* rules for Real's Helix Universal Media Server?
@ 2003-03-03  4:54 Jean-Christian Imbeault
  2003-03-03  7:54 ` Joel Newkirk
  2003-03-05  9:08 ` Jean-Christian Imbeault
  0 siblings, 2 replies; 5+ messages in thread
From: Jean-Christian Imbeault @ 2003-03-03  4:54 UTC (permalink / raw)
  To: netfilter

I am running Real's Helix Media Server on a linux box and would like to 
secure the box as much as possible but I can't figure out what ports this 
media server needs. It seems to pretty much need everything above 1024 ...

Has anyone been able to come up with some rules for a Helix Media Server?

Thanks,

Jc




* Re: rules for Real's Helix Universal Media Server?
  2003-03-03  4:54 rules for Real's Helix Universal Media Server? Jean-Christian Imbeault
@ 2003-03-03  7:54 ` Joel Newkirk
  2003-03-05  8:30   ` Jean-Christian Imbeault
  2003-03-05  9:08 ` Jean-Christian Imbeault
  1 sibling, 1 reply; 5+ messages in thread
From: Joel Newkirk @ 2003-03-03  7:54 UTC (permalink / raw)
  To: Jean-Christian Imbeault, netfilter

On Sunday 02 March 2003 11:54 pm, Jean-Christian Imbeault wrote:
> I am running Real's Helix Media Server on a linux box and would like
> to secure the box as much as possible but I can't figure out what ports
> this media server needs. It seems to pretty much need everything above
> 1024 ...

http://service.real.com/help/library/guides/helixuniversalproxy/htmfiles/firewall.htm#198350

> Has anyone been able to come up with some rules for a Helix Media
> Server?

Presuming the rules are being run on the box itself, it looks like these 
INPUT rules for a Universal Server:

# For Helix universal server dealing with media players
# (multiport is a match module: -m multiport --dports, not --multiport --dport)
iptables -A INPUT -p tcp -m multiport --dports 554,7070,8080 -j ACCEPT
iptables -A INPUT -p udp --dport 6970:6999 -j ACCEPT

# For Helix universal server communicating with universal proxy
iptables -A INPUT -p tcp -m multiport --dports 3030,7802,7878 -j ACCEPT
iptables -A INPUT -p udp --dport 3030 -j ACCEPT

and these for a Universal Proxy server:

# for Helix universal proxy communicating with media players or child proxies
iptables -A INPUT -p tcp -m multiport --dports 554,1090,1755 -j ACCEPT

# for Helix universal proxy communicating with media servers
iptables -A INPUT -p tcp --dport 3030 -j ACCEPT
iptables -A INPUT -p udp --dport 3030 -j ACCEPT
# 6970-32000 for both media servers and parent proxies
iptables -A INPUT -p udp --dport 6970:32000 -j ACCEPT


Apparently that huge range of UDPs can be restricted with the "UDP Resend 
Port Range" Proxy setting.  The OUTPUT rules, if you need them as well, 
should apparently be:

# for universal server communicating with media players
iptables -A OUTPUT -p udp --dport 6970:6999 -j ACCEPT

# for universal server communicating with universal proxy
iptables -A OUTPUT -p udp --dport 6970:32000 -j ACCEPT

# for universal proxy communicating with players or child proxies
iptables -A OUTPUT -p udp --dport 1024:5000 -j ACCEPT
iptables -A OUTPUT -p udp --dport 6970:65535 -j ACCEPT

# for universal proxy communicating with media server and parent proxy
iptables -A OUTPUT -p tcp -m multiport --dports 554,1755,3030,7070,7878 -j ACCEPT
iptables -A OUTPUT -p udp --dport 3030 -j ACCEPT

Also, a universal proxy needs to send on TCP 9090 and listen on a 
configured port for administration.

These are certainly not the tightest rules possible for this beast; quite 
likely around 50% of these rules wouldn't see any traffic if you have 
ESTABLISHED,RELATED allowed through (like OUTPUT going to a media 
player).  My suggestion would be to place EST/REL rules first, then these 
rules, separated instead of using multiport match.  After a reasonable 
period of time, check the packet counts with "iptables -L -v -n" and see 
which rules never hit, then try commenting them out of the script for a 
while to ensure that you can do without them.  If you know more about 
how these communications are initiated than I do, you could probably 
look at these rules and pick out which ones would only be replies.

j



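Joel's suggestion above (EST/REL first, one rule per port, then check "iptables -L -v -n" for rules that never hit), turned into a small check as an added example that is not code from the thread: a POSIX shell filter over the counter output, fed here with a constructed sample of an INPUT chain carrying the kind of Helix rules discussed.

```shell
# Added example (not code from the thread): a small POSIX shell filter over the
# output of "iptables -L INPUT -v -n" that lists rules whose packet counter is
# still zero, i.e. the candidates for commenting out after a soak period.
# Live use:  iptables -L INPUT -v -n | zero_hit_rules

# Print "<rule number> <rule line>" for every rule whose pkts column is 0.
zero_hit_rules() {
    awk '
        /^Chain /              { next }   # chain header with policy counters
        /^ *pkts +bytes/       { next }   # column header line
        NF == 0                { next }   # blank separator
        { n++ }                           # rule number within the chain
        $1 == "0"              { printf "%d %s\n", n, $0 }
    '
}

# Constructed sample in the layout iptables prints, for an INPUT chain that has
# the EST/REL rule first and then Helix server/proxy rules like those above.
SAMPLE='Chain INPUT (policy DROP 12 packets, 960 bytes)
 pkts bytes target     prot opt in     out     source               destination
 9812 1254K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
  231 13860 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:554
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:7070
   17  1020 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp dpts:6970:6999
    0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:3030
'

# Rule numbers of the never-hit rules in the sample, space separated ("3 5 6").
zero_hit_numbers() {
    printf '%s' "$SAMPLE" | zero_hit_rules |
        awk '{ r = r (r ? " " : "") $1 } END { print r }'
}

# How many rules in the sample never matched a packet.
count_zero_hit() {
    printf '%s' "$SAMPLE" | zero_hit_rules | wc -l | tr -d ' '
}

zero_hit_numbers
```

Rule numbers line up with "iptables -L INPUT -v -n --line-numbers", so a zero-hit rule can be removed for a trial with "iptables -D INPUT <number>" before it is taken out of the script for good.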

* Re: rules for Real's Helix Universal Media Server?
  2003-03-03  7:54 ` Joel Newkirk
@ 2003-03-05  8:30   ` Jean-Christian Imbeault
  2003-03-05 17:00     ` Joel Newkirk
  0 siblings, 1 reply; 5+ messages in thread
From: Jean-Christian Imbeault @ 2003-03-05  8:30 UTC (permalink / raw)
  To: netfilter; +Cc: netfilter

Joel Newkirk wrote:
> 
> http://service.real.com/help/library/guides/helixuniversalproxy/htmfiles/firewall.htm#198350

Sorry for my late reply to this message but I was busy setting up other 
machines.

The link you give is for a Universal Proxy server. I am using a Helix 
Universal Media Server. It's a streaming media server, not a proxy server.

> Presuming the rules are being run on the box itself

Yes, they would be.

I found a section in the Helix Media Server manual about firewalls and 
ports but it's taking me a while to figure out what they are saying.

I'll try my hand at setting the rules up myself but if anyone has done 
this before please let me know the rules you came up with :)

Jc




* Re: rules for Real's Helix Universal Media Server?
  2003-03-03  4:54 rules for Real's Helix Universal Media Server? Jean-Christian Imbeault
  2003-03-03  7:54 ` Joel Newkirk
@ 2003-03-05  9:08 ` Jean-Christian Imbeault
  1 sibling, 0 replies; 5+ messages in thread
From: Jean-Christian Imbeault @ 2003-03-05  9:08 UTC (permalink / raw)
  To: netfilter

For those who are facing the same problem as me I've finally come up 
with these rules. Don't know if they are the tightest or if they could 
be improved but they seem to work.

Any suggestions welcomed.

#!/bin/sh

IPT="/usr/local/sbin/iptables"
IP=""
LAN=""
MBX=""
INTERNALBCAST=""

# Delete any old rules
for i in filter
do
   $IPT -t $i -F
   $IPT -t $i -X
done

$IPT --policy INPUT   DROP
$IPT --policy OUTPUT  ACCEPT
$IPT --policy FORWARD DROP

# Loopback accepts everything
$IPT -A INPUT  -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

# Allow previously established connections
# (NEW was also listed here originally; with -d $IP that accepted every
#  inbound packet and made the rules below pointless)
$IPT -A INPUT -d $IP -m state --state ESTABLISHED,RELATED -j ACCEPT

# SMTP needed so I can email the results of the backup jobs
$IPT -A INPUT -p tcp -s $MBX -i eth0 -d $IP --sport 25 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Allow SSH from LAN
$IPT -A INPUT -p tcp -s $LAN -i eth0 -d $IP --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Folding@Home
$IPT -A INPUT -p tcp -i eth0 -d $IP --sport 8080 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p tcp -i eth0 -d $IP --sport 80   -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

#################################################
#
# Ports needed by the server
#
# Listen on :
#
# 554         control channel for RTSP (tcp)
# 80          HTTP (tcp)
# 1755        control channel for MMS  (tcp/udp)
# 7070        control channel for PNA  (tcp)
# 9090        Server Monitor Traffic (tcp)
# 14185       Helix Admin port (tcp)
# 34445-34459 RDT/RTP client replies for UDP resends (udp)
#
# Send on:
#
# 1024-5000  MMS media packet delivery (udp)
# 1-65000    MMS Multicast (multicast) NOT NEEDED
# 6970-32000 data channel (UDP)
#
#################################################

$IPT -A INPUT  -p tcp -i eth0 -d $IP --dport 80          -j ACCEPT
$IPT -A INPUT  -p tcp -i eth0 -d $IP --dport 554         -j ACCEPT
$IPT -A INPUT  -p tcp -i eth0 -d $IP --dport 1755        -j ACCEPT
$IPT -A INPUT  -p udp -i eth0 -d $IP --dport 1755        -j ACCEPT
$IPT -A INPUT  -p tcp -i eth0 -d $IP --dport 7070        -j ACCEPT
$IPT -A INPUT  -p tcp -i eth0 -d $IP --dport 9090        -j ACCEPT
$IPT -A INPUT  -p tcp -i eth0 -d $IP --dport 14185       -j ACCEPT
$IPT -A INPUT  -p udp -i eth0 -d $IP --dport 34445:34459 -j ACCEPT

# These rules are really needed since the OUTPUT policy is set to ACCEPT
$IPT -A OUTPUT -p udp  --sport 1024:5000   -j ACCEPT
$IPT -A OUTPUT -p udp  --sport 6970:32000  -j ACCEPT

##################################################
#
# ping flood protection
# Deny icmp to broadcast address
# allow :
#         0 : Echo reply
#         3 : Destination Unreachable
#         11: TTL exceeded
#
# deny  :
#         4 : Source Quench
#         12: Parameter Problem
#
##################################################

$IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j REJECT
$IPT -A INPUT -i eth0 -p icmp -m icmp --icmp-type 0  -j ACCEPT
$IPT -A INPUT -i eth0 -p icmp -m icmp --icmp-type 3  -j ACCEPT
$IPT -A INPUT -i eth0 -p icmp -m icmp --icmp-type 11 -j ACCEPT
$IPT -A INPUT -i eth0 -p icmp -m icmp --icmp-type 4  -j REJECT
$IPT -A INPUT -i eth0 -p icmp -m icmp --icmp-type 12 -j REJECT
$IPT -A INPUT -p icmp -d $INTERNALBCAST -j DROP

##################################################
#
# Drop crap so that it does not clog up the log file
#
# Drop ports :
#              67  : BOOTP/DHCP             (UDP)
#              113 : identd, need to send RST
#              137 : NetBIOS                (UDP)
#              139 : Samba and print shares (TCP/UDP)
#
# Drop bcasts:
#              192.168.255.255 (TCP/UDP)
#              255.255.255.255 (TCP/UDP)
#
##################################################

$IPT -A INPUT -p udp --dport 67  -j DROP
$IPT -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
$IPT -A INPUT -p udp --dport 137 -j REJECT
$IPT -A INPUT -p udp --dport 139 -j REJECT
$IPT -A INPUT -p tcp --dport 139 -j REJECT
$IPT -A INPUT -p tcp -i eth0 -d $INTERNALBCAST  -j DROP
$IPT -A INPUT -p udp -i eth0 -d $INTERNALBCAST  -j DROP
$IPT -A INPUT -p tcp -i eth0 -d 255.255.255.255 -j DROP
$IPT -A INPUT -p udp -i eth0 -d 255.255.255.255 -j DROP

#log anything that made it this far w/o being caught
$IPT -A INPUT -j LOG --log-level debug --log-prefix "DROP:"




* Re: rules for Real's Helix Universal Media Server?
  2003-03-05  8:30   ` Jean-Christian Imbeault
@ 2003-03-05 17:00     ` Joel Newkirk
  0 siblings, 0 replies; 5+ messages in thread
From: Joel Newkirk @ 2003-03-05 17:00 UTC (permalink / raw)
  To: Jean-Christian Imbeault; +Cc: netfilter

On Wednesday 05 March 2003 03:30 am, Jean-Christian Imbeault wrote:
> Joel Newkirk wrote:
> > http://service.real.com/help/library/guides/helixuniversalproxy/htmfiles/firewall.htm#198350
>
> Sorry for my late reply to this message but I was busy setting up
> other machines.
>
> The link you give is for a Universal Proxy server. I am using a Helix
> Universal Media Server. It's a streaming media server, not a proxy
> server.

Um, did you follow the link?  The Universal Proxy Server is the first 
part, but that whole section encompasses ports used by Universal Proxy, 
Media clients, and Universal Servers.  I actually noticed the subject of 
the request you posted, and when I decided to spend a few hours 
researching it and replying I actually dug around to find out what Helix 
is and how it works...

If it'll make you more comfortable, here's a link that doesn't have the 
word 'proxy' embedded in it:

http://service.real.com/help/library/guides/helixuniversalserver/htmfiles/firewall.htm

j



