Routing Multicast between two networks

Message

Scratalacha · Post by **Scratalacha** » Tue Mar 15, 2005 1:12 am

I have recently gotten tired of the large amounts of broadcasting and ARP crap flying across our school network so I took the initiative and set up a router/firewall for my local boxes. So far everything is going great except for I am having trouble with accessing peoples iTunes shares. According to ethereal, the mDNS requests are not being routed through my server, as would be expected. I have been looking around for ways to controllably allow multicast through my firewall in order to identify iTunes shares and I feel that mrouted would be the answer. However, I cannot seem to grasp the idea behind it very well no matter how many tutorials I look at, as most of them are trying to encapsulate and tunnel multicasts across a unicast network, as is not the case here. Any help or suggestions would be greatly appreciated. Consider me a person with just enough knowledge to be dangerous

R-Type · Post by **R-Type** » Tue Mar 15, 2005 2:36 am

IIRC, itunes multicast 'discovery' packets have TTL set to 1, so your router would not foward them even if it was set up correctly. Caveat: I have no direct experience with itunes, so I am not sure. You 'might' be able to pull off some iptables trickery to get them forwarded to your subnet anyway.

Scratalacha · Post by **Scratalacha** » Tue Mar 15, 2005 2:42 am

Is the TTL of 1 for the mDNS or the UDP data itself? Either way, there is a TTL mangle patch for iptables that would nicely do the trick it would seem.

R-Type · Post by **R-Type** » Sat Mar 19, 2005 8:54 pm

mDNS only I believe, but check your sniffer..or you could try explicitly connecting to a known itunes host and see if that works. The iptables 'ttl' match and target features should do the trick.

something like:
iptables -t mangle -A FORWARD -i $EXT_ETH -o $INT_ETH -m ttl --ttl-eq 1 -j TTL --ttl-inc 1

..but don't quote me on it as I'm not at a machine where I can test it. You will also want to change this syntax to suit your needs. Also, you will most likely need the 'TTL' target kernel patch from netfilter's patch-o-matic-ng. you can get that from www.netfilter.org. Get the latest 'snapshot' patch-o-matic-ng. you will also need to grab iptables and untar it so that the patch-o-matic runme script can find it (it will prompt you). It's really quite easy as long as the patch applies cleanly (it did for me last week against 2.6.11 vanilla).

Good luck dude..

Scratalacha · Post by **Scratalacha** » Sat Apr 23, 2005 12:08 am

Yes, I had been looking at that route and the problem it seems is that iptables doesnt filter Multicast at all. Even specifying ip ranges in that area in iptables results in an "invalid ip".