I have a standard 3 interface shorewall setup and I want to receive multicast stuff from 'net' -> 'loc'. This requires me, first, to do an IGMP join which involves 192.168.1.x -> 224.0.0.x being NATed out as the 'net' interface's IP address. Obviously replies have to be NATed back to 'loc' addresses.

Can shorewall / iptables cope with this?

Dirk
On Wed, 2005-01-12 at 15:20 +0000, Dirk Koopman wrote:
> I have a standard 3 interface shorewall setup and I want to receive
> multicast stuff from 'net' -> 'loc'. This requires me, first, to do an
> IGMP join which involves 192.168.1.x -> 224.0.0.x being NATed out as the
> 'net' interface's IP address. Obviously replies have to be NATed back to
> 'loc' addresses.
>
> Can shorewall / iptables cope with this?

Looking through /usr/share/shorewall/firewall it appears that 224.0.0.0/4 is treated in the same way as 255.255.255.255 and thus, to my untrained eye, multicast and shorewall do not go together.

But I would love to be proved wrong...

Dirk
Dirk Koopman wrote:
> On Wed, 2005-01-12 at 15:20 +0000, Dirk Koopman wrote:
>
>> I have a standard 3 interface shorewall setup and I want to receive
>> multicast stuff from 'net' -> 'loc'. This requires me, first, to do an
>> IGMP join which involves 192.168.1.x -> 224.0.0.x being NATed out as the
>> 'net' interface's IP address. Obviously replies have to be NATed back to
>> 'loc' addresses.
>>
>> Can shorewall / iptables cope with this?
>
> Looking through /usr/share/shorewall/firewall it appears that
> 224.0.0.0/4 is treated in the same way as 255.255.255.255 and thus, to
> my untrained eye, multicast and shorewall do not go together.
>
> But I would love to be proved wrong...

You are wrong but I don't have the time today to educate you about how multicast works.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
>> Looking through /usr/share/shorewall/firewall it appears that
>> 224.0.0.0/4 is treated in the same way as 255.255.255.255 and thus, to
>> my untrained eye, multicast and shorewall do not go together.
>>
>> But I would love to be proved wrong...
>
> You are wrong but I don't have the time today to educate you about how
> multicast works.

May I suggest that you search Google for "multicast route Linux" -- I'm sure that there is enough there to keep you busy.

-Tom
On Wed, 2005-01-12 at 08:58 -0800, Tom Eastep wrote:
> Tom Eastep wrote:
>
>>> Looking through /usr/share/shorewall/firewall it appears that
>>> 224.0.0.0/4 is treated in the same way as 255.255.255.255 and thus, to
>>> my untrained eye, multicast and shorewall do not go together.
>>>
>>> But I would love to be proved wrong...
>>
>> You are wrong but I don't have the time today to educate you about how
>> multicast works.
>
> May I suggest that you search Google for "multicast route Linux" -- I'm
> sure that there is enough there to keep you busy.

Thank you, but those references are out of date or things that I have already done. I am specifically asking about shorewall and getting the rules correct so that I can forward multicast packets with NAT.

So I start helix up on another box on 'loc' and get:

  17:23:16.974662 IP 192.168.1.10 > 224.0.0.22: igmp v3 report, 1 group record(s)
  17:23:20.007233 IP 192.168.1.10 > 224.0.0.22: igmp v3 report, 1 group record(s)

I see this on 'net' being sent to me for the same time (62.3.82.18 being the other end of my 'net' P-t-P ppp interface):

  17:14:30.294713 IP 62.3.82.18 > 224.0.0.1: igmp query v2
  17:19:29.358943 IP 62.3.82.18 > 224.0.0.1: igmp query v2
  17:24:27.362536 IP 62.3.82.18 > 224.0.0.1: igmp query v2

Currently it seems to be silently dropping 224.0.0.0/4 packets on all interfaces. I am running a 2.6.9 kernel with all the multicast options switched on. All interfaces ppp0 (net) / eth0 (loc) / eth1 (dmz) have MULTICAST flags set. In shorewall.conf: IP_FORWARDING=On. There are no messages in syslog.

In rules I have:

  ACCEPT  net  fw   2
  ACCEPT  fw   net  2
  ACCEPT  loc  fw   2
  ACCEPT  fw   loc  2
  #ACCEPT loc  net  2

I have tried all the obvious (to me) combinations.

The ISP is set up to route multicast packets to/from me and return replies, all I have to do is make the shorewall box forward those packets with NAT applied. No 'routing' as such is required.

Now if there is some obvious fact that I am missing, please give me a clue, because Google, so far, has been no help.

Dirk
Dirk Koopman wrote:
>
> The ISP is setup to route multicast packets to/from me and return
> replies, all I have to do is make the shorewall box forward those
> packets with NAT applied. No 'routing' as such is required.

Well, I haven't tried it but everything that I've read says that you have to:

a) Add routes to 224.0.0.0/4 on each interface that is to be sent multicast packets.
b) Run a multicast routing daemon such as Zebra, mrouted, or pimd in order to route the multicasts.
c) Enable forwarding of multicast in your firewall rules (you have at least done that for IGMP).

So I suggest that you try this:

a) shorewall clear
b) iptables -t nat -o ppp0 -j MASQUERADE
c) Get your multicast routing working
d) shorewall start
e) If multicast routing stops working when you "shorewall start" then let us know and we'll try to help.

-Tom

PS -- the rules that you see involving 224.0.0.0/4 in your current Netfilter ruleset are only applied JUST BEFORE A DROP OR REJECT POLICY IS APPLIED. In other words, the only thing that those rules do is stop policy logging of broadcast and multicast. You can remove those rules by:

a) cp /usr/share/shorewall/action.Drop /etc/shorewall
b) cp /usr/share/shorewall/action.Reject /etc/shorewall
c) edit /etc/shorewall/action.Drop and action.Reject and remove the 'dropBcast' action invocation.
d) Remove any 'nosmurfs' options from your interfaces.

You will now have a ruleset that is totally free of references to 224.0.0.0/4. You might want to further modify the two actions to drop traffic to any of your broadcast addresses including 255.255.255.255 -- otherwise, your log will be pretty noisy with broadcast traffic, especially if you have Windoze systems.
Tom Eastep wrote:
> Dirk Koopman wrote:
>
>> The ISP is setup to route multicast packets to/from me and return
>> replies, all I have to do is make the shorewall box forward those
>> packets with NAT applied. No 'routing' as such is required.
>
> Well, I haven't tried it but everything that I've read says that you
> have to:
>
> a) Add routes to 224.0.0.0/4 on each interface that is to be sent
> multicast packets.
> b) Run a multicast routing daemon such as Zebra, mrouted, or pimd in
> order to route the multicasts.
> c) Enable forwarding of multicast in your firewall rules (you have at
> least done that for IGMP).
>
> So I suggest that you try this:
>
> a) shorewall clear
> b) iptables -t nat -o ppp0 -j MASQUERADE

Oops -- make that:

  iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

-Tom
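Added example, not part of the thread and not Shorewall's own code: a small Python check that reads the two tcpdump captures Dirk posted (one taken on 'loc', one on 'net') and reports whether the IGMP join from 192.168.1.10 is leaving the 'net' interface at all, and if so whether it carries the 'net' address, which is what Tom's POSTROUTING MASQUERADE rule is meant to achieve. The local ppp0 address is not given in the thread, so NET_IP is a placeholder, and the two "after the fix" captures are constructed to show the working and the not-masqueraded outcomes.

```python
import re

# tcpdump's IGMP summary line: "<time> IP <src> > <dst>: igmp <details>"
IGMP_LINE = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): igmp (?P<info>.+)$")
# Placeholder for the local address of the ppp0 (net) link; the thread never gives it.
NET_IP = "198.51.100.1"
# Constructed captures modelled on the lines posted in the thread, one per interface.
LOC_CAPTURE = """\
17:23:16.974662 IP 192.168.1.10 > 224.0.0.22: igmp v3 report, 1 group record(s)
17:23:20.007233 IP 192.168.1.10 > 224.0.0.22: igmp v3 report, 1 group record(s)
"""
NET_CAPTURE = """\
17:14:30.294713 IP 62.3.82.18 > 224.0.0.1: igmp query v2
17:19:29.358943 IP 62.3.82.18 > 224.0.0.1: igmp query v2
"""
# Constructed "after the fix" variants: the report leaves with the ppp0 address (MASQUERADE
# working) or with its 192.168.1.x source intact (forwarded, but not NATed).
NET_CAPTURE_NATTED = NET_CAPTURE + f"17:23:17.010000 IP {NET_IP} > 224.0.0.22: igmp v3 report, 1 group record(s)\n"
NET_CAPTURE_LEAKED = NET_CAPTURE + "17:23:17.010000 IP 192.168.1.10 > 224.0.0.22: igmp v3 report, 1 group record(s)\n"

def parse_igmp(capture):
    """Turn tcpdump IGMP lines into dicts; lines that are not IGMP are skipped."""
    packets = []
    for line in capture.splitlines():
        m = IGMP_LINE.match(line.strip())
        if not m:
            continue
        info = m.group("info")
        kind = "report" if "report" in info else "query" if "query" in info else "other"
        packets.append({"ts": m.group("ts"), "src": m.group("src"), "dst": m.group("dst"), "kind": kind})
    return packets

def diagnose(loc_capture, net_capture, net_ip):
    """Report whether the IGMP join seen on loc shows up on net, and with which source address."""
    loc_reports = [p for p in parse_igmp(loc_capture) if p["kind"] == "report"]
    net = parse_igmp(net_capture)
    net_reports = [p for p in net if p["kind"] == "report"]
    not_natted = [p for p in net_reports if p["src"] != net_ip]
    if not loc_reports:
        verdict = "no IGMP reports on loc: nothing to forward"
    elif not net_reports:
        verdict = "reports on loc but none on net: forwarding or NAT is not happening"
    elif not_natted:
        verdict = "reports leave net with a source other than the net address: MASQUERADE not applied"
    else:
        verdict = "reports leave net as the net interface address: NAT is working"
    return {"loc_reports": len(loc_reports), "net_queries": sum(p["kind"] == "query" for p in net),
            "natted_reports": len(net_reports) - len(not_natted), "unnatted_reports": len(not_natted),
            "verdict": verdict}
```

Run `tcpdump -ni eth0 igmp` and `tcpdump -ni ppp0 igmp` at the same time, feed the two outputs to diagnose() with the real ppp0 address, and the verdict tells you which of the thread's three states the box is in.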