The target supports RTP/RTCP stream proxy for clients hidden behind NAT. A switchboard must be defined, the switchboard is identified by two gates. Each gate consist of cluster of dedicated ports. Unless value of gate B is specified it's taken from gate A. If addr A and B are equal then two non-overlaped port ranges are to be defined. The target is valid for the UDP protocol only, use -p upd option.

Iptables extensions:

--addr-a ip, --addr-b ip

Address of RTP/RTCP proxy gate A/B

--port-a port, --port-b port

Start port number of cluster at gate A/B.

--max-sess num

Max.number of sessions. Each session requires two ports for each gate.

--expires-timeout sec

When no RTP/RTCP packet won't pass through session for this timeout then the session will be marked as expired and no more packets pass through.

--resurrection-timeout sec

When session is marked as expired or destroyed then RTPPROXY won't try to reuse free slot at least for the resurrection timeout. It increases probability that delayed packets of old session will mystify new session.

The RTPPROXY target is meaningful only for UDP packets, Correct specification of matching rules improves efficiency. There must be passed UDP packets for PREROUTING, POSTROUTING, INPUT and OUTPUT to our target. If the packet fits a session then is processed (redirected or dropped) othewise left unchanged (CONTINUE). Note that mangle' table must be specified. Note that INPUT and OUTPUT are required only if a local address at RTP/RTCP proxy may be legal target of packet. Such scenario is not too much probable. We can create extra chain and use it as procedure. Consider filtering criteria (especially for FORWARD) as well.

In PREROUTING and OUTPUT phase must be changed destination address from address of the gate (A) to address of remote RTP/RTCP client (B). POSTROUTING and INPUT must change source address from remote RTP/RTCP client (A) to gate (B).


# load kernel module
  modprobe -i xt_RTPPROXY

# define switchboard iptables -t mangle -N my_rtpproxy iptables -t mangle -A my_rtpproxy -j RTPPROXY --addr-a --port-a 50000 --max-sess 100 -p udp

# add it to a chain in PREROUTING, POSTROUTING, INPUT and OUTPUT, specify matching conditions, etc. iptables -t mangle -A PREROUTING -j my_rtpproxy iptables -t mangle -A POSTROUTING -j my_rtpproxy iptables -t mangle -A INPUT -j my_rtpproxy iptables -t mangle -A OUTPUT -j my_rtpproxy