diff --git a/conf/default_ports.conf b/conf/default_ports.conf index b6633e6..6a6b475 100644 --- a/conf/default_ports.conf +++ b/conf/default_ports.conf @@ -143,9 +143,15 @@ standard_unifi_udp_ctrl_out_ports="443,3478" # - outbound port 1936/TCP : outbound streaming over RTMP to LinkedIn # Live (port 1935 is also used for RTMP streaming to LinkedIn) # +# - outbound port 6667/TCP : Twitch Live Chat +# +# - outbound port 10349 : outbound streaming vMix +# # - outbound ports 2935/TCP and 2396/TCP : outbound streaming over # RTMPS to LinkedIn Live # +# outbound ports 19302:19309 TCP : Google Hangout / Google Meet TCP streaming. +# # - outbound port 443/TCP (HTTPS) : used for authentication with the # built-in providers such as YouTube Live, Facebook Live, Ustream, # Livestream, and Twitch @@ -153,14 +159,21 @@ standard_unifi_udp_ctrl_out_ports="443,3478" # - outbound port 53/UDP (DNS) used for DNS lookups converting # hostnames to IP addresses # -standard_outbound_streaming_tcp_ports="1935,1936,2935,2396" +# - outbound ports 3478/TCP 19305:19307/TCP WebRTC for browserbased Encoding +# (also used by Google Meet TCP streaming) +# +standard_outbound_streaming_tcp_ports="1935,1936,2935,2396,3478,6667,10349,19302:19309" # Outbound Streaming Ports UDP # # - outbound port 2088 UDP broadcasting from Mevo or the Livestream mobile app (iOS and Android). # -standard_outbound_streaming_udp_ports="2088" +# - outbound port 10349 : outbound streaming vMix +# +# - outbound ports 19302:19309 UDP : Google Hangout / Google Meet UDP streaming. +# +standard_outbound_streaming_udp_ports="2088,10349,19302:19309" # Echo360 Video Plattform 
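Review bot: The comment added directly above `standard_outbound_streaming_tcp_ports` describes WebRTC as `3478/TCP 19305:19307/TCP`, but the value assigned on the next line is `1935,1936,2935,2396,3478,6667,10349,19302:19309`, so the comment and the ports actually opened disagree; one of the two should be corrected so the documentation matches the rule that the gateway scripts generate from this variable. 3478/TCP is now listed here and again in `standard_turn_service_ports` further down in the same file, so the same destination port is opened by two separate rule blocks. In the first hunk the new bullet `# outbound ports 19302:19309 TCP : Google Hangout / Google Meet TCP streaming.` lacks the `# - ` prefix used by every other entry in this list, and the `10349` entry in the TCP section gives no protocol although the same port is repeated in the UDP section.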
@@ -219,7 +232,23 @@ standard_jitsi_udp_port_range="10000:20000" # - TURN Server (Stun Server) (for Nextcloud 'talk' app) # - -standard_turn_service_ports="3478:3479,5349:5350" +# - UDP/TCP 3478,5349 TURN listener port for UDP and TCP listeners (Default: 3478) +# - TURN listener port for TLS and DTLS listeners (Default: 5349) +# - +# - UDP 49152:65535 For establishing p2p connection (i.e. Nextcloud 'talk' app): +# - +# - Each client will send the data through UDP to the other endpoint: +# - if it's sending to a TURN server (to a relay candidate) it will send +# - to a port between 49152-65535 (if it's sending directly to the other +# - party it will send to any port in the 0-65535 range) +# - +# - --min-port Lower bound of the UDP port range for relay endpoints +# - allocation. Default value is 49152, according to RFC 5766. +# - +# - --max-port Upper bound of the UDP port range for relay endpoints +# - allocation. Default value is 65535, according to RFC 5766. +# - +standard_turn_service_ports="3478,5349" standard_turn_service_udp_ports="49152:65535" # - alfaview - Video Conferencing Systems @@ -230,6 +259,15 @@ standard_turn_service_udp_ports="49152:65535" standard_alfaview_service_tcp_ports="5380:5390" standard_alfaview_service_udp_ports="5380:5390" +# - Nextcloud talk App +# - +# - TCP/UDP 3478,3479,5349,5350 +# - +# - UDP 49152:65535 +# - +standard_nc_turn_ports="3478,3479,5349,5350" +standard_nc_turn_udp_ports="49152:65535" + # ------------- # --- Predefined Ports diff --git a/conf/main_ipv4.conf.sample b/conf/main_ipv4.conf.sample index c010055..40e4ac6 100644 --- a/conf/main_ipv4.conf.sample +++ b/conf/main_ipv4.conf.sample @@ -980,8 +980,8 @@ local_nc_turn_service="" # - # - comma separated list # - -nc_turn_ports="$standard_turn_service_ports" -nc_turn_udp_ports="$standard_turn_service_udp_ports" +nc_turn_ports="$standard_nc_turn_ports" +nc_turn_udp_ports="$standard_nc_turn_udp_ports" # ====== 
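Review bot: `standard_nc_turn_ports="3478,3479,5349,5350"` repeats the two ports already in `standard_turn_service_ports="3478,5349"`, and the new comment block above it only lists the numbers; it does not say that 3478/5349 are removed from the Nextcloud list at load time (the commit does this in conf/post_decalrations.conf) nor what 3479 and 5350 are — presumably the TURN server's alternate listener ports, which is worth confirming and stating. A line such as `# - 3478 and 5349 are also in standard_turn_service_ports and are filtered out in post_decalrations.conf` would make that relationship explicit. The long comment added at `@@ -219` documents the `--min-port`/`--max-port` defaults but does not mention that `standard_turn_service_ports` was narrowed from `3478:3479,5349:5350` to `3478,5349`, so a reader cannot tell whether dropping the alternate ports from the generic list was intentional.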
diff --git a/conf/main_ipv6.conf.sample b/conf/main_ipv6.conf.sample index 3cf3585..d8afa5b 100644 --- a/conf/main_ipv6.conf.sample +++ b/conf/main_ipv6.conf.sample @@ -956,8 +956,8 @@ local_nc_turn_service="" # - # - comma separated list # - -nc_turn_ports="$standard_turn_service_ports" -nc_turn_udp_ports="$standard_turn_service_udp_ports" +nc_turn_ports="$standard_nc_turn_ports" +nc_turn_udp_ports="$standard_nc_turn_udp_ports" # ====== diff --git a/conf/post_decalrations.conf b/conf/post_decalrations.conf index d365661..89a1f16 100644 --- a/conf/post_decalrations.conf +++ b/conf/post_decalrations.conf @@ -578,6 +578,23 @@ for _port in $ldap_tcp_ports ; do ldap_tcp_port_arr+=("$_port") done +# --- +# - Turn/Stun Ports +# --- +declare -a standard_turn_service_port_arr +CUR_IFS="$IFS" +IFS=',' ; for _port in $standard_turn_service_ports ; do + standard_turn_service_port_arr+=("$_port") +done +IFS="$CUR_IFS" + +declare -a standard_turn_service_udp_port_arr +CUR_IFS="$IFS" +IFS=',' ; for _port in $standard_turn_service_udp_ports ; do + standard_turn_service_udp_port_arr+=("$_port") +done +IFS="$CUR_IFS" + # --- # - BigBlueButton Video Conference - adjust 'bigbluebutton_tcp_ports' 
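Review bot: The two new array-building blocks in the conf/post_decalrations.conf hunk repeat the save-IFS/loop/restore-IFS pattern for a single comma-separated string; `IFS=',' read -r -a standard_turn_service_port_arr <<<"$standard_turn_service_ports"` (and the same for `standard_turn_service_udp_port_arr`) does the split in one line, scopes the IFS change to the `read` command and leaves nothing to restore. The loop form also leaves `_port` and `CUR_IFS` set at file scope after the block. The existing ldap block just above uses the loop form, so this is a choice between brevity and consistency with the file.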
@@ -623,6 +640,48 @@ done IFS="$CUR_IFS" +# --- +# - Nextcloud 'talk' app +# --- +declare -a nc_turn_port_arr +CUR_IFS="$IFS" +_tmp_ports="$nc_turn_ports" +nc_turn_ports="" +declare -i count=0 +IFS=',' ; for _port in $_tmp_ports ; do + if containsElement "${_port}" "${standard_turn_service_port_arr[@]}" ; then + continue + fi + if [[ $count -eq 0 ]]; then + nc_turn_ports="$_port" + else + nc_turn_ports="${nc_turn_ports},${_port}" + fi + ((count++)) +done +IFS="$CUR_IFS" + +declare -a nc_turn_udp_port_arr +CUR_IFS="$IFS" +_tmp_udp_ports="$nc_turn_udp_ports" +nc_turn_udp_ports="" +declare -i count=0 +IFS=',' ; for _port in $_tmp_udp_ports ; do + if containsElement "${_port}" "${standard_turn_service_udp_port_arr[@]}" ; then + continue + fi + if [[ $count -eq 0 ]]; then + nc_turn_udp_ports="$_port" + else + nc_turn_udp_ports="${nc_turn_udp_ports},${_port}" + fi + ((count++)) +done +IFS="$CUR_IFS" + + + + # --- # - IPMI # --- diff --git a/ip6t-firewall-gateway b/ip6t-firewall-gateway index 31126ac..b3454ad 100755 --- a/ip6t-firewall-gateway +++ b/ip6t-firewall-gateway 
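Review bot: `nc_turn_port_arr` and `nc_turn_udp_port_arr` are declared but never assigned — the loops rebuild the comma-separated strings `nc_turn_ports` / `nc_turn_udp_ports` instead — so both `declare -a` lines are dead and should go. `((count++))` evaluates to 0 on the first pass and therefore returns exit status 1; if the gateway scripts that source this file run with `set -e`, that aborts at the first port kept. The counter exists only to decide whether to prepend a comma, which `nc_turn_ports="${nc_turn_ports:+${nc_turn_ports},}${_port}"` (and the same for `nc_turn_udp_ports`) does without it, so both `declare -i count=0` lines and the `if`/`else` can be dropped as well.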
@@ -2985,6 +2985,95 @@ else fi +# --- +# - Outbound Streaming +# --- + +echononl "\t\tOutbound Streaming (most providers)" + +if $allow_outbound_streaming ; then + + for _dev in ${ext_if_arr[@]} ; do + + $ip6t -A OUTPUT -o $_dev -p tcp -m multiport --dports $standard_outbound_streaming_tcp_ports -m conntrack --ctstate NEW -j ACCEPT + $ip6t -A OUTPUT -o $_dev -p udp -m multiport --dports $standard_outbound_streaming_udp_ports -m conntrack --ctstate NEW -j ACCEPT + + if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then + + $ip6t -A FORWARD -o $_dev -p tcp -m multiport --dports $standard_outbound_streaming_tcp_ports -m conntrack --ctstate NEW -j ACCEPT + $ip6t -A FORWARD -o $_dev -p udp -m multiport --dports $standard_outbound_streaming_udp_ports -m conntrack --ctstate NEW -j ACCEPT + + fi + + done + echo_done +else + echo_skipped +fi +# --- +# - Turn/Stun Service +# --- + +echononl "\t\tTurn/Stun Service" + +if $allow_outbound_streaming \ + || $allow_echo360_video_streaming \ + || $allow_bigbluebutton_video_conference_out \ + || $allow_webex_video_conference_out \ + || $allow_zoom_video_conference_out \ + || $allow_jitsi_video_conference_out \ + || $allow_alfaview_video_conference_out \ + || $allow_nc_talk_out ; then + + for _dev in ${ext_if_arr[@]} ; do + for _port in ${standard_turn_service_port_arr[@]} ; do + + $ip6t -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + $ip6t -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + + if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then + $ip6t -A FORWARD -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + $ip6t -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + fi + + done + for _port in ${standard_turn_service_udp_port_arr[@]} ; do + + $ip6t -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + + if $kernel_forward_between_interfaces && ! 
$permit_local_net_to_inet ; then + $ip6t -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + fi + done + done + echo_done +else + echo_skipped +fi + + +# --- +# - Echo360 Video Plattform +# --- + +echononl "\t\tEcho360 Video Plattform out only" + +if $allow_echo360_video_streaming ; then + + for _dev in ${ext_if_arr[@]} ; do + + $ip6t -A OUTPUT -o $_dev -p udp -m multiport --dports $standard_echo360_udp_ports -m conntrack --ctstate NEW -j ACCEPT + + if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then + $ip6t -A FORWARD -o $_dev -p udp -m multiport --dports $standard_echo360_udp_ports -m conntrack --ctstate NEW -j ACCEPT + fi + done + echo_done +else + echo_skipped +fi + + # --- # - BigBlueButton Video Conference Service out only # --- 
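Review bot: The Turn/Stun block mixes two forwarding flags: the TCP/UDP port loop tests `$kernel_activate_forwarding`, while the UDP-range loop, the Outbound Streaming block and the Echo360 block in the same hunk test `$kernel_forward_between_interfaces`, which is also what the existing Nextcloud block of this IPv6 script uses. If `kernel_activate_forwarding` is not defined in the IPv6 script, the bare expansion becomes a null command with exit status 0 and the FORWARD ACCEPT rules are added whenever `permit_local_net_to_inet` is false, regardless of whether forwarding is enabled; `if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then` on that line makes the hunk consistent. Separately, `standard_turn_service_udp_port_arr` holds `49152:65535`, so the UDP-range loop accepts new outbound UDP to any destination on practically the whole ephemeral range, on OUTPUT and on FORWARD, as soon as any of the eight allow flags is set; a comment above that loop such as `# NOTE: 49152:65535/UDP is the TURN relay range - this permits almost all outbound high-port UDP` would make the scope visible to whoever enables one of those flags. The same UDP-range rules appear in the ipt-firewall-gateway hunk below.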
@@ -3151,21 +3240,28 @@ fi # --- -# - TURN Server (Stun Server) (for Nextcloud 'talk' app) +# - Nextcloud 'talk' App # --- -echononl "\t\tTURN Server (Stun Server) (for Nextcloud 'talk' app)out only" +echononl "\t\tNextcloud 'talk' App" if $allow_nc_talk_out ; then for _dev in ${ext_if_arr[@]} ; do - $ip6t -A OUTPUT -o $_dev -p tcp -m multiport --dports $nc_turn_ports -m conntrack --ctstate NEW -j ACCEPT - $ip6t -A OUTPUT -o $_dev -p udp -m multiport --dports $nc_turn_ports -m conntrack --ctstate NEW -j ACCEPT - $ip6t -A OUTPUT -o $_dev -p udp -m multiport --dports $nc_turn_udp_ports -m conntrack --ctstate NEW -j ACCEPT - + if [[ -n "$nc_turn_ports" ]] ; then + $ip6t -A OUTPUT -o $_dev -p tcp -m multiport --dports $nc_turn_ports -m conntrack --ctstate NEW -j ACCEPT + $ip6t -A OUTPUT -o $_dev -p udp -m multiport --dports $nc_turn_ports -m conntrack --ctstate NEW -j ACCEPT + fi + if [[ -n "$nc_turn_udp_ports" ]] ; then + $ip6t -A OUTPUT -o $_dev -p udp -m multiport --dports $nc_turn_udp_ports -m conntrack --ctstate NEW -j ACCEPT + fi if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then - $ip6t -A FORWARD -o $_dev -p tcp -m multiport --dports $nc_turn_ports -m conntrack --ctstate NEW -j ACCEPT - $ip6t -A FORWARD -o $_dev -p udp -m multiport --dports $nc_turn_ports -m conntrack --ctstate NEW -j ACCEPT - $ip6t -A FORWARD -o $_dev -p udp -m multiport --dports $nc_turn_udp_ports -m conntrack --ctstate NEW -j ACCEPT + if [[ -n "$nc_turn_ports" ]] ; then + $ip6t -A FORWARD -o $_dev -p tcp -m multiport --dports $nc_turn_ports -m conntrack --ctstate NEW -j ACCEPT + $ip6t -A FORWARD -o $_dev -p udp -m multiport --dports $nc_turn_ports -m conntrack --ctstate NEW -j ACCEPT + fi + if [[ -n "$nc_turn_udp_ports" ]] ; then + $ip6t -A FORWARD -o $_dev -p udp -m multiport --dports $nc_turn_udp_ports -m conntrack --ctstate NEW -j ACCEPT + fi fi done diff --git a/ipt-firewall-gateway b/ipt-firewall-gateway index 2bf8be5..be04350 100755 --- a/ipt-firewall-gateway 
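Review bot: The new `[[ -n "$nc_turn_ports" ]]` and `[[ -n "$nc_turn_udp_ports" ]]` guards only make sense with the values rebuilt in conf/post_decalrations.conf, where ports already covered by the generic Turn/Stun block are stripped and either string may end up empty; nothing in this block says so, and a reader will wonder how a port list from main_ipv6.conf can be empty. A comment before the `for _dev` loop along the lines of `# nc_turn_ports / nc_turn_udp_ports were reduced in post_decalrations.conf to the ports not already opened by the Turn/Stun block; either may be empty` would record that dependency. The same applies to the matching hunk of ipt-firewall-gateway at the end of this diff.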
+++ b/ipt-firewall-gateway 
@@ -3731,6 +3731,97 @@ else fi +# --- +# - Outbound Streaming +# --- + +echononl "\t\tOutbound Streaming (most providers)" + +if $allow_outbound_streaming ; then + + for _dev in ${ext_if_arr[@]} ; do + + $ipt -A OUTPUT -o $_dev -p tcp -m multiport --dports $standard_outbound_streaming_tcp_ports -m conntrack --ctstate NEW -j ACCEPT + $ipt -A OUTPUT -o $_dev -p udp -m multiport --dports $standard_outbound_streaming_udp_ports -m conntrack --ctstate NEW -j ACCEPT + + if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then + + $ipt -A FORWARD -o $_dev -p tcp -m multiport --dports $standard_outbound_streaming_tcp_ports -m conntrack --ctstate NEW -j ACCEPT + $ipt -A FORWARD -o $_dev -p udp -m multiport --dports $standard_outbound_streaming_udp_ports -m conntrack --ctstate NEW -j ACCEPT + + fi + + done + echo_done +else + echo_skipped +fi + + +# --- +# - Turn/Stun Service +# --- + +echononl "\t\tTurn/Stun Service" + +if $allow_outbound_streaming \ + || $allow_echo360_video_streaming \ + || $allow_bigbluebutton_video_conference_out \ + || $allow_webex_video_conference_out \ + || $allow_zoom_video_conference_out \ + || $allow_jitsi_video_conference_out \ + || $allow_alfaview_video_conference_out \ + || $allow_nc_talk_out ; then + + for _dev in ${ext_if_arr[@]} ; do + for _port in ${standard_turn_service_port_arr[@]} ; do + + $ipt -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + $ipt -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + + if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then + $ipt -A FORWARD -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + $ipt -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + fi + + done + for _port in ${standard_turn_service_udp_port_arr[@]} ; do + + $ipt -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + + if $kernel_activate_forwarding && ! 
$permit_local_net_to_inet ; then + $ipt -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT + fi + done + done + echo_done +else + echo_skipped +fi + + +# --- +# - Echo360 Video Plattform +# --- + +echononl "\t\tEcho360 Video Plattform out only" + +if $allow_echo360_video_streaming ; then + + for _dev in ${ext_if_arr[@]} ; do + + $ipt -A OUTPUT -o $_dev -p udp -m multiport --dports $standard_echo360_udp_ports -m conntrack --ctstate NEW -j ACCEPT + + if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then + $ipt -A FORWARD -o $_dev -p udp -m multiport --dports $standard_echo360_udp_ports -m conntrack --ctstate NEW -j ACCEPT + fi + done + echo_done +else + echo_skipped +fi + + # --- # - BigBlueButton Video Conference Service out only # --- 
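Review bot: The eight flags in the `if $allow_outbound_streaming || … || $allow_nc_talk_out` chain are expanded unquoted and executed as commands; if any of them is unset or empty in the sourced configuration, that term becomes a null command with exit status 0 and the whole Turn/Stun block — including the `49152:65535/UDP` rules — is enabled. Writing each term as `${allow_alfaview_video_conference_out:-false}` (and likewise for the other seven) keeps an undeclared flag from being read as permission. The same chain is in the ip6t-firewall-gateway hunk above.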
@@ -3894,21 +3985,29 @@ fi # --- -# - TURN Server (Stun Server) (for Nextcloud 'talk' app) +# - Nextcloud 'talk' App # --- -echononl "\t\tTURN Server (Stun Server) (for Nextcloud 'talk' app)out only" +echononl "\t\tNextcloud 'talk' App" if $allow_nc_talk_out ; then for _dev in ${ext_if_arr[@]} ; do - $ipt -A OUTPUT -o $_dev -p tcp -m multiport --dports $nc_turn_ports -m conntrack --ctstate NEW -j ACCEPT - $ipt -A OUTPUT -o $_dev -p udp -m multiport --dports $nc_turn_ports -m conntrack --ctstate NEW -j ACCEPT - $ipt -A OUTPUT -o $_dev -p udp -m multiport --dports $nc_turn_udp_ports -m conntrack --ctstate NEW -j ACCEPT + if [[ -n "$nc_turn_ports" ]] ; then + $ipt -A OUTPUT -o $_dev -p tcp -m multiport --dports $nc_turn_ports -m conntrack --ctstate NEW -j ACCEPT + $ipt -A OUTPUT -o $_dev -p udp -m multiport --dports $nc_turn_ports -m conntrack --ctstate NEW -j ACCEPT + fi + if [[ -n "$nc_turn_udp_ports" ]] ; then + $ipt -A OUTPUT -o $_dev -p udp -m multiport --dports $nc_turn_udp_ports -m conntrack --ctstate NEW -j ACCEPT + fi if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then - $ipt -A FORWARD -o $_dev -p tcp -m multiport --dports $nc_turn_ports -m conntrack --ctstate NEW -j ACCEPT - $ipt -A FORWARD -o $_dev -p udp -m multiport --dports $nc_turn_ports -m conntrack --ctstate NEW -j ACCEPT - $ipt -A FORWARD -o $_dev -p udp -m multiport --dports $nc_turn_udp_ports -m conntrack --ctstate NEW -j ACCEPT + if [[ -n "$nc_turn_ports" ]] ; then + $ipt -A FORWARD -o $_dev -p tcp -m multiport --dports $nc_turn_ports -m conntrack --ctstate NEW -j ACCEPT + $ipt -A FORWARD -o $_dev -p udp -m multiport --dports $nc_turn_ports -m conntrack --ctstate NEW -j ACCEPT + fi + if [[ -n "$nc_turn_udp_ports" ]] ; then + $ipt -A FORWARD -o $_dev -p udp -m multiport --dports $nc_turn_udp_ports -m conntrack --ctstate NEW -j ACCEPT + fi fi done