With the service running, the IPTABLES rules currently look like this:
sudo iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
Ifw all -- anywhere anywhere
dynamic all -- anywhere anywhere ctstate INVALID,NEW
net2fw all -- anywhere anywhere
net2fw all -- anywhere anywhere
loc2fw all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
Reject all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix "Shorewall:INPUT:REJECT:"
reject all -- anywhere anywhere [goto]
Chain FORWARD (policy DROP)
target prot opt source destination
dynamic all -- anywhere anywhere ctstate INVALID,NEW
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
net2loc all -- anywhere anywhere
net2loc all -- anywhere anywhere
loc2net all -- anywhere anywhere
loc2net all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
Reject all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix "Shorewall:FORWARD:REJECT:"
reject all -- anywhere anywhere [goto]
Chain OUTPUT (policy DROP)
target prot opt source destination
fw2net all -- anywhere anywhere
fw2net all -- anywhere anywhere
fw2loc all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
Reject all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix "Shorewall:OUTPUT:REJECT:"
reject all -- anywhere anywhere [goto]
Chain Drop (2 references)
target prot opt source destination
all -- anywhere anywhere
reject tcp -- anywhere anywhere tcp dpt:auth /* Auth */
dropBcast all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp fragmentation-needed /* Needed ICMP types */
ACCEPT icmp -- anywhere anywhere icmp time-exceeded /* Needed ICMP types */
dropInvalid all -- anywhere anywhere
DROP udp -- anywhere anywhere multiport dports loc-srv,microsoft-ds /* SMB */
DROP udp -- anywhere anywhere udp dpts:netbios-ns:netbios-ssn /* SMB */
DROP udp -- anywhere anywhere udp spt:netbios-ns dpts:1024:65535 /* SMB */
DROP tcp -- anywhere anywhere multiport dports loc-srv,netbios-ssn,microsoft-ds /* SMB */
DROP udp -- anywhere anywhere udp dpt:1900 /* UPnP */
dropNotSyn tcp -- anywhere anywhere
DROP udp -- anywhere anywhere udp spt:domain /* Late DNS Replies */
Chain Ifw (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere match-set ifw_wl src
DROP all -- anywhere anywhere match-set ifw_bl src
Chain Reject (3 references)
target prot opt source destination
all -- anywhere anywhere
reject tcp -- anywhere anywhere tcp dpt:auth /* Auth */
dropBcast all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp fragmentation-needed /* Needed ICMP types */
ACCEPT icmp -- anywhere anywhere icmp time-exceeded /* Needed ICMP types */
dropInvalid all -- anywhere anywhere
reject udp -- anywhere anywhere multiport dports loc-srv,microsoft-ds /* SMB */
reject udp -- anywhere anywhere udp dpts:netbios-ns:netbios-ssn /* SMB */
reject udp -- anywhere anywhere udp spt:netbios-ns dpts:1024:65535 /* SMB */
reject tcp -- anywhere anywhere multiport dports loc-srv,netbios-ssn,microsoft-ds /* SMB */
DROP udp -- anywhere anywhere udp dpt:1900 /* UPnP */
dropNotSyn tcp -- anywhere anywhere
DROP udp -- anywhere anywhere udp spt:domain /* Late DNS Replies */
Chain dropBcast (2 references)
target prot opt source destination
DROP all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
DROP all -- anywhere base-address.mcast.net/4
Chain dropInvalid (2 references)
target prot opt source destination
DROP all -- anywhere anywhere ctstate INVALID
Chain dropNotSyn (2 references)
target prot opt source destination
DROP tcp -- anywhere anywhere tcpflags:! FIN,SYN,RST,ACK/SYN
Chain dynamic (2 references)
target prot opt source destination
Chain fw2loc (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
Chain fw2net (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
Chain loc2fw (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
Chain loc2net (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
Chain logdrop (0 references)
target prot opt source destination
DROP all -- anywhere anywhere
Chain logreject (0 references)
target prot opt source destination
reject all -- anywhere anywhere
Chain net2fw (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere multiport dports sunrpc,nfs,4002,4001,4003,4004,ipp,mysql,8881,30002,1224
ACCEPT tcp -- anywhere anywhere multiport dports www,https,ssh,sunrpc,nfs,4002,4001,4003,4004,ipp,mysql,6881:6999,6881,30001
ACCEPT tcp -- anywhere anywhere multiport dports 1224
ACCEPT icmp -- anywhere anywhere icmp echo-request
Drop all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix "Shorewall:net2fw:DROP:"
DROP all -- anywhere anywhere
Chain net2loc (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
Drop all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix "Shorewall:net2loc:DROP:"
DROP all -- anywhere anywhere
Chain reject (10 references)
target prot opt source destination
DROP all -- anywhere anywhere ADDRTYPE match src-type BROADCAST
DROP all -- base-address.mcast.net/4 anywhere
DROP igmp -- anywhere anywhere
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
REJECT icmp -- anywhere anywhere reject-with icmp-host-unreachable
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain shorewall (0 references)
target prot opt source destination

The router does, of course, block excess traffic. But I would like to control the traffic even better.
What else needs to be allowed?
The ports in the provider's manuals are 30001/TCP and 30002/UDP. 1224 is the port on the servers that broadcast the channels.
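As an added example (not from the original post), a small Python script that parses the net2fw chain from the dump above, checks whether the provider's ports are actually accepted before the chain's final DROP, and lists every other port that is open to the net zone and therefore worth reviewing. The service-name table is an assumption (a subset of /etc/services), needed only because the dump was taken without `iptables -L -n` and shows names instead of numbers.

```python
import re

# Constructed excerpt: the net2fw chain exactly as shown in the post
# (output of `iptables -L` without -n, so well-known ports appear as names).
NET2FW_DUMP = """\
Chain net2fw (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere multiport dports sunrpc,nfs,4002,4001,4003,4004,ipp,mysql,8881,30002,1224
ACCEPT tcp -- anywhere anywhere multiport dports www,https,ssh,sunrpc,nfs,4002,4001,4003,4004,ipp,mysql,6881:6999,6881,30001
ACCEPT tcp -- anywhere anywhere multiport dports 1224
ACCEPT icmp -- anywhere anywhere icmp echo-request
Drop all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix "Shorewall:net2fw:DROP:"
DROP all -- anywhere anywhere
"""

# Assumed name -> port table (hypothetical subset of /etc/services).
SERVICES = {"www": 80, "https": 443, "ssh": 22, "sunrpc": 111,
            "nfs": 2049, "ipp": 631, "mysql": 3306}

# Ports named in the post: provider manual says 30001/TCP and 30002/UDP;
# the protocol for 1224 is not stated, so both are checked.
REQUIRED = [(30001, "tcp"), (30002, "udp"), (1224, "tcp"), (1224, "udp")]


def parse_port(token):
    """Return (lo, hi) for a port number, a service name or a lo:hi range."""
    lo, _, hi = token.partition(":")
    lo = SERVICES.get(lo, lo)
    hi = SERVICES.get(hi, hi) if hi else lo
    return int(lo), int(hi)


def accepted_ports(dump):
    """Map protocol -> list of (lo, hi) ranges ACCEPTed via multiport dports."""
    ranges = {}
    for line in dump.splitlines():
        m = re.match(r"ACCEPT\s+(tcp|udp)\s.*multiport dports\s+(\S+)", line)
        if m:
            ports = [parse_port(t) for t in m.group(2).split(",")]
            ranges.setdefault(m.group(1), []).extend(ports)
    return ranges


def is_open(dump, port, proto):
    """True if port/proto is ACCEPTed in the chain before the trailing DROP."""
    return any(lo <= port <= hi for lo, hi in accepted_ports(dump).get(proto, []))


def audit(dump, required):
    """Return (required pairs that are NOT open, open ranges that are NOT required)."""
    missing = [(p, pr) for p, pr in required if not is_open(dump, p, pr)]
    extra = [(pr, lo, hi) for pr, rs in accepted_ports(dump).items()
             for lo, hi in rs if not (lo == hi and (lo, pr) in required)]
    return missing, extra
```

Running `audit(NET2FW_DUMP, REQUIRED)` shows the provider ports are already open, and that services such as sunrpc, nfs and mysql are reachable from the net zone, which is the exposure to reconsider before opening anything more.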