Hello,
I am trying to watch IPTV behind my firewall.
a) works without firewall
sudo systemctl stop nftables.service
b) works with the suggested firewall, but with the last command commented out
https://wiki.archlinux.org/index.php/Nf … orkstation
/etc/nftables.conf
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0;
        # accept any localhost traffic
        iif lo accept
        # accept traffic originated from us
        ct state established,related accept
        # accept ICMP & IGMP
        ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept
        ip protocol icmp icmp type { destination-unreachable, router-solicitation, router-advertisement, time-exceeded, parameter-problem } accept
        ip protocol igmp accept
        # activate the following line to accept common local services
        #tcp dport { 22, 80, 443 } ct state new accept
        # count and drop any other traffic
        --> comment out next line
        # counter drop
    }
}
c) does not work with the suggested firewall
https://wiki.archlinux.org/index.php/Nf … orkstation
/etc/nftables.conf
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0;
        # accept any localhost traffic
        iif lo accept
        # accept traffic originated from us
        ct state established,related accept
        # accept ICMP & IGMP
        ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept
        ip protocol icmp icmp type { destination-unreachable, router-solicitation, router-advertisement, time-exceeded, parameter-problem } accept
        ip protocol igmp accept
        # activate the following line to accept common local services
        #tcp dport { 22, 80, 443 } ct state new accept
        # count and drop any other traffic
        counter drop
    }
}
Thanks for a hint.
Greetings,
RJGarch
Last edited by RJGarch (2019-08-22 11:08:27)
Welcome to the Arch Linux forums, RJGarch. Please use code tags for commands and their outputs, code listings, etc.
Are you asking for help understanding the final rule, which drops all remaining incoming traffic and keeps a count of the number of times that rule is matched,
or for help finding the traffic the rule is dropping which the IPTV would seem to require?
Edit:
For the latter, lsof or ss may help you identify the ports a process is using.
Last edited by loqs (2019-08-21 23:10:51)
Hello,
I am trying to watch IPTV behind the firewall. I could not find any HOWTO on the internet about which rules should be applied to let it work.
IGMP is surely part of the solution.
Thanks in advance for any help.
Greetings,
RJGarch
Last edited by RJGarch (2019-08-25 19:30:14)
Don't hijack threads, especially with an empty post: https://wiki.archlinux.org/index.php/Co … _hijacking
I am trying to watch IPTV behind the firewall. I could not find any HOWTO on the internet about which rules should be applied to let it work.
This repeats your first post without adding anything.
IGMP is surely part of the solution.
Both configurations you posted allow IGMP.
What application is used for this IPTV service? Did you try my suggestions to identify ports that application is using?
Have you tried allowing icmpv6, icmp, tcp or udp to identify if it is one of those protocols?
ip protocol PROTOCOL accept
Thank you loqs,
I have tried to find out more with lsof -i udp.
I got the protocol (udp), the IP address and the port (commplex-main = 5000).
These two lines I have added to my config file:
ip daddr XXX.XX.X.XX accept
udp dport 5000 ct state new accept
I am not sure, if this is the best solution.
/etc/nftables.conf
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0;
        # accept any localhost traffic
        iif lo accept
        # accept traffic originated from us
        ct state established,related accept
        # accept ICMP & IGMP
        ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packe>
        ip protocol icmp icmp type { destination-unreachable, router-so>
        ip protocol igmp accept
        # activate the following line to accept common local services
        #tcp dport { 22, 80, 443 } ct state new accept
        # IPTV
        ip daddr XXX.XX.X.XX accept
        udp dport 5000 ct state new accept
        # count and drop any other traffic
        counter drop
    }
}
Not sure, but those lines look like
A any traffic from XXX.XX.X.XX will be accepted and
B traffic on udp port 5000 will always be accepted, regardless of who sends it.
I doubt that's your intention.
Simple stateful firewall creates a chain specifically for udp connections and sets things up in that new chain.
These snippets from my own config should clarify that method.
# Input chain snippet
ip protocol udp ct state new jump UDP
ip protocol udp reject

chain UDP {
    udp dport some-port accept
}
Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.
(A works at time B) && (time C > time B ) ≠ (A works at time C)
Hello Lone_Wolf,
thanks for the hint!
I have implemented it right now.
#!/usr/bin/nft -f
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0;
        # accept any localhost traffic
        iif lo accept
        # accept traffic originated from us
        ct state established,related accept
        # accept ICMP & IGMP
        ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packe>
        ip protocol icmp icmp type { destination-unreachable, router-so>
        ip protocol igmp accept
        # IPTV
        ip protocol udp ct state new jump UDP
        ip protocol udp reject
        # count and drop any other traffic
        counter drop
    }
    chain UDP {
        udp dport 5000 accept
    }
}
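The ruleset above still accepts udp port 5000 from any sender (point B in Lone_Wolf's reply). The following is an added example, not a config from the thread or the Arch wiki, that keeps the dedicated UDP chain but scopes the accept to the IPTV destination address RJGarch found with lsof; XXX.XX.X.XX is the placeholder from the thread and must be replaced with the real address, and an explicit drop policy is assumed as a safety net.

```nft
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
    chain input {
        # policy drop: anything that falls off the end of the chain is dropped
        # even if the final "counter drop" rule were accidentally removed
        type filter hook input priority 0; policy drop;
        # accept any localhost traffic
        iif lo accept
        # accept traffic originated from us
        ct state established,related accept
        # drop packets conntrack cannot classify (malformed or out-of-window)
        ct state invalid drop
        # accept ICMP & IGMP (IGMP is needed to join the IPTV multicast group)
        ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept
        ip protocol icmp icmp type { destination-unreachable, router-solicitation, router-advertisement, time-exceeded, parameter-problem } accept
        ip protocol igmp accept
        # hand new UDP flows to a dedicated chain; everything UDP that
        # the chain does not accept is rejected right after
        ip protocol udp ct state new jump UDP
        ip protocol udp reject
        # count and drop any other traffic
        counter drop
    }
    chain UDP {
        # IPTV: accept port 5000 only when the packet is addressed to the
        # stream destination seen in lsof, not from arbitrary senders.
        # XXX.XX.X.XX is a placeholder from the thread; replace it.
        ip daddr XXX.XX.X.XX udp dport 5000 counter accept
    }
}
```

Check the file with nft -c -f /etc/nftables.conf before loading it, and after a viewing session nft list chain inet filter UDP shows whether the counter on the IPTV rule is actually increasing.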