Discussion:
RTSP & RTP w/ Darwin Thru iptables
Dan Barron
2004-07-21 20:36:37 UTC
Hello,

I have been struggling with setting up my iptables firewall to allow for
RTSP & RTP connections to a Darwin Streaming Server. Can anyone point to
me to information on how to setup iptables properly to make this work? I
have a firewall with a public Internet connection and a DMZ and private
LAN. The Darwin server lives on its own server in the DMZ.

Thank you in advance for any insight you can provide for this.

Dan Barron
Antony Stone
2004-07-21 20:50:39 UTC
Post by Dan Barron
Hello,
I have been struggling with setting up my iptables firewall to allow for
RTSP & RTP connections to a Darwin Streaming Server.
What protocols does this use? TCP? UDP? Something else?
Post by Dan Barron
I have a firewall with a public Internet connection and a DMZ and private
LAN. The Darwin server lives on its own server in the DMZ.
Does Darwin claim to operate across nat (which it sounds as though you are
using)? Does Darwin specifically state it will not work across nat?

What netfilter rules do you have at present, in the non-working setup, and
what packets are being dropped or unreplied (if you don't know the answer to
this last part, add some LOGging rules to find out what packets are not
either reaching their destination, or being replied to).

Regards,

Antony.
--
Users don't know what they want until they see what they get.

Please reply to the list;
please don't CC me.
Dan Barron
2004-07-22 15:19:25 UTC
Post by Antony Stone
Post by Dan Barron
I have been struggling with setting up my iptables firewall to allow for
RTSP & RTP connections to a Darwin Streaming Server.
What protocols does this use? TCP? UDP? Something else?
TCP/UDP Ports 554 & 7070 (RTSP) and UDP ports 6790:6999 (RTP) - the way I
believe it to work is that the stream is asked for and controlled using the
TCP port then the video is streamed over the UDP port.
Post by Antony Stone
Post by Dan Barron
I have a firewall with a public Internet connection and a DMZ and private
LAN. The Darwin server lives on its own server in the DMZ.
Does Darwin claim to operate across nat (which it sounds as though you are
using)? Does Darwin specifically state it will not work across nat?
No and No, I can find little discussion on it, though it does pose problems
from what I can find. All my searching has only found small amounts of
information talking about it.
Post by Antony Stone
What netfilter rules do you have at present, in the non-working setup, and
what packets are being dropped or unreplied (if you don't know the answer to
this last part, add some LOGging rules to find out what packets are not
either reaching their destination, or being replied to).
After more configuration tries, I am seeing that the RTSP TCP packets on
port 7070 get DNAT'd fine to the Darwin Server - but it never responds back
with either a TCP packet or a UDP packet. To make sure the Darwin Server
Linux box allows for Darwin to work properly, the Darwin server has two
eth ports, one on the DMZ, and one on the private LAN, and if I use its
private LAN ip addr in quicktime viewer the Darwin server works fine and
answers back with streaming media no problems. So, this tells me that I
have a firewall issue of some kind.


(internet) ------ firewall ------ (DMZ) ----- Darwin Server
                     |                |
               (Private LAN)          +- Web Server
                     |
                   W2K PC

Here is my current set of relevant rules.

#~~~ Additional udp_packets Chain ~~~

$IPTABLES -N udp_packets

$IPTABLES -A udp_packets -p UDP -s 0/0 --destination-port 554 -j ACCEPT
$IPTABLES -A udp_packets -p UDP -s 0/0 --destination-port 7070 -j ACCEPT
$IPTABLES -A udp_packets -p UDP -s 0/0 --destination-port 6970:6999 -j ACCEPT

#~~~ INPUT Chain ~~~

$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udp_packets
$IPTABLES -A INPUT -p UDP -i $DMZ_IFACE -j udp_packets

#~~~ FORWARD Chain ~~~

$IPTABLES -A FORWARD -i $INET_IFACE -o $DMZ_IFACE -p tcp \
-d $DMZ_STREAMING --dport 554 -j ACCEPT
$IPTABLES -A FORWARD -i $INET_IFACE -o $DMZ_IFACE -p tcp \
-d $DMZ_STREAMING --dport 7070 -j ACCEPT
$IPTABLES -A FORWARD -i $INET_IFACE -o $DMZ_IFACE -p udp \
-d $DMZ_STREAMING --dport 554 -j ACCEPT
$IPTABLES -A FORWARD -i $INET_IFACE -o $DMZ_IFACE -p udp \
-d $DMZ_STREAMING --dport 7070 -j ACCEPT
$IPTABLES -A FORWARD -i $INET_IFACE -o $DMZ_IFACE -p udp \
-d $DMZ_STREAMING --dport 6970:6999 -j ACCEPT

$IPTABLES -A FORWARD -i $DMZ_IFACE -p udp \
--dport 6970:6999 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i $DMZ_IFACE -p udp \
--dport 7070 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i $DMZ_IFACE -p udp \
--dport 554 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i $DMZ_IFACE -p udp \
--dport 6970:6999 -j ACCEPT
$IPTABLES -A FORWARD -i $DMZ_IFACE -p udp \
--dport 7070 -j ACCEPT
$IPTABLES -A FORWARD -i $DMZ_IFACE -p udp \
--dport 554 -j ACCEPT

#~~~ PREROUTING ~~~

$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -p tcp \
--dport 554 -j DNAT --to-destination $DMZ_STREAMING:554
$IPTABLES -t nat -A PREROUTING --dst $INET_IP -p tcp \
--dport 7070 -j DNAT --to-destination $DMZ_STREAMING:7070
$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -p udp \
--dport 554 -j DNAT --to-destination $DMZ_STREAMING:554
$IPTABLES -t nat -A PREROUTING --dst $INET_IP -p udp \
--dport 7070 -j DNAT --to-destination $DMZ_STREAMING:7070
$IPTABLES -t nat -A PREROUTING --dst $INET_IP -p udp \
--dport 6970:6999 -j DNAT \
--to-destination $DMZ_STREAMING:6970-6999


And here's my log rules and what I see when trying to connect via my
private LAN pc and the public domain address pointing to my public IP.

#~~~ LOG EVERYTHING ~~~

$IPTABLES -A INPUT -i $INET_IFACE -j LOG \
--log-level DEBUG --log-prefix "IPT INPUT INET_IFACE: "
$IPTABLES -A INPUT -i $DMZ_IFACE -j LOG \
--log-level DEBUG --log-prefix "IPT INPUT DMZ_IFACE: "
$IPTABLES -A INPUT -i $LAN_IFACE -j LOG \
--log-level DEBUG --log-prefix "IPT INPUT LAN_IFACE: "

$IPTABLES -A FORWARD -i $INET_IFACE -j LOG \
--log-level DEBUG --log-prefix "IPT FORWARD INET_IFACE: "
$IPTABLES -A FORWARD -i $DMZ_IFACE -j LOG \
--log-level DEBUG --log-prefix "IPT FORWARD DMZ_IFACE: "
$IPTABLES -A FORWARD -i $LAN_IFACE -j LOG \
--log-level DEBUG --log-prefix "IPT FORWARD LAN_IFACE: "

$IPTABLES -A OUTPUT -o $INET_IFACE -j LOG \
--log-level DEBUG --log-prefix "IPT OUTPUT INET_IFACE: "
$IPTABLES -A OUTPUT -o $DMZ_IFACE -j LOG \
--log-level DEBUG --log-prefix "IPT OUTPUT DMZ_IFACE: "
$IPTABLES -A OUTPUT -o $LAN_IFACE -j LOG \
--log-level DEBUG --log-prefix "IPT OUTPUT LAN_IFACE: "

Jul 22 08:06:02 pygmy kernel: IPT FORWARD LAN_IFACE: IN=eth0 OUT=eth3 SRC=192.168.11.10 DST=10.10.1.80 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=11016 PROTO=TCP SPT=1024 DPT=7070 WINDOW=0 RES=0x00 RST URGP=0
Jul 22 08:06:02 pygmy kernel: New not syn:IN=eth0 OUT=eth3 SRC=192.168.11.10 DST=10.10.1.80 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=11016 PROTO=TCP SPT=1024 DPT=7070 WINDOW=0 RES=0x00 RST URGP=0
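As an added example (not code from this thread), here is a small sh/awk tool that parses netfilter LOG lines of the kind shown above and lists flows that were logged going towards a host but never logged coming back, which is exactly the question Antony's LOGging rules are meant to answer. The sample records are constructed: the first is the LAN_IFACE line above re-joined onto one line as the kernel emits it, the other two are an invented Internet client and the server's reply; interface names and the 198.51.100.7 address are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: summarise netfilter LOG records and
# find one-way flows (request logged, no reply logged).

# Constructed sample input. Real records come from /var/log/messages or
# dmesg; each record is one line.
sample_log() {
    cat <<'EOF'
Jul 22 08:06:02 pygmy kernel: IPT FORWARD LAN_IFACE: IN=eth0 OUT=eth3 SRC=192.168.11.10 DST=10.10.1.80 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=11016 PROTO=TCP SPT=1024 DPT=7070 WINDOW=0 RES=0x00 RST URGP=0
Jul 22 08:06:05 pygmy kernel: IPT FORWARD INET_IFACE: IN=eth1 OUT=eth3 SRC=198.51.100.7 DST=10.10.1.80 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=3311 DF PROTO=TCP SPT=40210 DPT=554 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 22 08:06:05 pygmy kernel: IPT FORWARD DMZ_IFACE: IN=eth3 OUT=eth1 SRC=10.10.1.80 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=554 DPT=40210 WINDOW=5792 RES=0x00 ACK SYN URGP=0
EOF
}

# One summary line per LOG record, '|'-separated:
#   prefix|in->out|src:spt|dst:dpt|proto|flags
summarize_ipt_log() {
    awk '
    /kernel: / {
        line = $0
        sub(/^.*kernel: /, "", line)        # drop timestamp and hostname
        split(line, parts, /: *IN=/)        # --log-prefix text comes before IN=
        prefix = parts[1]
        rest = "IN=" parts[2]
        n = split(rest, tok, " ")
        in_if = out_if = src = dst = proto = spt = dpt = flags = ""
        for (i = 1; i <= n; i++) {
            if (index(tok[i], "=") > 0) {   # KEY=VALUE token
                split(tok[i], kv, "=")
                if (kv[1] == "IN") in_if = kv[2]
                else if (kv[1] == "OUT") out_if = kv[2]
                else if (kv[1] == "SRC") src = kv[2]
                else if (kv[1] == "DST") dst = kv[2]
                else if (kv[1] == "PROTO") proto = kv[2]
                else if (kv[1] == "SPT") spt = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
            } else if (tok[i] ~ /^(SYN|ACK|RST|FIN|PSH|URG)$/) {
                flags = flags (flags == "" ? "" : ",") tok[i]   # bare TCP flag names
            }
        }
        if (flags == "") flags = "-"
        printf "%s|%s->%s|%s:%s|%s:%s|%s|%s\n",
               prefix, in_if, out_if, src, spt, dst, dpt, proto, flags
    }'
}

# Flows (proto|client|server) for which no packet in the reverse direction
# was ever logged. Printed in order of first appearance.
unanswered_flows() {
    summarize_ipt_log | awk -F'|' '
    {
        key = $5 "|" $3 "|" $4        # this direction
        rev = $5 "|" $4 "|" $3        # the reply direction
        seen[key] = 1
        if (!(key in order_of)) { order_of[key] = ++n; order[n] = key }
        if (rev in seen) { answered[rev] = 1; answered[key] = 1 }
    }
    END {
        for (i = 1; i <= n; i++) if (!(order[i] in answered)) print order[i]
    }'
}

# Usage on a live box:  grep 'IPT ' /var/log/messages | unanswered_flows
```

Run against the sample, the 7070 flow from the LAN client is reported as unanswered while the 554 flow from the Internet client is not, because its SYN/ACK was logged on the DMZ interface. Applied to the real log this separates "the firewall never forwarded the request" from "the server never replied through the firewall", which is the distinction the rest of the thread turns on.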
Alistair Tonner
2004-07-22 19:02:41 UTC
On July 22, 2004 11:19 am, Dan Barron wrote:

Please note -- this is somewhat edited for brevity!!!
Post by Dan Barron
Post by Dan Barron
I have been struggling with setting up my iptables firewall to allow
for RTSP & RTP connections to a Darwin Streaming Server.
TCP/UDP Ports 554 & 7070 (RTSP) and UDP ports 6790:6999 (RTP) - the way I
believe it to work is that the stream is asked for and controlled using the
TCP port then the video is streamed over the UDP port.
Post by Dan Barron
I have a firewall with a public Internet connection and a DMZ and
private LAN. The Darwin server lives on its own server in the DMZ.
After more configuration tries, I am seeing that the RTSP TCP packets on
port 7070 get DNAT'd fine to the Darwin Server - but it never responds back
with either a TCP packet or a UDP packet. To make sure the Darwin Server
Linux box allows for Darwin to work properly, the Darwin server has two
eth ports, one on the DMZ, and one on the private LAN, and if I use its
private LAN ip addr in quicktime viewer the Darwin server works fine and
answers back with streaming media no problems. So, this tells me that I
have a firewall issue of some kind.
Ummm... Private LAN ip on a DMZ box??? not a good thing .
What is the Darwin box's default gateway??, and what
IP does it see the connections originating from?

Can you LOG packets coming off the Darwin box at the
firewall in reply to the inbound RTSP requests? ...
I'd suggest LOGging both the DMZ ip and LAN ip of
the Darwin box *grin*

At this moment I'd bet that the Darwin box is replying on the
LAN side of the network.
Post by Dan Barron
(internet) ------ firewall ------ (DMZ) ----- Darwin Server
                     |                |
               (Private LAN)          +- Web Server
                     |
                   W2K PC
Here is my current set of relevant rules.
#~~~ Additional udp_packets Chain ~~~
$IPTABLES -N udp_packets
$IPTABLES -A udp_packets -p UDP -s 0/0 --destination-port 554 -j ACCEPT
$IPTABLES -A udp_packets -p UDP -s 0/0 --destination-port 7070 -j ACCEPT
$IPTABLES -A udp_packets -p UDP -s 0/0 --destination-port 6970:6999 -j ACCEPT
Why do you accept these on the firewall?? you want to route them to the
Darwin Box right? --- these should be jumped to from FORWARD, not INPUT.
Post by Dan Barron
#~~~ INPUT Chain ~~~
$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udp_packets
$IPTABLES -A INPUT -p UDP -i $DMZ_IFACE -j udp_packets
#~~~ FORWARD Chain ~~~
$IPTABLES -A FORWARD -i $INET_IFACE -o $DMZ_IFACE -p tcp \
-d $DMZ_STREAMING --dport 554 -j ACCEPT
$IPTABLES -A FORWARD -i $INET_IFACE -o $DMZ_IFACE -p tcp \
-d $DMZ_STREAMING --dport 7070 -j ACCEPT
$IPTABLES -A FORWARD -i $INET_IFACE -o $DMZ_IFACE -p udp \
-d $DMZ_STREAMING --dport 554 -j ACCEPT
$IPTABLES -A FORWARD -i $INET_IFACE -o $DMZ_IFACE -p udp \
-d $DMZ_STREAMING --dport 7070 -j ACCEPT
$IPTABLES -A FORWARD -i $INET_IFACE -o $DMZ_IFACE -p udp \
-d $DMZ_STREAMING --dport 6970:6999 -j ACCEPT
^^^^ This will NOT allow LAN_IFACE origin packets to make the translation
to the DMZ. -- thus testing from your LAN will not work when pointed
at the outside IP.
Post by Dan Barron
$IPTABLES -A FORWARD -i $DMZ_IFACE -p udp \
--dport 6970:6999 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i $DMZ_IFACE -p udp \
--dport 7070 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i $DMZ_IFACE -p udp \
--dport 554 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i $DMZ_IFACE -p udp \
--dport 6970:6999 -j ACCEPT
$IPTABLES -A FORWARD -i $DMZ_IFACE -p udp \
--dport 7070 -j ACCEPT
$IPTABLES -A FORWARD -i $DMZ_IFACE -p udp \
--dport 554 -j ACCEPT
^^^^^Why not allow the Darwin box to reply on *any* port ...
At least until you've pinned down the problem? -- I'm
not sure but I believe that there is a control reply on a
random port before the connection is correctly setup,
--- *BUT* that is hearsay... so I might be wrong.
Post by Dan Barron
#~~~ PREROUTING ~~~
$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -p tcp \
--dport 554 -j DNAT --to-destination $DMZ_STREAMING:554
$IPTABLES -t nat -A PREROUTING --dst $INET_IP -p tcp \
--dport 7070 -j DNAT --to-destination $DMZ_STREAMING:7070
$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -p udp \
--dport 554 -j DNAT --to-destination $DMZ_STREAMING:554
$IPTABLES -t nat -A PREROUTING --dst $INET_IP -p udp \
--dport 7070 -j DNAT --to-destination $DMZ_STREAMING:7070
$IPTABLES -t nat -A PREROUTING --dst $INET_IP -p udp \
--dport 6970:6999 -j DNAT \
--to-destination $DMZ_STREAMING:6970-6999
^^^^Again, in respect of LAN connections, this will not mangle any
connections from your LAN, since it includes $INET_IFACE.
Post by Dan Barron
And here's my log rules and what I see when trying to connect via my
private LAN pc and the public domain address pointing to my public IP.
For the time being, log everything from BOTH IP addresses of the
Darwin box and keep in mind that if you want to test the Darwin
box's functionality from the LAN using the PUBLIC address, you will need
to setup a weird set of rules --

on the way to the DARWIN box you need to BOTH DNAT and SNAT the
connection so that the Darwin box will reply BACK to the firewall for
your LAN connection (where the connection will be unDNATted and
unSNATted)

At the moment your Darwin box is NOT going to route the connection
back through the firewall for a LAN based client because he can talk
DIRECTLY to the LAN client through his own LAN nic. Thus your client
won't see things correctly ... nor will the firewall see the return packets
*ever*

As I said ... a box on both DMZ and LAN is not a good thing *tm*


*grin*

Alistair Tonner
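The DNAT-plus-SNAT pair Alistair describes, written out as an added example (not code from this thread or from the Darwin project). It keeps the thread's variable names; DMZ_IP (the firewall's own address on the DMZ) and LAN_NET are assumed, and the default addresses are placeholders. With these rules a LAN client that connects to the public address is redirected to the streaming server and, because its source is rewritten to the firewall's DMZ address, the server's replies come back through the firewall where conntrack reverses both translations.

```shell
#!/bin/sh
# Added example, not from the thread: hairpin (DNAT + SNAT) rules so LAN
# clients can use the public address of a DMZ service. Set IPTABLES=echo to
# print the rules instead of loading them.
IPTABLES="${IPTABLES:-iptables}"
INET_IP="${INET_IP:-203.0.113.10}"            # public address (placeholder)
DMZ_IP="${DMZ_IP:-10.10.1.1}"                 # firewall's DMZ address (assumed name, placeholder)
DMZ_STREAMING="${DMZ_STREAMING:-10.10.1.80}"  # Darwin server in the DMZ
LAN_NET="${LAN_NET:-192.168.11.0/24}"         # private LAN (assumed name)
LAN_IFACE="${LAN_IFACE:-eth0}"
DMZ_IFACE="${DMZ_IFACE:-eth3}"

# Emit the three rules needed for one protocol and port (or low:high range).
hairpin_rules() {
    proto="$1"; ports="$2"
    # --dport takes low:high, --to-destination takes low-high
    dnat_ports=$(printf '%s' "$ports" | tr ':' '-')
    # 1. LAN client -> public IP: rewrite the destination to the DMZ server
    $IPTABLES -t nat -A PREROUTING -i "$LAN_IFACE" -s "$LAN_NET" -d "$INET_IP" \
        -p "$proto" --dport "$ports" -j DNAT --to-destination "$DMZ_STREAMING:$dnat_ports"
    # 2. Same flow leaving for the DMZ: rewrite the source to the firewall's
    #    DMZ address so the server's reply must come back via the firewall
    $IPTABLES -t nat -A POSTROUTING -o "$DMZ_IFACE" -s "$LAN_NET" -d "$DMZ_STREAMING" \
        -p "$proto" --dport "$ports" -j SNAT --to-source "$DMZ_IP"
    # 3. Let the translated request through FORWARD; replies match ESTABLISHED
    $IPTABLES -A FORWARD -i "$LAN_IFACE" -o "$DMZ_IFACE" -d "$DMZ_STREAMING" \
        -p "$proto" --dport "$ports" -m state --state NEW -j ACCEPT
}

# Install the hairpin for the ports named in the thread.
install_hairpin() {
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    hairpin_rules tcp 554
    hairpin_rules tcp 7070
    hairpin_rules udp 6970:6999
}
```

The cost of the SNAT leg is that the server sees every LAN client as the firewall's DMZ address, so its own access logs lose the client identity; the PREROUTING rule is restricted to `-i $LAN_IFACE -s $LAN_NET` so Internet clients are not affected by it.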
Dan Barron
2004-07-23 00:15:56 UTC
Thanks for the help - you have helped me get part way to a solution!

The private LAN ip on the Darwin was certainly causing problems - I took it
out of the mix - it was a short term setup to help understand my problem, but
your advice is well taken - there's a reason the DMZ is separate from the
LAN, so I'll keep them that way.

After doing that, oddly enough, now my LAN pc can get the streamed media
using the url that resolves to the public IP, but not someone else out in
the Internet. I now have captured a snapshot of the conversation needed
between the Darwin server and my PC. BTW, as for the 'hearsay' - I saw no
control reply on a random port - all setup occurs on the RTSP port, in my
case 7070.

I'm still trying to wrap my brain around why my LAN works and nothing else.

Dan
Alistair Tonner
2004-07-23 01:09:32 UTC
Post by Dan Barron
Thanks for the help - you have helped me get part way to a solution!
The private LAN ip on the Darwin was certainly causing problems - I took it
of the mix - it was a short term setup to help understand my problem, but
your advice is well taken - there's a reason the DMZ is separate from the
LAN, so I'll keep them that way.
After doing that, oddly enough, now my LAN pc can get the streamed media
using the url that resolves to the public IP, but not someone else out in
the Internet. I now have captured a snapshot of the conversation needed
between the Darwin server and my PC. BTW, as for the 'hearsay" - I saw no
control reply on a random port - all setup occurs on the RTSP port, in my
case 7070.
I'm still trying to wrap my brain around why my LAN works and nothing else.
Dan
Unh ... . You have INET_IFACE pointed at the LAN interface???

Alistair.
Dan Barron
2004-07-23 06:24:18 UTC
Thanks again for your insights. It looks like it is working now.

For those who are interested - here's the current set of relevant rules
that seem to be working.

# All coming out of DMZ or LAN and all with established connections on any
# interface
$IPTABLES -A FORWARD -i $DMZ_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Forward to RTSP in DMZ STREAMING SERVER
$IPTABLES -A FORWARD -i $INET_IFACE -o $DMZ_IFACE -p tcp -d $DMZ_STREAMING \
--dport 554 -j ACCEPT
$IPTABLES -A FORWARD -i $INET_IFACE -o $DMZ_IFACE -p tcp -d $DMZ_STREAMING \
--dport 7070 -j ACCEPT
$IPTABLES -A FORWARD -i $INET_IFACE -o $DMZ_IFACE -p udp -d $DMZ_STREAMING \
--dport 554 -j ACCEPT
$IPTABLES -A FORWARD -i $INET_IFACE -o $DMZ_IFACE -p udp -d $DMZ_STREAMING \
--dport 7070 -j ACCEPT
$IPTABLES -A FORWARD -i $INET_IFACE -o $DMZ_IFACE -p udp -d $DMZ_STREAMING \
--dport 6970:6999 -j ACCEPT

# DNAT to QTSS Server
$IPTABLES -t nat -A PREROUTING --dst $INET_IP -p tcp --dport 554 -j DNAT \
--to-destination $DMZ_STREAMING:554
$IPTABLES -t nat -A PREROUTING --dst $INET_IP -p tcp --dport 7070 -j DNAT \
--to-destination $DMZ_STREAMING:7070
$IPTABLES -t nat -A PREROUTING --dst $INET_IP -p udp --dport 554 -j DNAT \
--to-destination $DMZ_STREAMING:554
$IPTABLES -t nat -A PREROUTING --dst $INET_IP -p udp --dport 7070 -j DNAT \
--to-destination $DMZ_STREAMING:7070
$IPTABLES -t nat -A PREROUTING --dst $INET_IP -p udp --dport 6970:6999 -j \
DNAT --to-destination $DMZ_STREAMING:6970-6999

# SNAT - Anything heading out the Public interface gets the public IP
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP

A working streamed sample can be seen at http://darwin.dswllc.com/sample.html.

Dan Barron
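The working ruleset above opens FORWARD to everything arriving on the DMZ interface, which also lets the DMZ host open connections into the private LAN; that is the property a DMZ exists to prevent. As an added example (not code from this thread), here is the same FORWARD section with the DMZ allowed to answer and to reach the Internet only, Internet access limited to the published streaming ports, and a logged default drop. Variable names follow the thread's script; the interface defaults are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: FORWARD policy that keeps the DMZ host
# out of the LAN. Set IPTABLES=echo to print the rules instead of loading them.
IPTABLES="${IPTABLES:-iptables}"
INET_IFACE="${INET_IFACE:-eth1}"
DMZ_IFACE="${DMZ_IFACE:-eth3}"
LAN_IFACE="${LAN_IFACE:-eth0}"
DMZ_STREAMING="${DMZ_STREAMING:-10.10.1.80}"

forward_policy() {
    # Replies to anything already accepted, in every direction
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The LAN may open connections anywhere (Internet and DMZ)
    $IPTABLES -A FORWARD -i "$LAN_IFACE" -m state --state NEW -j ACCEPT
    # The DMZ may open connections only towards the Internet, never into the LAN
    $IPTABLES -A FORWARD -i "$DMZ_IFACE" -o "$INET_IFACE" -m state --state NEW -j ACCEPT
    # The Internet reaches only the published streaming ports on the DMZ server
    for spec in "tcp 554" "tcp 7070" "udp 554" "udp 7070" "udp 6970:6999"; do
        set -- $spec
        $IPTABLES -A FORWARD -i "$INET_IFACE" -o "$DMZ_IFACE" -p "$1" \
            -d "$DMZ_STREAMING" --dport "$2" -m state --state NEW -j ACCEPT
    done
    # Anything else: log DMZ->LAN attempts (rate-limited) so a compromised
    # DMZ host shows up in the firewall log, then drop
    $IPTABLES -A FORWARD -i "$DMZ_IFACE" -o "$LAN_IFACE" -m limit --limit 5/min \
        -j LOG --log-prefix "IPT DROP DMZ->LAN: "
    $IPTABLES -A FORWARD -j DROP
}
```

Rule order matters because the first match wins: the ESTABLISHED,RELATED rule goes first so return traffic never reaches the port-specific rules, and the LOG rule sits just before the final DROP so it only sees traffic nothing else accepted. The `-m limit` match keeps a scanning DMZ host from flooding the log.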

Tom Marshall
2004-07-22 13:08:39 UTC
Post by Dan Barron
Hello,
I have been struggling with setting up my iptables firewall to allow for
RTSP & RTP connections to a Darwin Streaming Server. Can anyone point to
me to information on how to setup iptables properly to make this work? I
have a firewall with a public Internet connection and a DMZ and private
LAN. The Darwin server lives on its own server in the DMZ.
Thank you in advance for any insight you can provide for this.
There is a patch to create an RTSP module here:

http://home.tig-grr.com/rtsp/

It is a bit out of date. If the patch does not apply cleanly, let me know
and I can update it.

This has also been packaged into a patch-o-matic entry. I did not do the
packaging and I don't use patch-o-matic, so if you encounter issues please
post them to this list.
--
Hippopotomonstrosesquippedaliophobia is the fear of long words