iptrtpproxy

 

NAME

iptrtpproxy - management tool for RTP/RTCP sessions  

SYNOPSIS

iptrtpproxy -h [command]

iptrtpproxy info [other_options] [common_options]

iptrtpproxy list [switchboard] [session_range] [list_verbosity] [other_options] [common_options]

iptrtpproxy alloc [switchboard] RTP_params [other_options] [common_options]

iptrtpproxy update switchboard [session_range] [other_options] [common_options]

iptrtpproxy delete [switchboard] [session_range] [other_options] [common_options]  

DESCRIPTION

iptrtpproxy is used to set up, maintain, and inspect the RTP/RTCP sessions in the netfilter RTPPROXY target. The sessions behave as a proxy for RTP/RTCP packets, enabling smooth streaming for clients hidden behind NAT. A range of dedicated ports at a particular IP address is called a `gate'. Because RTP/RTCP involves two clients, two gates are needed. The two gates are permanently connected at a `switchboard'. The connected gates may use one or two IP addresses. Each RTP/RTCP client sends packets to its gate's IP:port and receives packets from that same gate's IP:port; this is called a `session'. The switchboard is responsible for routing packets to the opposite client.

iptrtpproxy makes calls to the kernel and requires the CAP_NET_ADMIN and CAP_NET_RAW capabilities, i.e. it must be executed as root. The capabilities may be limited with the libcap utilities (sucap, execcap).

OPTIONS

The options that are recognized by iptrtpproxy can be divided into several different groups.  

COMMANDS

These options specify the specific action to perform. Only one of them can be specified on the command line.
info
Get uptime, total number of switchboards and sessions and global statistics.
list
List switchboards and sessions. Switchboards may be filtered using the switchboard parameters, and session_range may restrict which sessions are listed.
alloc
Allocate a new session, i.e. two pairs of ports will be dedicated. At least one source address or learning timeout must be provided. The session id is returned.
update
Update the specified session(s) at the specified switchboard. Unless session_range is specified, all sessions that are neither expired nor destroyed are affected.
delete
Destroy the specified session(s). Unless a switchboard is specified, all switchboards are affected; unless session_range is specified, all sessions are affected.
 

SWITCHBOARD

The switchboard is identified by gate IP:port. Unless both gates, gate-a and gate-b, are identified, gate-b is taken to be equal to gate-a. If both addresses and ports are equal, the lib_RTPPROXY module will also try to find the correct switchboard. It simplifies life slightly.
--addr-a ip
--addr-b ip
IP address of the gate.
--port-a port
--port-b port
The lowest port of the dedicated port range.
 

SESSION RANGE

Identifies the sessions to be affected by the command.
--sess-id-lo id
Low session id, default value is 0.
--sess-id-hi id
High session id; unless specified, the value of --sess-id-lo is used.
 

RTP PARAMS

Specify the parameters of the RTP/RTCP clients. The parameters of the RTP and RTCP streams may be specified separately; the default value of each RTCP parameter is derived from the corresponding RTP parameter.
--rtp-addr-a ip
--rtcp-addr-a ip
--rtp-addr-b ip
--rtcp-addr-b ip
IP address of RTP/RTCP client.
--rtp-port-a port
--rtcp-port-a port
--rtp-port-b port
--rtcp-port-b port
Port of RTP/RTCP client.
--rtp-learning-timeout-a msec
--rtp-learning-timeout-b msec
--rtcp-learning-timeout-a msec
--rtcp-learning-timeout-b msec
How long (in milliseconds) the session will try to learn the source address of RTP/RTCP packets.
--always-learn-a
--always-learn-b
The session will always try to learn the source address of RTP/RTCP packets, even when the address:port is already known. Malicious packets may silently redirect the stream.
 

LIST VERBOSITY

--no-switchboard
Do not list switchboards. It also implies --no-session.
--no-session
Do not list sessions.
 

OTHER OPTIONS

The following options can be specified:
--reset-global-stat
Reset global statistics.
--reset-switchboard-stat
Reset switchboard statistics.
--reset-packet-stat
Reset switchboard packet statistics.
--force-switchboard-audit
Force a switchboard audit, i.e. check expirations and update statistics.
 

COMMON OPTIONS

The following common options can be specified:
-v, --verbose
Verbose output. Most of the verbose output goes to stderr.
-V
Print version.
-h, --help
If a command is specified, prints help for that command; otherwise prints the list of possible commands. Note that this option may be specified at almost any position on the command line.
 

PREREQUISITES

The lib_RTPPROXY kernel module must be loaded and a switchboard defined using the iptables tool.

Examples:

# load kernel module
  modprobe -i xt_RTPPROXY 

# define switchboard
  iptables -t mangle -N my_rtpproxy
  iptables -t mangle -A my_rtpproxy -j RTPPROXY --addr-a 1.2.3.4 --port-a 50000 --max-sess 100

# add it to a chain in PREROUTING, POSTROUTING and OUTPUT, specify matching conditions, etc.
  iptables -t mangle -A PREROUTING -p udp -j my_rtpproxy
  iptables -t mangle -A OUTPUT -p udp -j my_rtpproxy
  iptables -t mangle -A POSTROUTING -p udp -j my_rtpproxy

# run as root with a limited set of capabilities
  execcap 'CAP_DAC_READ_SEARCH,CAP_NET_ADMIN,CAP_NET_RAW=eip' iptrtpproxy info

# run as a non-root user; this requires CAP_SETPCAP to hand a root capability to a plain user
  sucap my_user my_group execcap 'CAP_DAC_READ_SEARCH,CAP_NET_ADMIN,CAP_NET_RAW=eip' iptrtpproxy info
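The following wrapper is an added example, not part of the iptrtpproxy project: it allocates one session on the switchboard defined above (gate 1.2.3.4:50000, assumed), building the "alloc" command line only from the options documented in RTP PARAMS, enforcing the rule that at least one source address or learning timeout must be given, preferring a bounded learning timeout over --always-learn-b, and mapping the exit codes from DIAGNOSTICS. IPTRTPPROXY, GATE_ADDR and GATE_PORT are assumed environment overrides.

```shell
#!/bin/sh
# Added example wrapper around "iptrtpproxy alloc" (not the project's own code).
# Assumes the switchboard from PREREQUISITES; the binary name can be overridden.
IPTRTPPROXY=${IPTRTPPROXY:-iptrtpproxy}
GATE_ADDR=${GATE_ADDR:-1.2.3.4}
GATE_PORT=${GATE_PORT:-50000}

# Print the argument list for one session. Side A is the known client
# (addr:port); side B is learned within a bounded timeout rather than with
# --always-learn-b, which would let spoofed packets redirect the stream.
# Usage: alloc_args <rtp_addr_a> <rtp_port_a> <learn_timeout_b_msec>
alloc_args() {
    addr_a=$1; port_a=$2; learn_b=$3
    # "alloc" needs at least one source address or one learning timeout
    if [ -z "$addr_a" ] && [ -z "$learn_b" ]; then
        echo "alloc_args: need a client address or a learning timeout" >&2
        return 2
    fi
    if [ -n "$addr_a" ] && [ -z "$port_a" ]; then
        echo "alloc_args: client address given without a port" >&2
        return 2
    fi
    set -- alloc --addr-a "$GATE_ADDR" --port-a "$GATE_PORT"
    if [ -n "$addr_a" ]; then
        set -- "$@" --rtp-addr-a "$addr_a" --rtp-port-a "$port_a"
    fi
    if [ -n "$learn_b" ]; then
        set -- "$@" --rtp-learning-timeout-b "$learn_b"
    fi
    printf '%s\n' "$*"
}

# Run the command and translate the documented exit codes (0 ok,
# 2 invalid parameters, 1 other error) into a diagnostic on stderr.
# Returns the original status so callers can branch on it.
alloc_session() {
    args=$(alloc_args "$@") || return $?
    # word splitting of $args is intended: it holds the argument list
    "$IPTRTPPROXY" $args
    rc=$?
    case $rc in
        0) echo "session allocated" >&2 ;;
        2) echo "iptrtpproxy: invalid command line parameters" >&2 ;;
        *) echo "iptrtpproxy: kernel/module error (exit $rc)" >&2 ;;
    esac
    return $rc
}
```

Run it as `alloc_session 10.0.0.5 4000 5000` under the capability set shown above; the printed session id is needed later for update and delete.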

 

DIAGNOSTICS

Various error messages are printed to standard error. The exit code is 0 for correct functioning. Errors that appear to be caused by invalid or misused command line parameters cause an exit code of 2, and other errors cause an exit code of 1.

BUGS

Bugs? Many. ;-)  

SEE ALSO

iptables(8), capabilities(7), cap_from_text(3). The netfilter-rtpproxy-HOWTO details usage of the RTP/RTCP proxy. The libcap FAQ capfaq-x.y.txt.
See
http://www.2p.cz/en/netfilter_rtp_proxy
http://www.netfilter.org/
http://www1.us.kernel.org/linux/libs/security/linux-privs/