Hi,
I am trying to use an iptables command in conjunction with SuSEfirewall2 (version 3.6.295 on openSUSE 12.2, kernel-desktop-3.4.47-2.38.1.x86_64).
Using it standalone, it works as expected:
SuSEfirewall2 stop
iptables -t nat -A OUTPUT -p tcp --dport 1935 -m owner ! --uid-owner root -j REDIRECT
Running rtmpsuck (2.3) behaves as expected (mostly): it catches flv streams that you display with your browser and stores them. (If not, try to restart rtmpsuck.)
If this iptables command is integrated in
/etc/sysconfig/scripts/SuSEfirewall2-custom
it doesn't work anymore: rtmpsuck doesn't detect any streams.
SuSEfirewall2 non-default settings (LAN-client):
FW_DEV_INT="eth0 eth1"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_PROTECT_FROM_INT="no"
FW_KERNEL_SECURITY="no"
FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
The yes and no settings are an attempt to fix the issue in question.
I would think it doesn't matter from which custom callback this command is executed, but I already tried all of them without luck. What's really strange is that SuSEfirewall2 status shows the relevant entry correctly:
### iptables nat ###
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1935 ! owner UID match 0
and yes, I call rtmpsuck as root (for testing purposes).
BTW, I got the best results with rtmpsuck version 2.3. Neither Packman's git version nor a self-baked one based on current git "behaved" well. Since version 2.3 isn't easily available for openSUSE, you can fetch it here:
https://build.opensuse.org/package/show/home:frispete:tools/rtmpdump
Does somebody in the audience have an idea why this doesn't work together with SuSEfirewall2?
Thanks in advance,
Pete
Hans-Peter Jansen wrote:
> I am trying to use an iptables command in conjunction with SuSEfirewall2 (version 3.6.295 on openSUSE 12.2, kernel-desktop-3.4.47-2.38.1.x86_64).
> Using it standalone, it works as expected:
> SuSEfirewall2 stop
> iptables -t nat -A OUTPUT -p tcp --dport 1935 -m owner ! --uid-owner root -j REDIRECT
> [...]
> If this iptables command is integrated in
> /etc/sysconfig/scripts/SuSEfirewall2-custom
> it doesn't work anymore: rtmpsuck doesn't detect any streams.
Your problem is probably not related to OUTPUT but to INPUT. Check "SuSEfirewall2 status" before and after running your program. Compare the packet counters. The packets in question might have been dropped, so some drop rule should have increased its counter.
> SuSEfirewall2 non-default settings (LAN-client):
> FW_DEV_INT="eth0 eth1"
> FW_ROUTE="yes"
> FW_MASQUERADE="yes"
> FW_PROTECT_FROM_INT="no"
> FW_KERNEL_SECURITY="no"
> FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
> The yes and no settings are an attempt to fix the issue in question.
If eth0 and eth1 are your only interfaces, a firewall config like the above one doesn't make much sense really. Just switch it off to avoid all the problems.
cu Ludwig
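
Added example, not part of the thread or of SuSEfirewall2: one way to do the before/after counter comparison suggested above is to save two "SuSEfirewall2 status" listings and print only the rules whose packet counter grew. The function names and the sample listing are constructed for illustration; the listing layout follows the status excerpt quoted in the first message.

```sh
#!/bin/sh
# Added example (not from the thread): list rules whose packet counter grew
# between two saved "SuSEfirewall2 status" listings.
counter_diff() {                 # usage: counter_diff BEFORE_FILE AFTER_FILE
    awk '
    function num(s,   m) {       # expand abbreviated counters such as 12K or 3M
        m = 1
        if (s ~ /K$/) m = 1000
        else if (s ~ /M$/) m = 1000000
        else if (s ~ /G$/) m = 1000000000
        sub(/[KMG]$/, "", s)
        return s * m
    }
    FNR == 1  { pass++ }                          # 1 = before file, 2 = after file
    /^### /   { table = $2 "/" $3; next }         # e.g. "### iptables nat ###"
    /^Chain / { chain = $2; idx = 0; next }
    $1 !~ /^[0-9]+[KMG]?$/ { next }               # column header or blank line
    {
        key = table "/" chain "#" (++idx)         # rule position within its chain
        if (pass == 1) { before[key] = num($1); next }
        delta = num($1) - before[key]             # unseen rules count from zero
        if (delta > 0) {
            rule = $3
            for (i = 4; i <= NF; i++) rule = rule " " $i
            printf "%s +%d %s\n", key, delta, rule
        }
    }' "$1" "$2"
}

sample() {   # constructed listing: $1 = REDIRECT pkts, $2 = DROP pkts
    cat <<EOF
### iptables filter ###
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
   40  2400 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
   $2   720 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1935
### iptables nat ###
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
   $1     0 REDIRECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1935 ! owner UID match 0
EOF
}

demo() {     # compare two constructed snapshots
    d=$(mktemp -d) || return 1
    sample 0 12 > "$d/before"
    sample 3 15 > "$d/after"
    counter_diff "$d/before" "$d/after"
    rm -rf "$d"
}
demo
```

On a live system, redirect "SuSEfirewall2 status" to a file before and after running the program and pass both files to counter_diff. The firewall must not be reloaded between the two snapshots, since rules are matched by their position in the chain.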