 -p udp -m udp --dport 53 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth1 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --sport 1024:65535 --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 60000 -j ACCEPT
-A INPUT -i ! eth0 -p tcp -m tcp --dport 0:1023 -j DROP
-A INPUT -i ! eth0 -p udp -m udp --dport 0:1023 -j DROP
-A FORWARD -d 192.168.1.0/255.255.255.0 -i eth0 -j DROP
-A FORWARD -s 192.168.1.0/255.255.255.0 -i eth0 -j ACCEPT
-A FORWARD -d 192.168.1.0/255.255.255.0 -i eth1 -j ACCEPT
COMMIT
# Completed on Thu Jul 13 02:35:24 2006
```

HELP?

hehe I used http://www.gentoo.org/doc/en/home-router-howto.xml as the basis for originally setting up my linux router/dnsmasq etc. and all works well (meaning I can ssh and http to the main box).

Results of tcpdump, stopped after one 'cycle':

```
merlin iptables # tcpdump -q port 60000
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
00:08:17.371341 IP strider.XXXX.com.48814 > XXXX.dyn.optonline.net.60000: tcp 0
00:08:17.371381 IP XXXX.dyn.optonline.net.60000 > strider.XXXX.com.48814: tcp 0
2 packets captured
2 packets received by filter
0 packets dropped by kernel
```

------------------

I was told there should be another line something like:

```
00:08:17.371381 IP XXXX.dyn.optonline.net.60000 > 192.168.1.102: tcp 0
```

(with -vv setting on, it had:  (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: TCP (6), length: 40)  as extra info on the attempts)

if it is forwarded...?
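The following is an added example, not the poster's configuration or anything from the Gentoo howto. It is a small model of how netfilter walks one TCP SYN through the TCP rules transcribed from the rules-save in this thread: nat/PREROUTING (where DNAT happens), then the routing decision, then filter/INPUT if the packet is for one of the router's own addresses or filter/FORWARD otherwise. The public address 203.0.113.10, the router's LAN address 192.168.1.1 and the two client addresses are constructed. Two things worth seeing: a SYN arriving on eth1 for port 60000 is rewritten to 192.168.1.102 and accepted by the third FORWARD rule, while the same SYN arriving on eth0 (a LAN host, such as the laptop, connecting to the ISP address) never matches the `-i eth1` DNAT rules, so it is routed to the router itself and handled by INPUT. That second path is consistent with a capture on eth0 that shows only the SYN and the router's own reply and never a packet toward 192.168.1.102, although whether `strider` was on the LAN is an assumption here.

```python
"""Toy model of netfilter traversal for the rules posted in this thread.

Added example. One TCP SYN passes nat/PREROUTING (DNAT), the routing
decision, then filter/INPUT or filter/FORWARD. Addresses are constructed.
"""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional, Tuple

ROUTER_EXTERNAL = ip_address("203.0.113.10")   # constructed stand-in for the ISP address
LAN = ip_network("192.168.1.0/24")
ROUTER_LOCAL = {ROUTER_EXTERNAL, ip_address("192.168.1.1")}  # assumed router addresses


@dataclass(frozen=True)
class Packet:
    iface_in: str            # interface the SYN arrives on
    src: IPv4Address
    dst: IPv4Address
    dport: int


@dataclass(frozen=True)
class Rule:
    target: str                            # ACCEPT, DROP or DNAT
    iface_in: Optional[str] = None         # -i <iface>
    negate_iface: bool = False             # -i ! <iface>
    dport: Optional[range] = None          # --dport lo:hi
    src_net: Optional[IPv4Network] = None  # -s
    dst_net: Optional[IPv4Network] = None  # -d
    to_dest: Optional[IPv4Address] = None  # --to-destination (DNAT only)

    def matches(self, pkt: Packet) -> bool:
        if self.iface_in is not None and (pkt.iface_in == self.iface_in) == self.negate_iface:
            return False
        if self.dport is not None and pkt.dport not in self.dport:
            return False
        if self.src_net is not None and pkt.src not in self.src_net:
            return False
        if self.dst_net is not None and pkt.dst not in self.dst_net:
            return False
        return True


# nat/PREROUTING as posted: DNAT only for packets that enter on eth1.
NAT_PREROUTING = [
    Rule("DNAT", iface_in="eth1", dport=range(61900, 62000), to_dest=ip_address("192.168.1.100")),
    Rule("DNAT", iface_in="eth1", dport=range(60000, 60001), to_dest=ip_address("192.168.1.102")),
]

# filter/INPUT (policy ACCEPT), TCP rules only.
FILTER_INPUT = [
    Rule("ACCEPT", iface_in="lo"),
    Rule("ACCEPT", iface_in="eth0"),
    *[Rule("ACCEPT", iface_in="eth1", dport=range(p, p + 1)) for p in (21, 22, 80, 60000)],
    Rule("DROP", iface_in="eth0", negate_iface=True, dport=range(0, 1024)),
]

# filter/FORWARD (policy DROP), as posted.
FILTER_FORWARD = [
    Rule("DROP", iface_in="eth0", dst_net=LAN),
    Rule("ACCEPT", iface_in="eth0", src_net=LAN),
    Rule("ACCEPT", iface_in="eth1", dst_net=LAN),
]

# Hairpin variant (hypothetical): DNAT keyed on the public address rather than
# the ingress interface, so a LAN client connecting to the public IP is rewritten too.
HAIRPIN_PREROUTING = NAT_PREROUTING + [
    Rule("DNAT", dst_net=ip_network("203.0.113.10/32"), dport=range(60000, 60001),
         to_dest=ip_address("192.168.1.102")),
]


def first_match(chain, policy: str, pkt: Packet) -> Rule:
    """First matching rule wins; the chain policy applies when nothing matches."""
    for rule in chain:
        if rule.matches(pkt):
            return rule
    return Rule(policy)


def trace(pkt: Packet, prerouting=NAT_PREROUTING) -> Tuple[str, str, str]:
    """Return (chain consulted, verdict, destination after NAT) for one SYN."""
    nat = first_match(prerouting, "ACCEPT", pkt)
    if nat.target == "DNAT":
        pkt = replace(pkt, dst=nat.to_dest)
    # Routing decision: a packet addressed to the router itself goes to INPUT,
    # anything else is forwarded.
    if pkt.dst in ROUTER_LOCAL:
        return ("INPUT", first_match(FILTER_INPUT, "ACCEPT", pkt).target, str(pkt.dst))
    return ("FORWARD", first_match(FILTER_FORWARD, "DROP", pkt).target, str(pkt.dst))


# Constructed test packets: one from the Internet, one from a LAN host using the public IP.
FROM_INTERNET = Packet("eth1", ip_address("198.51.100.7"), ROUTER_EXTERNAL, 60000)
FROM_LAN_VIA_PUBLIC_IP = Packet("eth0", ip_address("192.168.1.50"), ROUTER_EXTERNAL, 60000)

if __name__ == "__main__":
    print("internet -> public:60000           ", trace(FROM_INTERNET))
    print("LAN -> public:60000                ", trace(FROM_LAN_VIA_PUBLIC_IP))
    print("LAN -> public:60000 (hairpin DNAT) ", trace(FROM_LAN_VIA_PUBLIC_IP, HAIRPIN_PREROUTING))
```

The third case shows why a test from inside the LAN is a poor check for a port forward: even with a hairpin DNAT rule, the posted `-A FORWARD -d 192.168.1.0/24 -i eth0 -j DROP` discards the rewritten packet, and a working hairpin additionally needs a POSTROUTING SNAT/MASQUERADE toward eth0 so the server's reply returns through the router (not modelled above). Testing from a host outside the ISP link, or watching with `tcpdump -i eth1`, exercises the path the rules were written for. Two tightening points a reviewer would raise on the posted filter table: `-A FORWARD -d 192.168.1.0/24 -i eth1 -j ACCEPT` admits any packet that reaches the forward path from the outside, and INPUT's ACCEPT policy with only ports 0:1023 dropped leaves every higher port on the router itself reachable from eth1; restricting both to `-m state --state ESTABLISHED,RELATED` plus the specific DNATed ports keeps the forward working with a much smaller exposure.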

----------

