libipt_RTPPROXY
The target supports RTP/RTCP stream proxying for clients hidden behind NAT.
A switchboard must be defined; the switchboard is identified by two
gates. Each gate consists of a cluster of dedicated ports. Unless a
value for gate B is specified, it is taken from gate A. If
addr A and addr B are equal, then two non-overlapping port ranges must be
defined. The target is valid for the UDP protocol only; use the
-p udp option.
Iptables extensions:
--addr-a ip, --addr-b ip
Address of RTP/RTCP proxy gate A/B.
--port-a port, --port-b port
Start port number of the cluster at gate A/B.
--max-sess num
Maximum number of sessions. Each session requires two ports at each gate.
--expires-timeout sec
When no RTP/RTCP packet passes through a session for this timeout, the
session is marked as expired and no more packets pass through it.
--resurrection-timeout sec
When a session is marked as expired or destroyed, RTPPROXY won't try to
reuse the freed slot for at least the resurrection timeout. This guards
against delayed packets of the old session being mistaken for packets of
the new session.
The RTPPROXY target is meaningful only for UDP packets; correct specification
of matching rules improves efficiency. UDP packets must be passed to the target
from PREROUTING, POSTROUTING, INPUT and OUTPUT. If a packet fits
a session it is processed (redirected or dropped); otherwise it is left unchanged
(CONTINUE). Note that the `mangle' table must be specified. Note that
INPUT and OUTPUT are required only if a local address of the RTP/RTCP proxy may
be a legitimate destination of a packet; such a scenario is not very likely.
An extra chain can be created and used as a procedure. Consider filtering criteria
(especially for FORWARD) as well.
In the PREROUTING and OUTPUT phases the destination address must be changed from the address of the gate (A) to the address
of the remote RTP/RTCP client (B). POSTROUTING and INPUT must change the source address from the remote RTP/RTCP client (A)
to the gate (B).
Example
# load the kernel module
modprobe -i xt_RTPPROXY
# define the switchboard in its own chain (used as a procedure below);
# gate B defaults to gate A's address and port because no --addr-b/--port-b is given
iptables -t mangle -N my_rtpproxy
iptables -t mangle -A my_rtpproxy -p udp -j RTPPROXY --addr-a 1.2.3.4 --port-a 50000 --max-sess 100
# call it from PREROUTING, POSTROUTING, INPUT and OUTPUT of the mangle table;
# add matching conditions (ports, interfaces, etc.) to these rules as needed
iptables -t mangle -A PREROUTING -j my_rtpproxy
iptables -t mangle -A POSTROUTING -j my_rtpproxy
iptables -t mangle -A INPUT -j my_rtpproxy
iptables -t mangle -A OUTPUT -j my_rtpproxy
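As an added example that is not part of the original libipt_RTPPROXY documentation, the following POSIX shell helper derives each gate's port cluster from --max-sess (two ports per session per gate, as stated above), rejects a switchboard whose two gates share an address but have overlapping clusters, and emits the corresponding mangle-table rules. The chain name my_rtpproxy and all addresses and ports are constructed sample values.

```shell
#!/bin/sh
# Added example, not part of libipt_RTPPROXY itself. Assumes what the text
# above states: a gate's cluster spans 2 * max_sess consecutive ports starting
# at --port-X, and two gates on one address need non-overlapping clusters.

# cluster_end START MAX_SESS: last port of a cluster starting at START.
cluster_end() {
    echo $(( $1 + 2 * $2 - 1 ))
}

# clusters_overlap ADDR_A PORT_A ADDR_B PORT_B MAX_SESS
# Returns 0 (true) when both gates share an address and their clusters collide.
clusters_overlap() {
    [ "$1" = "$3" ] || return 1            # distinct addresses never collide
    a_lo=$2; a_hi=$(cluster_end "$2" "$5")
    b_lo=$4; b_hi=$(cluster_end "$4" "$5")
    if [ "$a_lo" -le "$b_hi" ] && [ "$b_lo" -le "$a_hi" ]; then
        return 0
    fi
    return 1
}

# rtpproxy_rules ADDR_A PORT_A ADDR_B PORT_B MAX_SESS
# Prints the mangle-table rules for one switchboard, or fails on a collision.
rtpproxy_rules() {
    if clusters_overlap "$1" "$2" "$3" "$4" "$5"; then
        echo "error: gates share $1 but clusters $2-$(cluster_end "$2" "$5")" \
             "and $4-$(cluster_end "$4" "$5") overlap" >&2
        return 1
    fi
    # my_rtpproxy is a constructed chain name used as a procedure (see above)
    cat <<EOF
iptables -t mangle -N my_rtpproxy
iptables -t mangle -A my_rtpproxy -p udp -j RTPPROXY --addr-a $1 --port-a $2 --addr-b $3 --port-b $4 --max-sess $5
EOF
}

# Sample values (constructed): one host, gate B placed right after gate A's
# 200-port cluster, so the clusters are 50000-50199 and 50200-50399.
rtpproxy_rules 1.2.3.4 50000 1.2.3.4 50200 100
```

Pipe the output into sh once the ranges check out; the PREROUTING/POSTROUTING/INPUT/OUTPUT jumps from the example above are still needed to call the chain.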