Go Back > Forums > Linux Forums > Linux - Security
Old 11-20-2006, 10:29 AM   #1
Registered: Jul 2002
Location: Florida
Distribution: Centos, Slackware
Posts: 260
iptables problem: DNAT rule for RTP stream

I want to dynamically create DNAT rules for
RTP streams (port-mapping for a SIP proxy).

If my proxy adds its rule before the first packet
of the RTP stream hits the port, all is well. But,
if the stream begins arriving before my rule is in
place, it never matches. I cannot always be
sure that the info for setting up the rule
arrives sufficiently ahead of the stream.

I suspect there is a simple resolution to my
problem. Does anyone else see this behavior,
and will you share the solution with me?

I am using kernel, and iptables 1.3.3.

My rules are similar to this:
# Rewrite UDP arriving at the public ip:port to the private RTP endpoint
iptables -I PREROUTING -t nat -p UDP \
-d <public_ip> --dport <public_port> \
-j DNAT --to-destination <private_ip>:<private_port>
# Allow the translated packet to be forwarded to the private host
iptables -I FORWARD -p UDP \
-d <private_ip> --dport <private_port> -j ACCEPT
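One way to make such a mapping robust against a stream that starts before the rule exists, as an added example that is not code from the thread: the nat table is consulted only for the first packet of a flow (conntrack state NEW), so a UDP stream that begins early gets a conntrack entry with no NAT mapping and later packets never revisit the nat table; deleting that entry makes the next packet NEW again. The script assumes conntrack-tools (the conntrack command) is installed; the addresses and ports used in the test are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): install a dynamic DNAT mapping for one
# RTP port and clear any conntrack entry an early-arriving stream created.
# Fact: netfilter's nat table is traversed only for the first packet of a flow.
# If the stream starts before the rule exists, conntrack records the flow
# without a NAT mapping, and later packets never hit the nat table again.
# Deleting that entry makes the next packet NEW again so the rule applies.
# Assumes conntrack-tools ("conntrack") is installed. Set DRY_RUN=1 to print
# the commands instead of executing them (executing requires root).

run() {
    if [ -n "$DRY_RUN" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# add_rtp_dnat PUBLIC_IP PUBLIC_PORT PRIVATE_IP PRIVATE_PORT
add_rtp_dnat() {
    pub_ip=$1; pub_port=$2; priv_ip=$3; priv_port=$4

    # Only UDP to this exact public ip:port is rewritten; nothing else is touched.
    run iptables -t nat -I PREROUTING -p udp -d "$pub_ip" --dport "$pub_port" \
        -j DNAT --to-destination "$priv_ip:$priv_port"

    # The translated packet must also be accepted in FORWARD.
    run iptables -I FORWARD -p udp -d "$priv_ip" --dport "$priv_port" -j ACCEPT

    # Drop a stale conntrack entry for a stream that may have arrived early;
    # a non-zero exit here only means there was nothing to delete.
    run conntrack -D -p udp --dst "$pub_ip" --dport "$pub_port" || true
}

# del_rtp_dnat: mirror of add_rtp_dnat, so the mapping ends with the call.
del_rtp_dnat() {
    pub_ip=$1; pub_port=$2; priv_ip=$3; priv_port=$4
    run iptables -t nat -D PREROUTING -p udp -d "$pub_ip" --dport "$pub_port" \
        -j DNAT --to-destination "$priv_ip:$priv_port"
    run iptables -D FORWARD -p udp -d "$priv_ip" --dport "$priv_port" -j ACCEPT
    run conntrack -D -p udp --dst "$pub_ip" --dport "$pub_port" || true
}
```

Calling del_rtp_dnat when the call tears down keeps the public port from staying mapped to a private host after the media has stopped.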

Old 11-21-2006, 10:33 PM   #2
HCL Maintainer
Registered: Jan 2006
Distribution: (H)LFS, Gentoo
Posts: 2,450
I'm not quite sure what you're looking for. Are you proposing some sort of queuing system or a buffer to hold all RTP packets until the rule is added? This would be weird, because before adding the rule, RTP packets would be indistinguishable from other UDP packets. I don't understand why the stream would no longer be matched, since UDP is a connection-less protocol. You might somehow use a netfilter queue and a userspace program that re-emits premature packets. You might also use the ip mark extension to mark packets, which you will later control the priority of using tc (although I'm not quite sure how this would help you out; just delaying the inevitable isn't an elegant solution).

What method are you using to add the netfilter rules? There has been a little (not a lot) of work done in using netfilter with SIP and/or RTP. You might not want to re-invent the wheel. From the patch-o-matic-ng repository, there is a module called sip-conntrack-nat, whose purpose is:
The SIP conntrack/NAT modules support the connection tracking/NATing of
the data streams requested on the dynamic RTP/RTCP ports, as well as mangling
of SIP requests/responses.
You might want to take a look at this (or maybe, email the author to see if he's run across your problem). You will probably need to patch your kernel and upgrade to the latest iptables.
Old 11-21-2006, 10:34 PM   #3
HCL Maintainer
Registered: Jan 2006
Distribution: (H)LFS, Gentoo
Posts: 2,450
P.S., you might want to look at rtsp-conntrack (from the same repository, but different author).