Answer the question
In order to leave comments, you need to log in
J
J
jidckii2014-12-06 13:53:25
jidckii, 2014-12-06 13:53:25
How to configure igmpproxy?
Hello.
In general, such a problem that igmpproxy does not work.
At home, a wheelbarrow on debian as a router.
eth0 - Internet
eth1 - local network (192.168.0.0/24)
The daemon starts, but gives the following messages in debug mode:
sudo /usr/local/sbin/igmpproxy -d /usr/local/etc/igmpproxy.conf
The origin for route 239.255.255.250 changed from 192.168.0.2 to 192.168.0.3
The origin for route 239.255.255.250 changed from 192.168.0.3 to 192.168.0.1
The origin for route 239.255.255.250 changed from 192.168.0.1 to 192.168.0.60If you listen to eth0 with tcpdump, then you can see that IPTV is pouring in full:
sudo tcpdump -i eth0 net 224.0.0.0/4
...
15:40:09.611407 IP 212.49.127.114.52669 > 239.255.2.255.5001: UDP, length 1426
15:40:09.613423 IP 212.49.127.114.52669 > 239.255.2.255.5001: UDP, length 1426
15:40:09.615441 IP 212.49.127.114.52669 > 239.255.2.255.5001: UDP, length 1426
15:40:09.617477 IP 212.49.127.114.52669 > 239.255.2.255.5001: UDP, length 1426
15:40:09.617589 IP 212.49.127.114.52669 > 239.255.2.255.5001: UDP, length 1426
15:40:09.620438 IP 212.49.127.114.52669 > 239.255.2.255.5001: UDP, length 1426
15:40:09.622430 IP 212.49.127.114.52669 > 239.255.2.255.5001: UDP, length 1426
15:40:09.624435 IP 212.49.127.114.52669 > 239.255.2.255.5001: UDP, length 1426
....iftop also shows that the utilization is equal to the bitrate of the TV channel ~ 6 Mbps.
But that's all.
In eth1 igmp traffic does not leave.
Below are all the configs you need:
$ sudo route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 5.189.13.1 0.0.0.0 UG 0 0 0 eth0
5.189.13.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
224.0.0.0 0.0.0.0 240.0.0.0 U 4 0 0 eth0$ cat igmpproxy.conf
quickleave
phyint eth0 upstream ratelimit 0 threshold 1
altnet 212.49.127.0/24
altnet 192.168.0.0/16
altnet 224.0.0.0/4
phyint eth1 downstream ratelimit 0 threshold 1$ sudo iptables -L -n -v
Chain INPUT (policy ACCEPT 795K packets, 92M bytes)
pkts bytes target prot opt in out source destination
50280 16M ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
1100 175K ACCEPT 47 -- * * 0.0.0.0/0 0.0.0.0/0
324K 451M ACCEPT all -- eth0 * 0.0.0.0/0 224.0.0.0/4
0 0 ACCEPT all -- eth0 * 224.0.0.0/4 0.0.0.0/0
Chain FORWARD (policy ACCEPT 1055 packets, 128K bytes)
pkts bytes target prot opt in out source destination
201K 33M ACCEPT all -- eth1 eth0 0.0.0.0/0 0.0.0.0/0
323K 411M ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
324K 462M REJECT all -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 ACCEPT all -- eth1 eth0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 REJECT all -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 ACCEPT all -- eth1 eth0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 REJECT all -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 ACCEPT all -- eth1 eth0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 REJECT all -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
39 2496 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x06/0x02 TCPMSS clamp to PMTU
0 0 ACCEPT all -- * * 0.0.0.0/0 224.0.0.0/4
0 0 ACCEPT all -- * * 224.0.0.0/4 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 1084K packets, 502M bytes)
pkts bytes target prot opt in out source destination$ sudo iptables-save
# Generated by iptables-save v1.4.14 on Sun Dec 7 19:02:27 2014
*mangle
:PREROUTING ACCEPT [11275793:9270056172]
:INPUT ACCEPT [2038832:482940278]
:FORWARD ACCEPT [9366478:9009902518]
:OUTPUT ACCEPT [2292405:1380351006]
:POSTROUTING ACCEPT [11534519:10162133158]
-A PREROUTING -d 224.0.0.0/4 -p udp -j TTL --ttl-inc 1
-A PREROUTING -d 224.0.0.0/4 -p udp -j TTL --ttl-inc 2
COMMIT
# Completed on Sun Dec 7 19:02:27 2014
# Generated by iptables-save v1.4.14 on Sun Dec 7 19:02:27 2014
*nat
:PREROUTING ACCEPT [2752:295544]
:INPUT ACCEPT [2636:287075]
:OUTPUT ACCEPT [168:14400]
:POSTROUTING ACCEPT [186:15543]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 16270 -j DNAT --to-destination 192.168.0.4:16270
-A PREROUTING -i eth0 -p udp -m udp --dport 16270 -j DNAT --to-destination 192.168.0.4:16270
-A PREROUTING -i eth0 -p tcp -m tcp --dport 32332 -j DNAT --to-destination 192.168.0.60:32332
-A PREROUTING -i eth0 -p udp -m udp --dport 32332 -j DNAT --to-destination 192.168.0.60:32332
-A POSTROUTING -s 192.168.0.0/16 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.0.0/16 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.0.0/16 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.0.0/16 -o eth0 -j MASQUERADE
-A POSTROUTING -s 172.16.0.0/12 -j MASQUERADE
-A POSTROUTING -s 192.168.0.0/16 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.0.0/16 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.0.0/16 -o eth0 -j MASQUERADE
COMMIT
# Completed on Sun Dec 7 19:02:27 2014
# Generated by iptables-save v1.4.14 on Sun Dec 7 19:02:27 2014
*filter
:INPUT ACCEPT [6089:1046504]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [5715:1102152]
-A INPUT -i lo -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p gre -j ACCEPT
-A INPUT -d 224.0.0.0/4 -i eth0 -j ACCEPT
-A INPUT -s 224.0.0.0/4 -i eth0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A FORWARD -d 192.168.0.4/32 -p tcp -m tcp --dport 16270 -j ACCEPT
-A FORWARD -d 192.168.0.4/32 -p udp -m udp --dport 16270 -j ACCEPT
-A FORWARD -d 192.168.0.60/32 -p tcp -m tcp --dport 32332 -j ACCEPT
-A FORWARD -d 192.168.0.60/32 -p udp -m udp --dport 32332 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -d 224.0.0.0/4 -j ACCEPT
-A FORWARD -s 224.0.0.0/4 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Sun Dec 7 19:02:27 2014$ cat rc.local
#!/bin/sh -e
...
# Правила для igmpproxy
modprobe ipt_TTL
iptables -t filter -A INPUT -d 224.0.0.0/240.0.0.0 -i eth0 -j ACCEPT
iptables -t filter -A INPUT -s 224.0.0.0/240.0.0.0 -i eth0 -j ACCEPT
iptables -t filter -A FORWARD -d 224.0.0.0/240.0.0.0 -j ACCEPT
iptables -t filter -A FORWARD -s 224.0.0.0/240.0.0.0 -j ACCEPT
iptables -t mangle -A PREROUTING -d 224.0.0.0/240.0.0.0 -p udp -j TTL --ttl-inc 1$ cat /proc/sys/net/ipv4/conf/eth0/force_igmp_version
2It seems to be everything that could be indicated.
tell me where to dig?
2 answer(s)
@jidckii
Naturally, all igmp traffic dropped.
J
jidckii, 2014-12-07 @jidckii
Figured it out myself.
I was ruined by a stupid copy-paste from the forum when NAT was raised.
in the config there was a rule:
# Рубим доступ из и-нет во внутреннюю сеть
iptables -A FORWARD -i eth0 -o eth1 -j REJECTNaturally, all igmp traffic dropped.
Similar questions
E
A
M
I
D
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question