* Re: [LARTC] UDP multicast stream and NAT
2005-12-07 22:10 [LARTC] UDP multicast stream and NAT Gabriel
@ 2005-12-09 20:53 ` Gabriel
2005-12-10 12:38 ` sophana
` (4 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: Gabriel @ 2005-12-09 20:53 UTC (permalink / raw)
To: lartc
>> Hi, my ISP is streaming some local concert using UDP
>> multicasting. I followed the instructions on the site which
>> described how to set VLC in order to view the stream, but
>> it didn't work. I am behind a Linux router/firewall doing
>> NAT. Using google, I quickly found out that the
>> netfilter/conntrack code doesn't support NATing multicast
>> traffic. I thought about bridging the internet facing
>> interface (eth0) and (one of) the internal interfaces (the
>> one my computer is plugged into). This way I could set my
>> IP to be public and no routing/NAT would be done on the
>> Linux box. The only problem is that the box has 2 more NICs
>> in it and there are other people connected to those NICs
>> that need to use that connection (hence need to be NATed).
>>
>> Then I tried thinking about a DMZ-like solution where my
>> box would be in the DMZ, but I can't see that working
>> either because I only have one public IP assigned.
>>
>> Can anyone think of any other way for me to be able to view
>> the stream?
>>
>> Thanks.
>>
> On Fri, 09 Dec 2005 21:13:45 +0200, sophana <sophana78@yahoo.fr> wrote:
>
> I have no experience with multicast, but I think you have to setup a
> multicast router daemon on your router (routed I think)
> Gabriel wrote:
>
I don't think that would be of any help as long as the
netfilter code can't NAT multicast traffic.
--
Using Opera's revolutionary e-mail client: http://www.opera.com/mail/
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
* Re: [LARTC] UDP multicast stream and NAT
From: sophana @ 2005-12-10 12:38 UTC (permalink / raw)
To: lartc
Gabriel wrote:
>I don't think that would be of any help as long as the
>netfilter code can't NAT multicast traffic.
>
Multicast cannot be NATed by nature.
It is relayed by a multicast router.
* Re: [LARTC] UDP multicast stream and NAT
From: Andy Furniss @ 2005-12-11 21:21 UTC (permalink / raw)
To: lartc
Gabriel wrote:
> Hi, my ISP is streaming some local concert using UDP
> multicasting. I followed the instructions on the site which
> described how to set VLC in order to view the stream, but
> it didn't work. I am behind a Linux router/firewall doing
> NAT. Using google, I quickly found out that the
> netfilter/conntrack code doesn't support NATing multicast
> traffic. I thought about bridging the internet facing
> interface (eth0) and (one of) the internal interfaces (the
> one my computer is plugged into). This way I could set my
> IP to be public and no routing/NAT would be done on the
> Linux box. The only problem is that the box has 2 more NICs
> in it and there are other people connected to those NICs
> that need to use that connection (hence need to be NATed).
>
> Then I tried thinking about a DMZ-like solution where my
> box would be in the DMZ, but I can't see that working
> either because I only have one public IP assigned.
>
> Can anyone think of any other way for me to be able to view
> the stream?
>
> Thanks.
>
I also don't think the bridging will work.
AIUI stateless NAT using ip doesn't work with 2.6 kernels so thinking
about iptables only.
Maybe you could get something working with the raw table, you can bypass
conntrack with that but then I am not sure if you could dnat it ...
There is another iptables target ROUTE maybe you could use that. If the
LAN PC is running Linux then you could setup a vlan/tunnel/something and
ROUTE it down there.
I would also ask this on the netfilter users list.
Andy.
* Re: [LARTC] UDP multicast stream and NAT
From: Andy Furniss @ 2005-12-12 2:08 UTC (permalink / raw)
To: lartc
Andy Furniss wrote:
> Gabriel wrote:
>
>> Hi, my ISP is streaming some local concert using UDP
>> multicasting. I followed the instructions on the site which
>> described how to set VLC in order to view the stream, but
>> it didn't work. I am behind a Linux router/firewall doing
>> NAT. Using google, I quickly found out that the
>> netfilter/conntrack code doesn't support NATing multicast
>> traffic. I thought about bridging the internet facing
>> interface (eth0) and (one of) the internal interfaces (the
>> one my computer is plugged into). This way I could set my
>> IP to be public and no routing/NAT would be done on the
>> Linux box. The only problem is that the box has 2 more NICs
>> in it and there are other people connected to those NICs
>> that need to use that connection (hence need to be NATed).
>>
>> Then I tried thinking about a DMZ-like solution where my
>> box would be in the DMZ, but I can't see that working
>> either because I only have one public IP assigned.
>>
>> Can anyone think of any other way for me to be able to view
>> the stream?
>>
>> Thanks.
>>
>
> I also don't think the bridging will work.
>
> AIUI stateless NAT using ip doesn't work with 2.6 kernels so thinking
> about iptables only.
>
> Maybe you could get something working with the raw table, you can bypass
> conntrack with that but then I am not sure if you could dnat it ...
>
> There is another iptables target ROUTE maybe you could use that. If the
> LAN PC is running Linux then you could setup a vlan/tunnel/something and
> ROUTE it down there.
>
> I would also ask this on the netfilter users list.
Another thought - I would tcpdump on the internet interface and check if
you can see multicast traffic.
If you can then try making a normal dnat rule something like -
iptables -I PREROUTING -t nat -i ppp0 --src 224.0.0.0/4 -j DNAT --to 192.168.0.3
I don't think my isp does multicast - so I have never tried to get it to
work and haven't got a clue really :-)
Andy.
* Re: [LARTC] UDP multicast stream and NAT
From: Gabriel @ 2005-12-12 22:35 UTC (permalink / raw)
To: lartc
On Mon, 12 Dec 2005 04:08:54 +0200, Andy Furniss <andy.furniss@dsl.pipex.com> wrote:
> Andy Furniss wrote:
>> Gabriel wrote:
>>
>>> Hi, my ISP is streaming some local concert using UDP
>>> multicasting. I followed the instructions on the site which
>>> described how to set VLC in order to view the stream, but
>>> it didn't work. I am behind a Linux router/firewall doing
>>> NAT. Using google, I quickly found out that the
>>> netfilter/conntrack code doesn't support NATing multicast
>>> traffic. I thought about bridging the internet facing
>>> interface (eth0) and (one of) the internal interfaces (the
>>> one my computer is plugged into). This way I could set my
>>> IP to be public and no routing/NAT would be done on the
>>> Linux box. The only problem is that the box has 2 more NICs
>>> in it and there are other people connected to those NICs
>>> that need to use that connection (hence need to be NATed).
>>>
>>> Then I tried thinking about a DMZ-like solution where my
>>> box would be in the DMZ, but I can't see that working
>>> either because I only have one public IP assigned.
>>>
>>> Can anyone think of any other way for me to be able to view
>>> the stream?
>>>
>>> Thanks.
>>>
>>
>> I also don't think the bridging will work.
>>
>> AIUI stateless NAT using ip doesn't work with 2.6 kernels so thinking
>> about iptables only.
>>
>> Maybe you could get something working with the raw table, you can bypass
>> conntrack with that but then I am not sure if you could dnat it ...
>>
>> There is another iptables target ROUTE maybe you could use that. If the
>> LAN PC is running Linux then you could setup a vlan/tunnel/something and
>> ROUTE it down there.
>>
>> I would also ask this on the netfilter users list.
>
> Another thought - I would tcpdump on the internet interface and check if
> you can see multicast traffic.
>
> If you can then try making a normal dnat rule something like -
>
> iptables -I PREROUTING -t nat -i ppp0 --src 224.0.0.0/4 -j DNAT --to 192.168.0.3
>
> I don't think my isp does multicast - so I have never tried to get it to
> work and haven't got a clue really :-)
>
> Andy.
I am familiar with only some of the iptables features
(ROUTE not included :) ), so I'll have to read about that.
I also don't know the details of how multicast works, but,
from what I've seen, there is an initial IGMP packet (a
Membership Report packet according to Ethereal) that,
theoretically, I would still need to NAT. From there on,
the UDP multicast stream is one way only (but the incoming
stream would need to somehow be forwarded to my computer).
I have to say that I can't see this working without NATting
and if multicast traffic can not be NATed, then...
I also found out the TTL of the initial multicast packet
was 1, so I issued -j TTL --ttl-inc 1 on the router to
increment it. On the LAN facing interface, they would still
appear with the TTL=1 (according to tcpdump), so I guess
the incrementation is done sometime after tcpdump sees the
packet. Still, the packet did not show up on the internet
interface.
Then, I manually added a route to 224.0.0.0/4 through eth0
(internet facing NIC), it still didn't work. I also tried
to compile mrouted, but I got some errors (it's kinda old,
I think it was designed for 2.2 kernels), so I got stuck.
In the end, I managed to see the stream by plugging my
desktop PC directly into the cable modem. :))
* Re: [LARTC] UDP multicast stream and NAT
From: Andy Furniss @ 2006-07-22 18:07 UTC (permalink / raw)
To: lartc
Gabriel wrote:
> Hi, my ISP is streaming some local concert using UDP
> multicasting. I followed the instructions on the site which
> described how to set VLC in order to view the stream, but
> it didn't work. I am behind a Linux router/firewall doing
> NAT. Using google, I quickly found out that the
> netfilter/conntrack code doesn't support NATing multicast
> traffic. I thought about bridging the internet facing
> interface (eth0) and (one of) the internal interfaces (the
> one my computer is plugged into). This way I could set my
> IP to be public and no routing/NAT would be done on the
> Linux box. The only problem is that the box has 2 more NICs
> in it and there are other people connected to those NICs
> that need to use that connection (hence need to be NATed).
>
> Then I tried thinking about a DMZ-like solution where my
> box would be in the DMZ, but I can't see that working
> either because I only have one public IP assigned.
>
> Can anyone think of any other way for me to be able to view
> the stream?
>
> Thanks.
>
I recently changed ISP to one that does multicast so got a chance to play.
If you want to do it properly then www.xorp.org is the place to look - I
didn't as for our situation proper routing is a bit OTT.
There is a project on sf.net called igmpproxy - I didn't really try with
this as I read it didn't work, but more recently I've read that it is OK
if you are careful with the config.
The way I did it is to use smcroute to set up static route(s) and issue
igmp joins manually from the gateway.
http://www.cschill.de/smcroute
All I needed to do with iptables was to let multicast dst into the gateway.
If the stream link is a .sdp you can read the addresses, if it's some
proprietary crap then tcpdump -nnvv net 224.0.0.0/4 on the lan side while
the player is trying to connect to get them - one multicast address =
dst on incoming one unicast addr for the source.
eg. in the UK for the BBC1 1.2mbit H.264 stream -
smcroute -d
smcroute -a ppp0 132.185.224.80 233.122.227.151 eth0
smcroute -j ppp0 233.122.227.157
to stop
smcroute -l ppp0 233.122.227.157
For those in the UK that can test the BBCs - half of them have been down
whenever I've looked - so try several
Andy.
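Added example, not part of the post above and not code from smcroute: a shell sketch of the "read the addresses from the .sdp" step that prints the static route, the join, and firewall rules scoped to one source and one group instead of all of 224.0.0.0/4. The helper names `is_mcast` and `sdp_to_cmds`, the sample addresses (documentation ranges) and the presence of an RFC 4570 `a=source-filter` line are assumptions; the smcroute options are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: turn an SDP description into narrowly scoped gateway commands.
# It only prints the commands for review; nothing is executed.

# is_mcast ADDR: succeed only if ADDR starts inside 224.0.0.0/4.
is_mcast() {
    first=${1%%.*}
    case $first in ''|*[!0-9]*) return 1 ;; esac
    [ "$first" -ge 224 ] && [ "$first" -le 239 ]
}

# sdp_to_cmds FILE WAN_IF LAN_IF (hypothetical helper name)
sdp_to_cmds() {
    sdp=$1; wan=$2; lan=$3
    # c=IN IP4 <group>[/ttl] carries the multicast destination.
    group=$(tr -d '\r' < "$sdp" |
        sed -n 's|^c=IN IP4 \([0-9.]*\).*|\1|p' | head -n 1)
    # Assumption: the sender is listed in an RFC 4570 source-filter line,
    # a=source-filter: incl IN IP4 <dest> <source>
    src=$(tr -d '\r' < "$sdp" |
        sed -n 's|^a=source-filter: *incl IN IP4 [^ ]* \([0-9.]*\).*|\1|p' | head -n 1)

    is_mcast "$group" || { echo "no multicast c= address in $sdp" >&2; return 1; }
    # Without a usable unicast source, stop instead of emitting a wildcard rule.
    { [ -n "$src" ] && ! is_mcast "$src"; } ||
        { echo "no unicast source in $sdp" >&2; return 1; }

    # Accept exactly one (source, group) pair, not all of 224.0.0.0/4.
    # FORWARD is included on the assumption that its policy is restrictive.
    cat <<EOF
iptables -A INPUT -i $wan -s $src -d $group -p udp -j ACCEPT
iptables -A FORWARD -i $wan -o $lan -s $src -d $group -p udp -j ACCEPT
smcroute -a $wan $src $group $lan
smcroute -j $wan $group
EOF
}

# Constructed sample SDP using documentation ranges, not the thread's stream.
sample=$(mktemp)
printf 'v=0\r\no=- 0 0 IN IP4 192.0.2.10\r\nc=IN IP4 233.252.0.5/127\r\n' > "$sample"
printf 'a=source-filter: incl IN IP4 233.252.0.5 192.0.2.10\r\n' >> "$sample"
sdp_to_cmds "$sample" ppp0 eth0
rm -f "$sample"
```

When the SDP has no source-filter line the function refuses to guess; the source then has to come from the tcpdump capture described in the post.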