On 8/27/19 12:52 AM, Nicolas Boullis wrote:
> Hi,
>
> I’ve been using Shorewall for ages, but only at a very basic level.
>
> Now, I need to use RTSP across my Shorewall-based NATting firewall. Note
> that RTSP is only a control protocol. When requested by the client, the
> server sends the real-time (audio-video) data back to the client as a
> UDP stream. Hence, a helper is needed to accept this UDP stream as
> related to the RTSP connection.
>
> As far as I know, such a helper is not (yet) available in the pristine
> Linux kernel. But someone developed one, available at
> https://github.com/maru-sama/rtsp-linux
>
> I could compile the module for my current kernel, and “patch” my
> firewall, with iptables commands, after running shorewall. For the
> reference, here are the iptables commands I used, mimicking what
> Shorewall did:
>
>     iptables -t raw -A OUTPUT -d 212.27.38.253 -p tcp -m tcp --dport 554 -j CT --helper rtsp
>     iptables -t raw -A PREROUTING -d 212.27.38.253 -p tcp -m tcp --dport 554 -j CT --helper rtsp
>
> It works fine, but, now, I’d like to integrate this in my Shorewall
> configuration, rather than “patch” it.
>
> I tried adding the following line in my /etc/shorewall/rules file:
>
>     HELPER all :212.27.38.253 tcp 554 - - - - - - - - - rtsp
>
> Unfortunately, Shorewall then complains:
>
>     ERROR: Unrecognized helper (rtsp) /etc/shorewall/rules (line 21)
>
> As I understand it, Shorewall has a list of known helpers, defined in
> Config.pm, and won’t use any helper that’s not in this list…
>
> Is there a way to declare extra helpers for use in Shorewall, besides
> patching Config.pm? Or is patching Config.pm the right way to do it?
>
> Any help is welcome.
>
> Note that I’m currently using an old Debian Jessie system with Linux
> 4.9.168 and Shorewall 4.6.4.3. I might upgrade Shorewall, at least to
> 5.0.15, if needed.
The following conntrack file rule should work in Shorewall 5.0.15:

    IPTABLES(CT --helper rtsp) - 212.27.38.253 tcp 554

-Tom
--
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \    understand
\_______________________________________________
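Whichever way the rule is installed (the hand-typed iptables commands or the Shorewall conntrack entry above), the resulting raw-table ruleset should bind the helper explicitly and only to the intended server and port, in both the OUTPUT chain (the firewall's own sessions) and the PREROUTING chain (forwarded clients). The following check is an added example, not from the thread or from Shorewall: it scans an iptables-save style dump for exactly those two CT rules; the dump embedded below is constructed.

```shell
#!/bin/sh
# Added example: verify that the rtsp conntrack helper is attached by
# explicit CT rules in the raw table for one server/port, in both chains.
# SAMPLE_DUMP is a constructed iptables-save excerpt, not real output.

SAMPLE_DUMP='*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d 212.27.38.253/32 -p tcp -m tcp --dport 554 -j CT --helper rtsp
-A OUTPUT -d 212.27.38.253/32 -p tcp -m tcp --dport 554 -j CT --helper rtsp
COMMIT'

# ct_rule_present DUMP CHAIN HOST PORT HELPER
# Exit 0 if CHAIN holds a rule matching HOST (with or without /32) and PORT
# whose target is "CT --helper HELPER". Matching is field-wise, so extra
# matches that Shorewall may add (e.g. -m comment) do not break it.
ct_rule_present() {
    dump=$1 chain=$2 host=$3 port=$4 helper=$5
    printf '%s\n' "$dump" \
        | grep -E -- "^-A $chain " \
        | grep -E -- "-d $host(/32)? " \
        | grep -E -- "--dport $port( |$)" \
        | grep -E -q -- "-j CT --helper $helper( |$)"
}

# helper_attached DUMP HOST PORT HELPER
# Exit 0 only when both directions are covered: OUTPUT for connections
# originated by the firewall itself, PREROUTING for forwarded clients.
helper_attached() {
    ct_rule_present "$1" OUTPUT "$2" "$3" "$4" &&
    ct_rule_present "$1" PREROUTING "$2" "$3" "$4"
}

# Live use on the firewall (requires root):
#   helper_attached "$(iptables-save -t raw)" 212.27.38.253 554 rtsp && echo ok
```

Pair this with `lsmod | grep nf_conntrack_rtsp` on the live host; a CT rule naming a helper whose module is not loaded silently attaches nothing.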
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users