topic Re: iptables nat stream video in Operating System - Linux

iptables nat stream video

Marco_113 — Mon, 17 Jan 2005 05:56:27 GMT

Hi all,

i've aproblem with iptables NAT.

I have an internal server with some file video mp4. I want to see from internet those stream video.

the rules i've applied
iptables -A PREROUTING -t nat -p tcp -d ${OUTSIDE_IP} --dport 554
-j DNAT --to ${SERVER_IP1}:554
iptables -A FORWARD -p tcp -d ${SERVER_IP1} --dport 554 -o
${INSIDE_DEVICE} -j ACCEPT
iptables -A PREROUTING -t nat -p tcp -d ${OUTSIDE_IP} --dport 7070
-j DNAT --to ${SERVER_IP1}:7070
iptables -A FORWARD -p tcp -d ${SERVER_IP1} --dport 7070 -o
${INSIDE_DEVICE} -j ACCEPT
iptables -A PREROUTING -t nat -p tcp -d ${OUTSIDE_IP} --dport 6970:6999
-j DNAT --to ${SERVER_IP1}:6970-6999
iptables -A FORWARD -p tcp -d ${SERVER_IP1} --dport 6970:6999 -o
${INSIDE_DEVICE} -j ACCEPT

And the same for udp protocol, but it does not work.
I don't see any drop in the log and my quick time client says error 10060.

My network has 4 lans, so if i try to get stream video from another lan (not the same of the server one) i can see the video.

From internet it does not work.
Any suggestion?
Thanks

Re: iptables nat stream video

Steven E. Protter — Mon, 17 Jan 2005 08:40:14 GMT

I doubt its a problem with iptables nat, its probably a configuration probelm. You may have certain ip addresses or ports blocked elsewhere in your iptabels file.

I know you are trying to protect your internal ip configuration, but it would be easier to help if you attached your /etc/sysconfig/iptables configuration file.

One thing that jumps out at me is this:

iptables -A PREROUTING -t nat -p tcp -d ${OUTSIDE_IP} --dport 6970:6999
-j DNAT --to ${SERVER_IP1}:6970-6999

this 6970-6999 methodology. I'm not saying its wrong, I'm just saying I experimented with this for a while and never got it working to my satisfaction.

If you don't have a set configuration file than iptables -L output after the configuration is applied would be helpful.

After each line of code, you might want this little diagnostic:

iptables -A PREROUTING -t nat -p tcp -d ${OUTSIDE_IP} --dport 6970:6999
-j DNAT --to ${SERVER_IP1}:6970-6999
rc=$?

echo "return code: $rc"

If you get a non-zero return code you know you have a problematic line of code.

SEP

Re: iptables nat stream video

Marco_113 — Mon, 17 Jan 2005 10:31:03 GMT

Hi sep,

On the firewall, just under the nat rules i put a line that logs everything coming from internet.

ther's something strange:

the url I request is http://xxxxxxxx/xxx.mp4

If i send this request with my browser, it doesn't work, and i don't see any log line in firewall /var/log/messages

if I open my quicktime client and I send the same request with it, but with rtsp protocol (rtsp://xxxxxxxx/xxx.mp4)
it works, and i see the log lines on the firewall!!

Suggestions?
Thanks

Re: iptables nat stream video

Sergejs Svitnevs — Mon, 17 Jan 2005 11:15:02 GMT

hello,

You have to install NetFilter Patch-o-Matic "Extras" for iptables; this adds CONFIG_IP_NF_RTSP module for RTSP protocol.

check out the following link:
http://www.netfilter.org/patch-o-matic/pom-extra.html#pom-extra-rtsp-conntrack

Regards,
Sergejs