rtsp-conntrack help needed...

Linux Netfilter discussions
 help / color / mirror / Atom feed

* rtsp-conntrack help needed...
@ 2004-01-17 10:21 meillnco
  2004-01-17 12:08 ` Antony Stone
  0 siblings, 1 reply; 4+ messages in thread
From: meillnco @ 2004-01-17 10:21 UTC (permalink / raw)
  To: netfilter

Hello all,

This is my first post on this list but I've known netfilter for a while now... I'm just about to start using it though.

Here is my question / problem : I have a generic configuration LAN <=> FIREWALL <=> INTERNET. My goal is to be able to play a video streamed by a public server. However, for the moment, my local clients can't stream as all RTP packets are stopped by the firewall. Here comes (maybe ?) rtsp-conntrack...

I was wondering if anyone had already (and successfully) installed this patch ? I've been facing this problem for soooo long, any help would be much appreciated. Especially regarding installation / compliation tips and examples of the rules to add in my firewall configuration file.

Thanks again for any help !
Nico

PS : sorry if this message is inaccurate, I'm not so deep into Linux... 

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: rtsp-conntrack help needed...
  2004-01-17 10:21 rtsp-conntrack help needed meillnco
@ 2004-01-17 12:08 ` Antony Stone
  2004-01-17 15:09   ` Nicolas
  0 siblings, 1 reply; 4+ messages in thread
From: Antony Stone @ 2004-01-17 12:08 UTC (permalink / raw)
  To: netfilter

On Saturday 17 January 2004 10:21 am, meillnco wrote:

> Hello all,
>
> This is my first post on this list but I've known netfilter for a while
> now... I'm just about to start using it though.
>
> Here is my question / problem : I have a generic configuration LAN <=>
> FIREWALL <=> INTERNET. My goal is to be able to play a video streamed by a
> public server. However, for the moment, my local clients can't stream as
> all RTP packets are stopped by the firewall.

Why are they being stopped?   What is your ruleset?

> Here comes (maybe ?) rtsp-conntrack...

Maybe, but let's not assume that's the solution until we've clearly identified 
the problem.

> I was wondering if anyone had already (and successfully) installed this
> patch ? I've been facing this problem for soooo long, any help would be
> much appreciated.

Have you attempted installing this patch and had a problem?   Or are you just 
asking "how do I install a patch"?

> Especially regarding installation / compliation tips and
> examples of the rules to add in my firewall configuration file.

Tell us what rules you have now and we may be able to suggest what to change.   
We can't tell you what rules you should be using because we don;t know the 
rest of your protocol requirements or your network configuration.

> PS : sorry if this message is inaccurate, I'm not so deep into Linux...

No problem - it's not Linux we need details of - it's your network and your 
firewall rules.

Regards,

Antony.

-- 
The words "e pluribus unum" on the Great Seal of the United States are from a 
poem by Virgil entitled "Moretum", which is about cheese and garlic salad 
dressing.

                                                     Please reply to the list;
                                                           please don't CC me.



^ permalink raw reply	[flat|nested] 4+ messages in thread

* RE: rtsp-conntrack help needed...
  2004-01-17 12:08 ` Antony Stone
@ 2004-01-17 15:09   ` Nicolas
  2004-01-17 21:46     ` Tom Marshall
  0 siblings, 1 reply; 4+ messages in thread
From: Nicolas @ 2004-01-17 15:09 UTC (permalink / raw)
  To: netfilter

Antony,

Here is my ruleset. Hope this helps... As I told you, the rules I use are
really basics.

There you go :

#!/bin/sh
#
# FORWARDING activation

echo 1 > /proc/sys/net/ipv4/ip_forward


# No spoofing (pings are blocked)

if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
then
	for filtre in /proc/sys/net/ipv4/conf/*/rp_filter
	do
		echo 1 > $filtre
	done
fi


# no icmp
#echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
#echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts


# loading the ip_tables module

modprobe ip_tables


# NAT modules

modprobe ip_nat_ftp
modprobe ip_nat_irc
modprobe iptable_filter
modprobe iptable_nat


# Aliases

ifconfig eth1:1 IP_PUB..XXX.XX6 netmask 255.255.255.248
ifconfig eth1:2 IP_PUB..XXX.XX7 netmask 255.255.255.248
ifconfig eth1:3 IP_PUB..XXX.XX8 netmask 255.255.255.248
ifconfig eth1:4 IP_PUB..XXX.XX9 netmask 255.255.255.248


# Default : all packets dropped

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP


# For LAN : all packets accepted

iptables -A INPUT -s 10.254.254.0/12 -j ACCEPT
iptables -A OUTPUT -d 10.254.254.0/12 -j ACCEPT
iptables -A FORWARD -s 10.254.254.0/12 -j ACCEPT

# For 3G handsets : all packets accepted

iptables -A INPUT -s 10.150.33.0/24 -j ACCEPT
iptables -A OUTPUT -d 10.150.33.0/24 -j ACCEPT
iptables -A FORWARD -s 10.150.33.0/24 -j ACCEPT


# Loopback interface : all accepted

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT


# LAN: internet access OK

#iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
iptables -A FORWARD -o eth0 -i eth1 -j ACCEPT


# translation d'adresse filtrée en entrée: IMAI

iptables -t nat -A PREROUTING -s IP_SRC_THRD-PARTY -d IP_PUB..XXX.XX7 -p tcp
-j DNAT --to-destination 10.254.254.32


# NAT rules

iptables -t nat -A PREROUTING -d IP_PUB..XXX.XX7 -p udp --dport 9201 -j DNAT
--to-destination10.254.254.11
iptables -t nat -A PREROUTING -d IP_PUB..XXX.XX8 -p tcp --dport 8080 -j DNAT
--to-destination10.254.254.12
iptables -t nat -A PREROUTING -d IP_PUB..XXX.XX9 -p tcp --dport 80 -j DNAT
--to-destination10.254.254.25
iptables -t nat -A PREROUTING -d IP_PUB..XXX.XX9 -p tcp --dport 22 -j DNAT
--to-destination10.254.254.25


# Telnet forbidden

iptables -A FORWARD -d IP_PUB..XXX.XX6 -p tcp  --dport 23 -j DROP
iptables -A FORWARD -d IP_PUB..XXX.XX7 -p tcp  --dport 23 -j DROP
iptables -A FORWARD -d IP_PUB..XXX.XX8 -p tcp  --dport 23 -j DROP
iptables -A FORWARD -d IP_PUB..XXX.XX9 -p tcp  --dport 23 -j DROP


# On accepte les ping dans la translation

iptables -t nat -A PREROUTING -d IP_PUB..XXX.XX6 -p icmp  -j DNAT
--to-destination 10.254.254.31
iptables -t nat -A PREROUTING -d IP_PUB..XXX.XX7 -p icmp  -j DNAT
--to-destination 10.254.254.41
iptables -t nat -A PREROUTING -d IP_PUB..XXX.XX8 -p icmp  -j DNAT
--to-destination 10.254.254.42
iptables -t nat -A PREROUTING -d IP_PUB..XXX.XX9 -p icmp  -j DNAT
--to-destination 10.254.254.25


# Masquerading rules

iptables -t nat -A POSTROUTING -s 10.254.254.0/12 -o eth1 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.150.33.0/24 -o eth1 -j MASQUERADE


Thanks a lot for your help.
Nicolas

-----Message d'origine-----
De : netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org] De la part de Antony Stone
Envoyé : samedi 17 janvier 2004 13:09
À : netfilter@lists.netfilter.org
Objet : Re: rtsp-conntrack help needed...

On Saturday 17 January 2004 10:21 am, meillnco wrote:

> Hello all,
>
> This is my first post on this list but I've known netfilter for a while
> now... I'm just about to start using it though.
>
> Here is my question / problem : I have a generic configuration LAN <=>
> FIREWALL <=> INTERNET. My goal is to be able to play a video streamed by a
> public server. However, for the moment, my local clients can't stream as
> all RTP packets are stopped by the firewall.

Why are they being stopped?   What is your ruleset?

> Here comes (maybe ?) rtsp-conntrack...

Maybe, but let's not assume that's the solution until we've clearly
identified 
the problem.

> I was wondering if anyone had already (and successfully) installed this
> patch ? I've been facing this problem for soooo long, any help would be
> much appreciated.

Have you attempted installing this patch and had a problem?   Or are you
just 
asking "how do I install a patch"?

> Especially regarding installation / compliation tips and
> examples of the rules to add in my firewall configuration file.

Tell us what rules you have now and we may be able to suggest what to
change.   
We can't tell you what rules you should be using because we don;t know the 
rest of your protocol requirements or your network configuration.

> PS : sorry if this message is inaccurate, I'm not so deep into Linux...

No problem - it's not Linux we need details of - it's your network and your 
firewall rules.

Regards,

Antony.

-- 
The words "e pluribus unum" on the Great Seal of the United States are from
a 
poem by Virgil entitled "Moretum", which is about cheese and garlic salad 
dressing.

                                                     Please reply to the
list;
                                                           please don't CC
me.





^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: rtsp-conntrack help needed...
  2004-01-17 15:09   ` Nicolas
@ 2004-01-17 21:46     ` Tom Marshall
  0 siblings, 0 replies; 4+ messages in thread
From: Tom Marshall @ 2004-01-17 21:46 UTC (permalink / raw)
  To: Nicolas; +Cc: netfilter

[-- Attachment #1: Type: text/plain, Size: 590 bytes --]

> # Masquerading rules
> 
> iptables -t nat -A POSTROUTING -s 10.254.254.0/12 -o eth1 -j MASQUERADE
> iptables -t nat -A POSTROUTING -s 10.150.33.0/24 -o eth1 -j MASQUERADE

It appears you are using NAT.  This would prevent RTP/RTCP from functioning. 
Please try the RTSP conntrack/nat modules and let me know if they work for
you.  I believe they are available in the current p-o-m, or you can get them
from here:

  http://home.tig-grr.com/rtsp/index.html

-- 
Any task can be completed in only one-third more time than is currently
estimated.
        -- Norman Augustine

[-- Attachment #2: Type: application/pgp-signature, Size: 240 bytes --]

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2004-01-17 21:46 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2004-01-17 10:21 rtsp-conntrack help needed meillnco
2004-01-17 12:08 ` Antony Stone
2004-01-17 15:09   ` Nicolas
2004-01-17 21:46     ` Tom Marshall

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox