It seems that current kernels dropped the RTSP helper modules (like the existing ip_nat_ftp and ip_conntrack_ftp for FTP). For clients behind a stateful firewall/NAT, this causes incoming UDP packets not to reach the client when playing media streams. It is suggested by many to make a prerouting rule for it. I expanded this by making use of the iptables recent module, to get this working more like stateful connection tracking. This works for different streaming servers, without the need to define their IP in advance. It seems to work well for my home network, where my cell phone is the client playing video streams from the internet via bluetooth on my Gentoo box (with dnsmasq installed). Comments are welcome...
Code:
(...)
# RTSP control connection: when the client opens TCP/554, remember the server address (--rdest).
iptables -A FORWARD -i br0 -p tcp -s $MOBILE_IP --dport 554 \
-m recent --set --rdest --syn -m state --state NEW -j ACCEPT
# Outbound UDP from the client to the data ports refreshes the server's entry (60 s window).
iptables -A FORWARD -i br0 -p udp -s $MOBILE_IP -m multiport --dports 6971,10581 \
-m recent --update --rdest --seconds 60 -m state --state NEW -j ACCEPT
# Inbound UDP is forwarded only if its source is a server seen within the last 60 s.
iptables -A FORWARD -i eth0 -p udp -d $MOBILE_IP -m multiport --sports 6970:6971,10580:10581 \
-m recent --rcheck --seconds 60 -j ACCEPT
# Same recent-list test in nat/PREROUTING, so the packet is DNATed to the client before FORWARD sees it.
iptables -t nat -A PREROUTING -p udp -m multiport --sports 6970:6971,10580:10581 \
-m recent --rcheck --seconds 60 -j DNAT --to-destination $MOBILE_IP
(...)
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
(...)
Documentation:
Recent Module - http://snowman.net/projects/ipt_recent/
RTSP protocol - http://soundscreen.com/streaming/firewall.html
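An added simulation (my own, not part of the post and not iptables code) of what the recent-module rules above do, in Python: a TCP SYN to port 554 records the server (--set --rdest), outbound UDP to the data ports refreshes it (--update), and inbound UDP from a recorded server is DNATed only while the 60 s window is fresh (--rcheck). The client address, server addresses and timestamps are constructed.

```python
from dataclasses import dataclass

MOBILE_IP = "192.168.1.50"   # constructed client address ($MOBILE_IP in the rules)
WINDOW = 60                  # --seconds 60
DATA_DPORTS = {6971, 10581}  # client -> server UDP ports (--dports in the --update rule)
DATA_SPORTS = set(range(6970, 6972)) | set(range(10580, 10582))  # server -> client (--sports)


@dataclass
class Packet:
    proto: str        # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False
    ts: float = 0.0   # seconds, constructed clock


class RecentList:
    """Last-seen timestamp per address, modelling ipt_recent's default list."""

    def __init__(self):
        self.seen = {}

    def set(self, addr, ts):               # --set: (re)start tracking the address
        self.seen[addr] = ts

    def rcheck(self, addr, ts, window):    # --rcheck: seen within the window?
        last = self.seen.get(addr)
        return last is not None and ts - last <= window

    def update(self, addr, ts, window):    # --update: refresh only if still fresh
        if self.rcheck(addr, ts, window):
            self.seen[addr] = ts
            return True
        return False


def filter_packet(pkt, recent):
    """Return 'ACCEPT', 'DNAT' or 'DROP' as the post's FORWARD/PREROUTING rules would decide."""
    # Client opens the RTSP control connection: remember the server (--rdest stores the destination).
    if pkt.proto == "tcp" and pkt.src == MOBILE_IP and pkt.dport == 554 and pkt.syn:
        recent.set(pkt.dst, pkt.ts)
        return "ACCEPT"
    # Client sends UDP to the data ports: refresh the server entry; a stale entry does not match.
    if pkt.proto == "udp" and pkt.src == MOBILE_IP and pkt.dport in DATA_DPORTS:
        return "ACCEPT" if recent.update(pkt.dst, pkt.ts, WINDOW) else "DROP"
    # Server sends UDP from the data ports: DNAT to the client only if the server is fresh.
    if pkt.proto == "udp" and pkt.sport in DATA_SPORTS and recent.rcheck(pkt.src, pkt.ts, WINDOW):
        return "DNAT"
    return "DROP"   # anything else falls through to the default policy
```

The last two cases in the test show the window closing: 61 s after the last refresh the server's packets are no longer DNATed, and the client's own --update rule then fails too, so only a fresh TCP/554 SYN re-opens the path.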