Is anyone able to confirm that kmod-ipt-nathelper-rtsp is still working in the latest releases?
It used to work on my WNDR3800 in BB, with a 3.10 kernel. I've just upgraded to 18.06.1; the module seems to be loaded, but there is no UDP/RTP redirection from WAN to LAN.
root@OpenWrt:~# lsmod | grep rtsp
nf_conntrack 52256 15 nf_conntrack_ipv6,xt_state,xt_helper,xt_conntrack,xt_connmark,xt_connlimit,xt_connbytes,xt_CT,nf_nat_rtsp,nf_nat_masquerade_ipv4,nf_conntrack_ipv4,nf_nat_ipv4,nf_nat,nf_conntrack_rtsp,nf_conntrack_rtcache
nf_conntrack_rtsp 5664 1 nf_nat_rtsp
nf_nat 9424 5 xt_nat,nf_nat_rtsp,nf_nat_redirect,nf_nat_masquerade_ipv4,nf_nat_ipv4
nf_nat_rtsp 3664 0
I believe you have to invoke the helpers now.
You shouldn't need to unless you have a VoIP server that you provide to the public Internet... Did you enable the SIP connection tracker?
I have read a few threads about upgrading to newer versions of OpenWrt (post-17.01.4), saying that connection trackers were needed for certain protocols. Previously they did not have to be explicitly enabled/installed.
My questions are:
Do I need to explicitly enable/install a SIP Connection tracker to run a SIP server and to make outbound SIP connections?
If so, how do I enable it for my server's IP (and other SIP devices) in my network?
How can I enable the helper?
Actually, I'm using this helper for TV; it's quite different from SIP tracking, as there is no need to rewrite packets.
Is this multicast...?
If so, you need something like igmpproxy, not connection tracking.
Well, it's not multicast (the provider masks the multicast with a rtsp relay in its IAD).
Edit: when I tried to open an RTSP stream, I have this log in dmesg:
> nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.
In the thread I linked, that would be to set net.netfilter.nf_conntrack_helper to 1.
In iptables you would add:
-j CT --helper foo
echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper
solved my issue. But it's not a clean solution, right?
I'm trying to build an iptables entry... without success:
root@OpenWrt:~# iptables -t raw -A OUTPUT -p tcp -m tcp --dport 554 -j CT --helper rtsp
iptables v1.6.2: can't initialize iptables table `raw': Table does not exist (do you need to insmod?)
Add the entry to /etc/sysctl.conf for a "clean solution."
Are you sure you have version 18 installed? I thought the RAW table was loaded automatically...
To get access to the RAW table, install
Sure! When I said "clean solution", I was referring to the security warning in dmesg encouraging the CT-based firewall rules.
Obviously the kmod-ipt-raw package is not pre-installed on 18.06.1.
Oh, of course it gives you a message; it's a firewall helper, and you turned it on. That is a security risk.
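An added example, written by the editor and not taken from any poster in this thread or from OpenWrt's own scripts, showing what the CT-based rule the dmesg warning asks for looks like once kmod-ipt-raw is installed. Two points the thread's attempt above runs into: the raw table only exists with kmod-ipt-raw, and a rule in the raw table's OUTPUT chain only sees packets the router itself originates, so traffic from a set-top box on the LAN (which traverses PREROUTING) never gets the helper attached. The LAN subnet 192.168.1.0/24 and the port 554 are assumed, hypothetical values; the script prints the rules by default and only applies them when called with `apply`.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenWrt project): attach the RTSP
# conntrack helper with explicit CT rules in the raw table instead of turning on
# the global net.netfilter.nf_conntrack_helper sysctl.
#
# Assumptions (hypothetical values, adjust for your network):
#   - OpenWrt 18.06 with kmod-ipt-raw and kmod-ipt-nathelper-rtsp installed
#   - LAN clients live in 192.168.1.0/24; the RTSP relay listens on TCP 554

LAN_NET="${LAN_NET:-192.168.1.0/24}"
RTSP_PORT="${RTSP_PORT:-554}"

# Build one CT rule. The raw table is evaluated before conntrack creates the
# entry, which is why the CT target must live there. PREROUTING covers packets
# forwarded from the LAN; OUTPUT covers only packets the router itself sends.
# Once attached, the helper parses the RTSP SETUP/Transport exchange and lets
# nf_nat_rtsp expect and rewrite the returning RTP/RTCP UDP flows.
rtsp_ct_rule() {
    # $1 = chain (PREROUTING or OUTPUT)
    # $2 = optional source network to restrict the helper to (empty = no -s match)
    printf 'iptables -t raw -A %s %s-p tcp -m tcp --dport %s -j CT --helper rtsp\n' \
        "$1" "${2:+-s $2 }" "$RTSP_PORT"
}

# The full rule set as text, e.g. for pasting into /etc/firewall.user.
rtsp_rules() {
    rtsp_ct_rule PREROUTING "$LAN_NET"   # LAN clients behind the router
    rtsp_ct_rule OUTPUT                  # the router's own RTSP clients, if any
}

# Apply idempotently: turn "-A" into "-C" to test whether the rule already exists.
apply_rtsp_rules() {
    # Without kmod-ipt-raw the raw table does not exist; fail loudly.
    iptables -t raw -L -n >/dev/null 2>&1 || {
        echo "raw table missing: opkg install kmod-ipt-raw" >&2
        return 1
    }
    rtsp_rules | while read -r rule; do
        check=$(printf '%s' "$rule" | sed 's/ -A / -C /')
        $check 2>/dev/null || $rule
    done
    # Keep automatic assignment off (the kernel default). Setting this to 1, as the
    # sysctl workaround in the thread does, re-enables every loaded helper on every
    # connection to its port from any source; the rules above limit the RTSP helper
    # to one subnet and one port.
    sysctl -w net.netfilter.nf_conntrack_helper=0 >/dev/null
}

case "${1:-show}" in
    apply) apply_rtsp_rules ;;
    show)  rtsp_rules ;;
esac
```

To confirm the helper is actually attached while a stream is open, the conntrack-tools package provides `conntrack -L`, which lists `helper=rtsp` on the TCP 554 control connection; the expected RTP/RTCP entries then appear as the stream starts.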
It's preinstalled on all of my version 18 devices: