# [SOLVED]iptables ??? : AKA - Let grandparents see gson

## Varsuuk

Without going into total detail (details: https://forums.gentoo.org/viewtopic-t-568795.html), can anyone help a newbie on the 'essence' of setting up port forwarding in the case of:

Cable-Modem (Optonline Boost! ISP) ->

Gentoo Linux Box 

eth0 = internal net (192.168.0.x)

eth1 = optonline isp public ethernet addy (I used ddns btw using a friend's dns servers)

From outside I can:

1. ssh to the gentoo box

2. surf the gentoo box webserver

3. bittorrent does NOT say behind firewall after I opened a few ports via an INPUT/ACCEPT and a -t nat FORWARD/ACCEPT command pair. No clue if that actually is forwarding it... since I can't succeed in my test below for port 50000.

I cannot seem to truly port forward.

My question is what command sets do I need to issue to iptables to forward a port (let's pick 50000) from my external addy to one of my pcs (ip assigned via dnsmasq/MAC address) on the 192.168.0.x net?

To test what I THOUGHT was the command, I ran a term with a 'server' listening on 50000 and in another term I tried a client script to connect and send the cat of a file to the server port. I used the ip of the external interface. "Not responding" - if I used the internal ip it works fine.

??? Please, my parents haven't seen the kid since the week after he was born 3 months ago except pics - this is their one and only (we are 43 - so that's the only one they can expect ;P) grandson and I bought this damn $120 webcam webserver for their use. The instructions are all about how to set it up against a linksys-style hardware router (they can even auto do it for you) and with that webcam setup as the DMZ box. But since I have an existing webserver on another box, this won't work (well, one of the reasons).

Last edited by Varsuuk on Thu Jul 12, 2007 12:22 am; edited 1 time in total

----------

## Rob1n

All that should be needed (assuming no filtering is otherwise preventing access) is:

```
iptables -t nat -I PREROUTING -i eth1 -p tcp --destination-port 50000 -j DNAT --to-destination 192.168.0.x
```

----------

## defenderBG

and probably, if you haven't done it already:

```
echo 1 >> /proc/sys/net/ipv4/ip_forward
```

----------

## Varsuuk

THANKS Guys! You are the only people anywhere who have attempted to offer advice. While I don't THINK (the one on the prerouting could be that you are right and my script is wrong?) those were the answers - they were at least things to check and I need that sort of help!

Is there anything else I can supply for info?

OK, I tried to simplify the already simple script more (ie: doesn't have all the stuff I had in my original working iptables script with all the security stuff I gleaned from the gentoo wiki on iptables):

```
#!/bin/bash
# First flush current rules
iptables -F
iptables -t nat -F

# Setup default policies to handle unmatched traffic
iptables -P INPUT   ACCEPT
iptables -P OUTPUT  ACCEPT
iptables -P FORWARD ACCEPT

# Define interfaces
export LAN=eth0
export WAN=eth1

# Lock our services so they only work from the LAN
iptables -I INPUT 1 -i ${LAN} -j ACCEPT
iptables -I INPUT 1 -i lo     -j ACCEPT

# Allow access to our ssh server from the WAN
iptables -A INPUT -p TCP --dport ssh -i ${WAN} -j ACCEPT
iptables -A INPUT -p TCP --dport 60000 -i ${WAN} -j ACCEPT

# Add rules for NAT
#iptables -I FORWARD -i ${LAN} -d 192.168.1.0/255.255.255.0 -j DROP
iptables -A FORWARD -i ${LAN} -s 192.168.1.0/255.255.255.0 -j ACCEPT
iptables -A FORWARD -i ${WAN} -d 192.168.1.0/255.255.255.0 -j ACCEPT
iptables -t nat -A PREROUTING -p TCP --dport 60000 -i ${WAN} -j DNAT --to 192.168.1.102
iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE
```

```
merlin iptables # cat  /proc/sys/net/ipv4/ip_forward
1
```

Also verified every one of: /proc/sys/net/ipv4/conf/*/rp_filter has '1' as its contents.

sysctl.conf:

```
# /etc/sysctl.conf
#
# For more information on how this file works, please see
# the manpages sysctl(8) and sysctl.conf(5).
#
# In order for this file to work properly, you must first
# enable 'Sysctl support' in the kernel.
#
# Look in /proc/sys/ for all the things you can setup.
#

# Disables packet forwarding
#ORIG#net.ipv4.ip_forward = 0
net.ipv4.ip_forward = 1

# Disables IP dynaddr
#net.ipv4.ip_dynaddr = 0
net.ipv4.ip_dynaddr = 1

# Disable ECN
#net.ipv4.tcp_ecn = 0

# Enables source route verification
net.ipv4.conf.default.rp_filter = 1

# Enable reverse path
net.ipv4.conf.all.rp_filter = 1

# Enable SYN cookies (yum!)
# http://cr.yp.to/syncookies.html
#net.ipv4.tcp_syncookies = 1

# Disable source route
#net.ipv4.conf.all.accept_source_route = 0
#net.ipv4.conf.default.accept_source_route = 0

# Disable redirects
#net.ipv4.conf.all.accept_redirects = 0
#net.ipv4.conf.default.accept_redirects = 0

# Disable secure redirects
#net.ipv4.conf.all.secure_redirects = 0
#net.ipv4.conf.default.secure_redirects = 0

# Ignore ICMP broadcasts
#net.ipv4.icmp_echo_ignore_broadcasts = 1

# Disables the magic-sysrq key
#kernel.sysrq = 0

# When the kernel panics, automatically reboot in 3 seconds
#kernel.panic = 3

# Allow for more PIDs (cool factor!); may break some programs
#kernel.pid_max = 999999

# You should compile nfsd into the kernel or add it
# to modules.autoload for this to work properly
# TCP Port for lock manager
#fs.nfs.nlm_tcpport = 0
# UDP Port for lock manager
#fs.nfs.nlm_udpport = 0
```

```
merlin iptables # iptables -L -v -n
Chain INPUT (policy ACCEPT 174 packets, 10889 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   83  5396 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:60000

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 3084 1510K ACCEPT     all  --  eth0   *       192.168.1.0/24       0.0.0.0/0
 4247 4142K ACCEPT     all  --  eth1   *       0.0.0.0/0            192.168.1.0/24

Chain OUTPUT (policy ACCEPT 240 packets, 28161 bytes)
 pkts bytes target     prot opt in     out     source               destination

merlin iptables # iptables -L -v -n -t nat
Chain PREROUTING (policy ACCEPT 195 packets, 12011 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:60000 to:192.168.1.102

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   14   700 MASQUERADE  all  --  *      eth1    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 1 packets, 76 bytes)
 pkts bytes target     
```

```
merlin iptables # netstat -anp | grep 60000
merlin iptables # netstat -anp | grep -i listen
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      6035/mysqld
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      9533/dnsmasq
tcp        0      0 :::80                   :::*                    LISTEN      10382/apache2
tcp        0      0 :::53                   :::*                    LISTEN      9533/dnsmasq
tcp        0      0 :::22                   :::*                    LISTEN      6131/sshd 
unix  2      [ ACC ]     STREAM     LISTENING     6933   4747/syslog-ng      /dev/log
unix  2      [ ACC ]     STREAM     LISTENING     8750   6269/gpm            /dev/gpmctl
unix  2      [ ACC ]     STREAM     LISTENING     15334  10383/apache2       /var/run/cgisock
unix  2      [ ACC ]     STREAM     LISTENING     8425   6035/mysqld         /var/run/mysqld/mysqld.sock
unix  2      [ ACC ]     STREAM     LISTENING     7161   4906/kdm            /var/run/xdmctl/dmctl/socket
```

Then checking the box I am routing to (supposedly) 192.168.1.102:

```
merlin iptables # ssh strider
Password:
Last login: Fri Jul  6 00:46:29 2007 from merlin.DOMAIN.com
strider ~ # netstat -anp | grep 60000
tcp        0      0 0.0.0.0:60000           0.0.0.0:*               LISTEN      6261/s2o  
strider ~ # netstat -anp | grep -i listen
tcp        0      0 0.0.0.0:60000           0.0.0.0:*               LISTEN      6261/s2o  
tcp        0      0 :::22                   :::*                    LISTEN      5637/sshd 
...
strider ~ # ps -ef | grep 60000
username  6261  5998  0 17:37 pts/4    00:00:00 ./s2o 60000   (server-to-out, ie stdout app)
username  6262  5997  0 17:37 pts/3    00:00:00 ./f2c -n1 ool-XXXXX.dyn.optonline.net 60000 /etc/hosts (file-to-client app)
strider ~ # /sbin/ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0D:56:B3:A5:E2
          inet addr:192.168.1.102  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::20d:56ff:feb3:a5e2/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:13007 errors:0 dropped:0 overruns:0 frame:0
          TX packets:656 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:11813507 (11.2 Mb)  TX bytes:65675 (64.1 Kb)
          Interrupt:11

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
```

----------

## defenderBG

hm... so what is the problem...

btw you have allowed everything:

```
iptables -P INPUT   ACCEPT
iptables -P OUTPUT  ACCEPT
iptables -P FORWARD ACCEPT
```

meaning that there is no need to make extra ACCEPT rules... you only have to write DROP/LOG/DENY rules...

----------

## genitus

i don't really see why you need portforwarding (your pc is a router?) or why iptables should be the reason (did you try it without iptables?), i also didn't really understand your exact problem  :Wink:  , but maybe your kernel routing table is wrongly configured.

```
route -vn
```

----------

## Varsuuk

I just changed it all to ALLOW on this attempt to make it as 'simple' (didn't think that of course I didn't need anything else if that was the case) as possible.

My problem is that I use my gentoo box as my router in the following manner:

I have a Cablemodem (Optonline Boost ISP service) connected to the ISP

I have my gentoo box with 2 nic cards - one (eth1) goes to the cablemodem.

The other nic (eth0) goes to a linksys router in switch mode (my old router) which goes to 3 of my pcs and another switch which feeds the other pcs and network printers.

I currently have a 'working' Apache server servicing 2 different domains via vhosts.

I currently can ssh into the main router box.

I have each of the pcs either via mac or hostname all assigned an ip in 192.168.x range by the dnsmasq dhcp service running on the gentoo router/server.

I recently added a Creative Labs Live! Wireless Webcam (http://www.creative.com/products/product.asp?category=7&subcategory=41&product=14276) which, I found out is a full webserver with configurable ports etc and a 802 xmitter (my net has a WAP out in living room too) which has usb sockets for the camera/drives.

In the instructions for the webcam it tells you to set that camera's IP (ex 192.168.1.242) to the DMZ host on the router (explanations included on doing this for linksys/netgear etc routers) 

I was only able to view the webcam from the internal net using the webcam IP.

So long story short (no really...) I decided to simplify the test by running a simple server app (both these apps we use at work to simulate servers or clients when testing) which listens on a port and sends received data to stdout and a client that takes a file and sends it verbatim to a ip/port.

I ran this test on my laptop (192.168.1.102) and I typed in one term:

s2o 60000

the other:

f2c -n1 (one time)  68.xxx.xxx.xxx (external isp ip of my gentoo box) 60000 filename.ext

The f2c app reports server not responding. I expected that giving the external ip would force it to go OUTSIDE my net then try to come back in (I didn't have an external box to try to get in from). I found that if I used the internal ip for this test (or webcam) it works fine, the file data is sent or I can see the webcam pics. But not so if I use the 68.xxxxxx ip addy.

So I ASSume I didn't set up port forwarding correctly?

(btw, I thought I did it right because recently before the webcam - I installed Bittorrent on my windows box (the base c++ version) and it said in the bottom right status line that unsure of ports are you behind a firewall? (rephrased actual text) and once I added the:

```
-A PREROUTING -i eth1 -p tcp -m tcp --dport 61900:61999 -j DNAT --to-destination 192.168.1.100
```

line (xxxxx.100 is my windows xp box where I was running bittorrent) the text changed to "Online, ports open" -  so I ASSumed I had portforwarding 'down'  :Wink: 

----------

## Varsuuk

Sorry nearly forgot to answer the one question:

(this is my router/gentoo server)

```
merlin iptables # route -vn
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
68.XXX.XXX.0     0.0.0.0         255.255.248.0   U     0      0        0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         68.XXX.XXX.1     0.0.0.0         UG    0      0        0 eth1
merlin iptables # ssh strider
Password:
Last login: Mon Jul  9 17:50:07 2007 from merlin.XXXXX.com
```

(this is my laptop I was testing forwarding from merlin ip to this ip xxxxx.102)

```
strider ~ #  route -vn
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
```

----------

## Varsuuk

Eventually this is all about routing a port (or ports) from the Gentoo Linux Router/Firewall to this webcam device so that grandparents on internet can watch my baby (with right password ;P)

I also extended this to a more general question of: what am I doing wrong trying to forward ANY port since I couldn't get the client/server to connect using a made up port 60000 app.

----------

## genitus

good description now  :Wink: 

i agree , you should just need a right portforwarding configuration .

maybe try this as a simple forwarding rule , when FORWARDING policy  is set to ACCEPT :

```
iptables -A PREROUTING -t nat -p tcp -d $EXTERNALIP --dport 60000 -j DNAT --to $DESTINATIONIP:60000
```

and make sure nothing blocks on the destination machine...

----------

## JC99

Here is my firewall script for internet connection sharing... 

(eth0, which is ppp0 to me cause I use ADSL, is to the internet, eth1 is to my network)

```
iptables -F
iptables -t nat -F
iptables -A POSTROUTING -t nat -o ppp0 -j MASQUERADE
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A INPUT -i eth1 -p all -j ACCEPT
iptables -A INPUT -p icmp -j DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i lo -p all -j ACCEPT
iptables -A FORWARD -i eth1 -p all -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
```

and

```
echo 1 > /proc/sys/net/ipv4/conf/all/forwarding
```

----------

## Hu

 *Varsuuk wrote:*   

> THANKS Guys! You are the only people anywhere who have attempted to offer advice.

 

Have a little more patience.  :Wink:   You gave it less than a day here and perhaps a day since the other one.

Now, down to business.  Your rules look OK at first glance.

 *Varsuuk wrote:*   

> I ran this test on my laptop (192.168.1.102) and I typed in one term:
> 
> s2o 60000
> ...


Actually, your port forwarding configuration looks just fine.  Your test failed because you made an incorrect assumption.  :Smile:   Your forwarding rule is:

```
iptables -t nat -A PREROUTING -p TCP --dport 60000 -i ${WAN} -j DNAT --to 192.168.1.102
```

This says that TCP traffic coming in to port 60000 from the ${WAN} interface will be DNAT to 192.168.1.102.  When you run the test internally, the traffic is coming from the ${LAN} interface even if you name the external IP address.  You need to run the test from outside.  Perhaps you can call a friend and have him use net-analyzer/netcat to connect to the specified port.

For the future, you can print out all the rules more concisely by running iptables-save -c, which shows all tables, in numeric form, with exact traffic counters.  I particularly like the traffic counters (which are enabled by the -c option) when tracing which rule is matching a packet.
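The pieces the replies above hand out one at a time, collected into one script as an added example (this is not code from any poster): the DNAT in nat/PREROUTING from Rob1n and genitus, the ip_forward setting from defenderBG, the FORWARD accept that a DROP policy like JC99's needs, and, going one step beyond the thread, the hairpin rules that would have made the test from inside the LAN succeed, which the posted rules cannot do for exactly the reason Hu gives: "-i eth1" never matches a packet that arrived on eth0. The interface names, the LAN prefix, the ports, and the documentation-range address 203.0.113.10 standing in for the public IP are all assumptions; set IPT=echo to print the rules instead of loading them.

```sh
#!/bin/sh
# Added example, not from the thread: forward one external TCP port through a
# two-NIC Linux router, including the FORWARD accept (needed when the FORWARD
# policy is DROP) and the hairpin rules for testing from inside the LAN.
# Assumptions, none taken from the original posts: WAN=eth1, LAN=eth0,
# LAN_NET=192.168.1.0/24, EXT_IP is a documentation-range stand-in for the
# public address, and IPT/SYSCTL may be pointed at "echo" for a dry run.
IPT="${IPT:-iptables}"
SYSCTL="${SYSCTL:-sysctl}"
WAN="${WAN:-eth1}"
LAN="${LAN:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
EXT_IP="${EXT_IP:-203.0.113.10}"

# Without forwarding enabled, a DNAT'ed packet is dropped right after PREROUTING.
enable_forwarding() {
    "$SYSCTL" -w net.ipv4.ip_forward=1
}

# Outbound NAT for the LAN (the MASQUERADE line from the thread).
masquerade_lan() {
    "$IPT" -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
}

# Return traffic for every forwarded flow, whichever direction it started in.
allow_established() {
    "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# forward_port <ext_port> <inside_ip> [inside_port]
# The inside port defaults to the external one; a different value is the
# "rewrite the destination port as well as the address" case.
forward_port() {
    ext_port="$1"; dst_ip="$2"; dst_port="${3:-$1}"

    # 1. Rewrite the destination before the routing decision is made.
    "$IPT" -t nat -A PREROUTING -i "$WAN" -p tcp --dport "$ext_port" \
        -j DNAT --to-destination "${dst_ip}:${dst_port}"

    # 2. Let the rewritten packet cross from WAN to LAN. Matching on the
    #    post-DNAT address keeps this from opening the port to every LAN host.
    "$IPT" -A FORWARD -i "$WAN" -o "$LAN" -p tcp -d "$dst_ip" --dport "$dst_port" \
        -m state --state NEW -j ACCEPT

    # 3. Hairpin: "-i $WAN" never matches a LAN client, so a test from inside
    #    that names the public IP needs its own DNAT on the LAN interface...
    "$IPT" -t nat -A PREROUTING -i "$LAN" -s "$LAN_NET" -d "$EXT_IP" -p tcp --dport "$ext_port" \
        -j DNAT --to-destination "${dst_ip}:${dst_port}"

    # 4. ...and the server's reply must go back through the router, not straight
    #    to the client, which would otherwise see a SYN-ACK from the wrong address.
    "$IPT" -t nat -A POSTROUTING -o "$LAN" -s "$LAN_NET" -d "$dst_ip" -p tcp --dport "$dst_port" \
        -j MASQUERADE
}

# Usage: sh forward.sh 60000 192.168.1.242 8080   (prefix IPT=echo SYSCTL=echo for a dry run)
if [ "$#" -ge 2 ]; then
    enable_forwarding
    masquerade_lan
    allow_established
    forward_port "$@"
fi
```

Run it as root after the usual flush and policy lines. The hairpin rule pins the public address in `-d`, so on a dynamic address it has to be regenerated whenever the lease changes; the FORWARD rule matches the post-DNAT destination, so a DROP policy still blocks the same port on every other LAN host.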

----------

## Varsuuk

Thanks guys again - I waited to respond because I just got off vacation and had to allocate a block of time to do this, I keep ratholing on it  :Wink: 

Update: Hu was on the money - my TEST was bad. This is why I so explicitly listed my steps and testing methodology in hopes of finding some such glaring boo boo - I was clued into 'weirdness' by the APPARENT workingness (ya, I made that up...) of the Bittorrent forwarding and lo, it WAS working - always trust the computer over the operator (mostly.)

OK - so now I know the forwarding works. Heck, I know it even more cos friends on my 2142 tournament forums suggested ethereal (AKA, wireshark) - running that on both eth1 and eth0 (inside, shows that the outside connection attempt hits xxx.242 as instructed.)

My original test was within the net on laptop and I assume that wouldn't work cos of routing from the inside not being right as before.

But I asked a friend to connect to my ip:8080 and same non-result.

Then, while finally setting up the windows partition again on my gentoo laptop to try from work's external facing wlan, I realized my neighbor has a wlan router and knows nothing about security - sure enough, I unplugged the lan and told it to ignore my 2 wlans and connected to his (getting a different isp and all...) 

Tried connecting and got on eth1 the source going to my linux router, it returning syn/ack to the source's repeated syns.

Looking at the internal eth0, I see that the outside isp is being directed to the 242 box properly. This shows:

```
laptop -> webcam    1043 > http-alt [syn]
webcam -> laptop   http-alt > 1043 [syn, ack] seq=0, ack=1, win=5840, len=0, mss=1460
webcam -> laptop   http-alt > 1043 [syn, ack] seq=0, ack=1, win=5840, len=0, mss=1460
```

and repeat the 3 lines...

If I run wireshark on my local net eth0, xp box and try to access the webcam, I see the same first 2 lines (with diff local ip source):

```
internal 192 addy -> webcam    2332 > http-alt [syn]
webcam -> 192 addy   http-alt > 2332 [syn, ack] seq=0, ack=1, win=5840, len=0, mss=1460
```

BUT THEN:

```
internal 192 addy -> webcam    2332 > http-alt [ack] seq=1 ack=1 win=65535 len=0
```

AND next:

```
local addy -> webcam  HTTP GET/ HTTP/1.1
```

etc...

And it works.

So, is there something happening that I am suppressing the ACK from my local lan to wan? I am totally unfamiliar with these tools and flying by seat of my pants  :Smile: 

Lastly, is there an EASY way to select and paste the No/Time/Source/Dest/Proto/Info part of the wireshark gui to allow for more accurate replies if asked about this?

----------

## genitus

well , 

in the first example the tcp connection never gets initialized because the last [ACK] from your laptop is missing ,

it looks like the webcam just can not reach the laptop at all over the net .

and yes , you can suppress the incoming [ACK] from the laptop if you match the set tcp-flags in a iptables rule - although you shouldn't  :Smile:  .

----------

## Varsuuk

Heh  :Wink:   yeah - I didn't mean I WANTED to, I meant it as a possible explanation for what I see.

It seems that on the working one (internal box going to internal webcam) the thing that differs is after the webcam responds with syn,ack the requesting box responds with ack.

When I go from an outside connection (ie: another isp) to the internal webcam, I give the syn, get the syn,ack but then the next thing I see is the webcam again sending the syn,ack

I am ASSUMING this means the webcam resent it due to not receiving the ack from me? If so, why did the webcam not receive it or why did my box not send it? (I assume it's the former but...)

I was guessing it was an iptables rule at fault but no idea. I have to run to a meeting now - was gonna look at post history - I'm sure here or on the other thread I list the iptables info.

----------

## genitus

i rather think you can not reach anything outside your LAN with your webcam machine  - did you ever try ?

your [syn,ack] is probably just sent , but never reached its target  (laptop) - so you can't expect a response.

looks like something is wrong configured on the webcam's machine . maybe the routing table this time  ...

----------

## Varsuuk

OK - so far I know:

Webcam on LAN receives SYN from the client (diff ISP)

Webcam sends out a SYN,ACK

DL and ran shark on laptop at work on wireless non firewalled public net...

Wireshark shows laptop (client) sending SYNs - nothing is received from the webcam.

So... I would guess this means that the SYN,ACK is being dropped by my rules as it tries to traverse eth0(LAN)->eth1(WAN)?

I can only use tcpdump to look at 'stuff' from here via ssh while at work, not Wireshark, so I have no clue how to see a shark-like view where it very nicely tells me it is sending or receiving syn/ack/fin/etc flags. I am sure the data appears in the tcpdump but I don't know how to read it (I tried dumping both eth0 and eth1 while viewing client's wireshark gui).

I will google now tcpdump to see how it works and if there is a flag I need to translate or some chart where I can interpret flags manually etc.
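One way to get the flag-by-flag view out of tcpdump text without a GUI, added here as an example rather than anything from the thread: an awk filter that reads tcpdump -nn output (live, or from a file saved with -w and read back with -r) and reports, per client-to-server pair, whether the three-way handshake completed or stalled after the server's SYN-ACK, which is the pattern in the captures above and genitus' reading of them. The sample lines are constructed for the demonstration with documentation-range addresses, and the field layout assumes the "Flags [S]" form printed by current tcpdump releases (older builds print the flags without the word "Flags").

```sh
#!/bin/sh
# Added example, not from the thread: summarise TCP handshakes from the text
# output of "tcpdump -nn". Per client->server pair it prints ESTABLISHED, or
# how many SYN-ACKs the server sent without ever getting the client's ACK,
# which is the signature of a return path that is broken somewhere.
# Assumed line layout (current tcpdump):
#   time IP src.port > dst.port: Flags [S], seq ..., win ..., length 0
#   $1   $2 $3       $4 $5       $6    $7

handshake_report() {
    awk '
    $2 == "IP" && $6 == "Flags" {
        src = $3; dst = $5; sub(/:$/, "", dst)
        flags = $7; gsub(/[][,]/, "", flags)
        fwd = src " -> " dst; rev = dst " -> " src
        if (flags == "S") {                       # client SYN, maybe a retransmit
            if (!(fwd in state)) { state[fwd] = "SYN"; order[++n] = fwd }
            syn[fwd]++
        } else if (flags == "S." && (rev in state)) {   # server SYN-ACK
            synack[rev]++
            if (state[rev] == "SYN") state[rev] = "SYNACK"
        } else if (flags == "." && (fwd in state) && state[fwd] == "SYNACK") {
            state[fwd] = "ESTABLISHED"            # client ACK completes the handshake
        }
    }
    END {
        for (i = 1; i <= n; i++) {
            k = order[i]
            if (state[k] == "ESTABLISHED")
                printf "%s ESTABLISHED (client SYN x%d, server SYN-ACK x%d)\n", k, syn[k], synack[k]
            else if (state[k] == "SYNACK")
                printf "%s NO-ACK: client SYN x%d, server SYN-ACK x%d, no ACK from client (return path from server to client is broken)\n", k, syn[k], synack[k]
            else
                printf "%s NO-SYNACK: client SYN x%d, server never answered\n", k, syn[k]
        }
    }'
}

# Constructed sample, not a real capture: a LAN client that completes the
# handshake, an outside client (198.51.100.7, as seen on the LAN side after
# DNAT) whose SYN-ACKs never get acknowledged, and a port nobody answers on.
sample_capture() {
    cat <<'EOF'
17:37:01.000100 IP 192.168.1.100.2332 > 192.168.1.242.8080: Flags [S], seq 10, win 65535, length 0
17:37:01.000200 IP 192.168.1.242.8080 > 192.168.1.100.2332: Flags [S.], seq 0, ack 11, win 5840, length 0
17:37:01.000300 IP 192.168.1.100.2332 > 192.168.1.242.8080: Flags [.], ack 1, win 65535, length 0
17:37:01.000400 IP 192.168.1.100.2332 > 192.168.1.242.8080: Flags [P.], seq 1:80, ack 1, win 65535, length 79
17:37:05.000100 IP 198.51.100.7.1043 > 192.168.1.242.8080: Flags [S], seq 20, win 65535, length 0
17:37:05.000200 IP 192.168.1.242.8080 > 198.51.100.7.1043: Flags [S.], seq 0, ack 21, win 5840, length 0
17:37:08.000100 IP 198.51.100.7.1043 > 192.168.1.242.8080: Flags [S], seq 20, win 65535, length 0
17:37:08.000200 IP 192.168.1.242.8080 > 198.51.100.7.1043: Flags [S.], seq 0, ack 21, win 5840, length 0
17:37:11.000200 IP 192.168.1.242.8080 > 198.51.100.7.1043: Flags [S.], seq 0, ack 21, win 5840, length 0
17:37:20.000100 IP 192.168.1.100.2340 > 192.168.1.242.9999: Flags [S], seq 30, win 65535, length 0
EOF
}

# Usage: tcpdump -nn -r capture.pcap | sh handshakes.sh --stdin
#        sh handshakes.sh --demo      (runs the constructed sample)
case "${1:-}" in
    --demo)  sample_capture | handshake_report ;;
    --stdin) handshake_report ;;
esac
```

Capture on the router's LAN side with `tcpdump -nn -i eth0 -w cam.pcap 'tcp port 8080'` and pipe `tcpdump -nn -r cam.pcap` into the filter; an outside client showing up as NO-ACK while a LAN client shows ESTABLISHED points at the path back out (or, as it turned out here, at the ISP), not at the DNAT rule.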

----------

## genitus

i can't help you with your other problems (i usually use wireshark) , but with tcpdump it just should be a parameter problem to get your wanted view 

,i guess.

anyway i ask again : can you surf the internet (just reach any extern IP) with your webcam machine and on your WLAN laptop ? 

which iptables rules (iptables -v -L) do you have on your webcam and on your gentoo system ? (according to your posts the laptop is unfirewalled)

----------

## Varsuuk

 *genitus wrote:*   

> i can't help you with your other problems (i usually use wireshark) , but with tcpdump it just should be a parameter problem to get your wanted view 
> 
> ,i guess.
> 
> anyway i ask again : can you surf the internet (just reach any extern IP) with your webcam machine and on your WLAN laptop ? 
> ...

 

My webcam is not a webcam machine in the sense of it being a webcam connected to a pc. It is a self-contained unit which has a webserver interface (it defaults to port 80 but you can assign it another port - I had to since I am already using 80 and can't forward to 80 because of that). It plugs into AC and transmits to my WAP via 802.11 interface. I didn't want to have to wire and place a PC in son's nursery.

On my gentoo - I listed the iptables -v -L and -nat -v -L above (the test environ)

I am leaving for home now - in about 2 hours I'll try resetting webcam to a weird port like 60000 vs using a well known 8080 in case there is something wrong with that (I pay for enhanced service which opens up 80/25/8080 but hey just cos 80 works correctly now doesn't mean they couldn't have messed something up with 8080 at the ISP?)

Gracias,

Vars

----------

## Varsuuk

EVIL EVIL Optonline!!!!

OK - changing the port to a random upper port worked...

OK, am I nuts, I reread the info - sure it doesn't say 8080 is also unblocked when you buy the extra Boost! service but what is the point of unblocking port80 but not 8080??

ARRGH so much time wasted  :Smile:   Thanks to you guys I learned a bit about troubleshooting connections - I still gotta read up to learn how to use tcpdump in case need that w/o gui access again in future.

 *Quote:*   

> Important information - 
> 
> Use the Advanced Configuration feature only if you fully understand how it works. Changing your settings without proper knowledge may allow anyone to access your computer. 
> ...


Bah....

----------

## genitus

i should have checked the link you gave us earlier  :Wink: 

i am not too familiar with those kinds of webcams , seems like it is rather complex  , 

so my next choice would have been to check your webcam configuration...

i also wanted to give you the advice to change the uncommon port 60000 already , because of possible 

ISP blocking (you can never know) , but then it seemed to be not blocked at all...

anyway congrats

----------

## Hu

You can save the tcpdump results to a file for later viewing with Wireshark using the -w option to tcpdump.  Similarly, tcpdump can read back capture files to present the information in text form for you to share with other users.

You did not need to change the webcam port.  The Linux NAT infrastructure can rewrite destination port as well as destination IP address.

That blocking seems like a misguided security feature, rather than a specific attempt to limit you.  Port 8080 is a very common second choice for HTTP servers, so I can see why someone who thinks that blocking ports in a modem is a good thing would put port 8080 on the block list.

Assuming you really have ssh at work, rather than PuTTY or some other Windows-based ssh client, you can use Wireshark remotely by engaging X11 forwarding.  Wireshark will then connect to a proxy X11 server that relays over the ssh connection and renders on your workstation.  You need an X11 server on your workstation and for $DISPLAY to be set correctly for the ssh client.

----------

## Varsuuk

I totally have ssh at work, since all our pcs are RHEL3/4 pcs for our local dev boxes. However, the firewall rules are such that I cannot ssh out of our 'allowed' nets, the dev boxs, local boxes and of course the production tickerplants.

I tested at work by using my laptop in windows mode only because I did not know if this cam would feed in linux (the docs implied some sort of activex or something - I think that was for the camera control part since I was able to ask a friend to try it and he didn't load the disk)

Just checked: Yup, works fine even using Konqueror  :Wink: 

Great about the -w option because I could not make sense of the tcpdump output compared to shark. I will be now trying to learn this stuff going forward  :Smile: 

The reason I think it is Optonline.net doing the blocking is that prior to buying the upgrade to Boost! service (30mbs down and 5 up) - but I bought it just to make web access easier since I could then use port 80 for it since they unlocked that and 25 - and I PRESUMED 8080 since the only reason to block that is lost if they unblocked 80...imo

So if I understand, redirecting the destination port INTO my net from a diff (ex 60000) wouldn't make any real difference since ppl would still need to type something other than 8080 - so may as well make em match (right?) since the port on the webcam is totally configurable.

IF anyone wants any info on this or feedback on the camera etc - please feel free to ask, I'd love to help out anyone needing such a wireless (meaning no PC needed - cos it's AC powered and a 'regular' webcam (supplied) plugs into its usb port with another available for a usb drive etc...)

I still have an old copy of exceed - which Id love to use on my home pc and do at times (nicer monitor than the linux boxes- WS) but it is sooooo flaky on whether it works THIS week in detecting/starting the X sessions... but it's old, who knows what changed in X since the early-mid 90s.

----------

## Hu

 *Varsuuk wrote:*   

> So if I understand, redirecting the destination port INTO my net from a diff (ex 60000) wouldn't make any real difference since ppl would still need to type something other than 8080 - so may as well make em match (right?) since the port on the webcam is totally configurable.


Correct.  This is primarily useful when you encounter multiple services that insist on using the same port, as can often happen with closed source Windows games.  I mention it here for completeness.

----------

## Varsuuk

Oh... and now that I got the port redirection working !!!

I tried out my second idea, which I thought might be better - but I didn't want to do before I 'fixed' the forwarding issue in case it made me lazy if it worked  :Wink: 

I used apache to REVERSEProxy requests to BabyCam to my internal IP/Port of the webcam so it's easy and no port for ppl to remember:

www.mydomain.com/BabyCam   and BLAM... there we go. Now also closed up the 60000 port and removed forwarding lines in the iptables.

(lookup ProxyPassReverse, et al in Apache - also mod_proxy, remember to add -D PROXY to the apache2.conf in conf.d.)

----------

