firewall/ipt-gateway
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Adjust Video and Streaming services.

Browse Source
This commit is contained in:
Christoph 2021-07-01 01:38:23 +02:00
parent c097136b33
commit 1d2d6a6fae
6 changed files with 316 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
conf/default_ports.conf
View File

@ -143,9 +143,15 @@ standard_unifi_udp_ctrl_out_ports="443,3478"
# - outbound port 1936/TCP : outbound streaming over RTMP to LinkedIn # - outbound port 1936/TCP : outbound streaming over RTMP to LinkedIn
# Live (port 1935 is also used for RTMP streaming to LinkedIn) # Live (port 1935 is also used for RTMP streaming to LinkedIn)
# #
# - outbound port 6667/TCP : Twitch Live Chat
#
# - outbound port 10349 : outbound streaming vMix
#
# - outbound ports 2935/TCP and 2396/TCP : outbound streaming over # - outbound ports 2935/TCP and 2396/TCP : outbound streaming over
# RTMPS to LinkedIn Live # RTMPS to LinkedIn Live
# #
# outbound ports 19302:19309 TCP : Google Hangout / Google Meet TCP streaming.
#
# - outbound port 443/TCP (HTTPS) : used for authentication with the # - outbound port 443/TCP (HTTPS) : used for authentication with the
# built-in providers such as YouTube Live, Facebook Live, Ustream, # built-in providers such as YouTube Live, Facebook Live, Ustream,
# Livestream, and Twitch # Livestream, and Twitch
@ -153,14 +159,21 @@ standard_unifi_udp_ctrl_out_ports="443,3478"
# - outbound port 53/UDP (DNS) used for DNS lookups converting # - outbound port 53/UDP (DNS) used for DNS lookups converting
# hostnames to IP addresses # hostnames to IP addresses
# #
standard_outbound_streaming_tcp_ports="1935,1936,2935,2396" # - outbound ports 3478/TCP 19305:19307/TCP WebRTC for browserbased Encoding
# (also used by Google Meet TCP streaming)
#
standard_outbound_streaming_tcp_ports="1935,1936,2935,2396,3478,6667,10349,19302:19309"
# Outbound Streaming Ports UDP # Outbound Streaming Ports UDP
# #
# - outbound port 2088 UDP broadcasting from Mevo or the Livestream mobile app (iOS and Android). # - outbound port 2088 UDP broadcasting from Mevo or the Livestream mobile app (iOS and Android).
# #
standard_outbound_streaming_udp_ports="2088" # - outbound port 10349 : outbound streaming vMix
#
# - outbound ports 19302:19309 UDP : Google Hangout / Google Meet UDP streaming.
#
standard_outbound_streaming_udp_ports="2088,10349,19302:19309"
# Echo360 Video Plattform # Echo360 Video Plattform
@ -219,7 +232,23 @@ standard_jitsi_udp_port_range="10000:20000"
# - TURN Server (Stun Server) (for Nextcloud 'talk' app) # - TURN Server (Stun Server) (for Nextcloud 'talk' app)
# - # -
standard_turn_service_ports="3478:3479,5349:5350" # - UDP/TCP 3478,5349 TURN listener port for UDP and TCP listeners (Default: 3478)
# - TURN listener port for TLS and DTLS listeners (Default: 5349)
# -
# - UDP 49152:65535 For establishing p2p connection (i.e. Nextcloud 'talk' app):
# -
# - Each client will send the data through UDP to the other endpoint:
# - if it's sending to a TURN server (to a relay candidate) it will send
# - to a port between 49152-65535 (if it's sending directly to the other
# - party it will send to any port in the 0-65535 range)
# -
# - --min-port Lower bound of the UDP port range for relay endpoints
# - allocation. Default value is 49152, according to RFC 5766.
# -
# - --max-port Upper bound of the UDP port range for relay endpoints
# - allocation. Default value is 65535, according to RFC 5766.
# -
standard_turn_service_ports="3478,5349"
standard_turn_service_udp_ports="49152:65535" standard_turn_service_udp_ports="49152:65535"
# - alfaview - Video Conferencing Systems # - alfaview - Video Conferencing Systems
@ -230,6 +259,15 @@ standard_turn_service_udp_ports="49152:65535"
standard_alfaview_service_tcp_ports="5380:5390" standard_alfaview_service_tcp_ports="5380:5390"
standard_alfaview_service_udp_ports="5380:5390" standard_alfaview_service_udp_ports="5380:5390"
# - Nextcloud talk App
# -
# - TCP/UDP 3478,3479,5349,5350
# -
# - UDP 49152:65535
# -
standard_nc_turn_ports="3478,3479,5349,5350"
standard_nc_turn_udp_ports="49152:65535"
# ------------- # -------------
# --- Predefined Ports # --- Predefined Ports

4
conf/main_ipv4.conf.sample
View File

@ -980,8 +980,8 @@ local_nc_turn_service=""
# - # -
# - comma separated list # - comma separated list
# - # -
nc_turn_ports="$standard_turn_service_ports" nc_turn_ports="$standard_nc_turn_ports"
nc_turn_udp_ports="$standard_turn_service_udp_ports" nc_turn_udp_ports="$standard_nc_turn_udp_ports"
# ====== # ======

4
conf/main_ipv6.conf.sample
View File

@ -956,8 +956,8 @@ local_nc_turn_service=""
# - # -
# - comma separated list # - comma separated list
# - # -
nc_turn_ports="$standard_turn_service_ports" nc_turn_ports="$standard_nc_turn_ports"
nc_turn_udp_ports="$standard_turn_service_udp_ports" nc_turn_udp_ports="$standard_nc_turn_udp_ports"
# ====== # ======

59
conf/post_decalrations.conf
View File

@ -578,6 +578,23 @@ for _port in $ldap_tcp_ports ; do
ldap_tcp_port_arr+=("$_port") ldap_tcp_port_arr+=("$_port")
done done
# ---
# - Turn/Stun Ports
# ---
declare -a standard_turn_service_port_arr
CUR_IFS="$IFS"
IFS=',' ; for _port in $standard_turn_service_ports ; do
standard_turn_service_port_arr+=("$_port")
done
IFS="$CUR_IFS"
declare -a standard_turn_service_udp_port_arr
CUR_IFS="$IFS"
IFS=',' ; for _port in $standard_turn_service_udp_ports ; do
standard_turn_service_udp_port_arr+=("$_port")
done
IFS="$CUR_IFS"
# --- # ---
# - BigBlueButton Video Conference - adjust 'bigbluebutton_tcp_ports' # - BigBlueButton Video Conference - adjust 'bigbluebutton_tcp_ports'
@ -623,6 +640,48 @@ done
IFS="$CUR_IFS" IFS="$CUR_IFS"
# ---
# - Nextcloud 'talk' app
# ---
declare -a nc_turn_port_arr
CUR_IFS="$IFS"
_tmp_ports="$nc_turn_ports"
nc_turn_ports=""
declare -i count=0
IFS=',' ; for _port in $_tmp_ports ; do
if containsElement "${_port}" "${standard_turn_service_port_arr[@]}" ; then
continue
fi
if [[ $count -eq 0 ]]; then
nc_turn_ports="$_port"
else
nc_turn_ports="${nc_turn_ports},${_port}"
fi
((count++))
done
IFS="$CUR_IFS"
declare -a nc_turn_udp_port_arr
CUR_IFS="$IFS"
_tmp_udp_ports="$nc_turn_udp_ports"
nc_turn_udp_ports=""
declare -i count=0
IFS=',' ; for _port in $_tmp_udp_ports ; do
if containsElement "${_port}" "${standard_turn_service_udp_port_arr[@]}" ; then
continue
fi
if [[ $count -eq 0 ]]; then
nc_turn_udp_ports="$_port"
else
nc_turn_udp_ports="${nc_turn_udp_ports},${_port}"
fi
((count++))
done
IFS="$CUR_IFS"
# --- # ---
# - IPMI # - IPMI
# --- # ---

114
ip6t-firewall-gateway
View File

@ -2985,6 +2985,95 @@ else
fi fi
# ---
# - Outbound Streaming
# ---
echononl "\t\tOutbound Streaming (most providers)"
if $allow_outbound_streaming ; then
for _dev in ${ext_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp -m multiport --dports $standard_outbound_streaming_tcp_ports -m conntrack --ctstate NEW -j ACCEPT
$ip6t -A OUTPUT -o $_dev -p udp -m multiport --dports $standard_outbound_streaming_udp_ports -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
$ip6t -A FORWARD -o $_dev -p tcp -m multiport --dports $standard_outbound_streaming_tcp_ports -m conntrack --ctstate NEW -j ACCEPT
$ip6t -A FORWARD -o $_dev -p udp -m multiport --dports $standard_outbound_streaming_udp_ports -m conntrack --ctstate NEW -j ACCEPT
fi
done
echo_done
else
echo_skipped
fi
# ---
# - Turn/Stun Service
# ---
echononl "\t\tTurn/Stun Service"
if $allow_outbound_streaming \
|| $allow_echo360_video_streaming \
|| $allow_bigbluebutton_video_conference_out \
|| $allow_webex_video_conference_out \
|| $allow_zoom_video_conference_out \
|| $allow_jitsi_video_conference_out \
|| $allow_alfaview_video_conference_out \
|| $allow_nc_talk_out ; then
for _dev in ${ext_if_arr[@]} ; do
for _port in ${standard_turn_service_port_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
$ip6t -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
$ip6t -A FORWARD -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
$ip6t -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
fi
done
for _port in ${standard_turn_service_udp_port_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
$ip6t -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
fi
done
done
echo_done
else
echo_skipped
fi
# ---
# - Echo360 Video Plattform
# ---
echononl "\t\tEcho360 Video Plattform out only"
if $allow_echo360_video_streaming ; then
for _dev in ${ext_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p udp -m multiport --dports $standard_echo360_udp_ports -m conntrack --ctstate NEW -j ACCEPT
if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
$ip6t -A FORWARD -o $_dev -p udp -m multiport --dports $standard_echo360_udp_ports -m conntrack --ctstate NEW -j ACCEPT
fi
done
echo_done
else
echo_skipped
fi
# --- # ---
# - BigBlueButton Video Conference Service out only # - BigBlueButton Video Conference Service out only
# --- # ---
@ -3151,21 +3240,28 @@ fi
# --- # ---
# - TURN Server (Stun Server) (for Nextcloud 'talk' app) # - Nextcloud 'talk' App
# --- # ---
echononl "\t\tTURN Server (Stun Server) (for Nextcloud 'talk' app)out only" echononl "\t\tNextcloud 'talk' App"
if $allow_nc_talk_out ; then if $allow_nc_talk_out ; then
for _dev in ${ext_if_arr[@]} ; do for _dev in ${ext_if_arr[@]} ; do
$ip6t -A OUTPUT -o $_dev -p tcp -m multiport --dports $nc_turn_ports -m conntrack --ctstate NEW -j ACCEPT if [[ -n "$nc_turn_ports" ]] ; then
$ip6t -A OUTPUT -o $_dev -p udp -m multiport --dports $nc_turn_ports -m conntrack --ctstate NEW -j ACCEPT $ip6t -A OUTPUT -o $_dev -p tcp -m multiport --dports $nc_turn_ports -m conntrack --ctstate NEW -j ACCEPT
$ip6t -A OUTPUT -o $_dev -p udp -m multiport --dports $nc_turn_udp_ports -m conntrack --ctstate NEW -j ACCEPT $ip6t -A OUTPUT -o $_dev -p udp -m multiport --dports $nc_turn_ports -m conntrack --ctstate NEW -j ACCEPT
fi
if [[ -n "$nc_turn_udp_ports" ]] ; then
$ip6t -A OUTPUT -o $_dev -p udp -m multiport --dports $nc_turn_udp_ports -m conntrack --ctstate NEW -j ACCEPT
fi
if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
$ip6t -A FORWARD -o $_dev -p tcp -m multiport --dports $nc_turn_ports -m conntrack --ctstate NEW -j ACCEPT if [[ -n "$nc_turn_ports" ]] ; then
$ip6t -A FORWARD -o $_dev -p udp -m multiport --dports $nc_turn_ports -m conntrack --ctstate NEW -j ACCEPT $ip6t -A FORWARD -o $_dev -p tcp -m multiport --dports $nc_turn_ports -m conntrack --ctstate NEW -j ACCEPT
$ip6t -A FORWARD -o $_dev -p udp -m multiport --dports $nc_turn_udp_ports -m conntrack --ctstate NEW -j ACCEPT $ip6t -A FORWARD -o $_dev -p udp -m multiport --dports $nc_turn_ports -m conntrack --ctstate NEW -j ACCEPT
fi
if [[ -n "$nc_turn_udp_ports" ]] ; then
$ip6t -A FORWARD -o $_dev -p udp -m multiport --dports $nc_turn_udp_ports -m conntrack --ctstate NEW -j ACCEPT
fi
fi fi
done done

115
ipt-firewall-gateway
View File

@ -3731,6 +3731,97 @@ else
fi fi
# ---
# - Outbound Streaming
# ---
echononl "\t\tOutbound Streaming (most providers)"
if $allow_outbound_streaming ; then
for _dev in ${ext_if_arr[@]} ; do
$ipt -A OUTPUT -o $_dev -p tcp -m multiport --dports $standard_outbound_streaming_tcp_ports -m conntrack --ctstate NEW -j ACCEPT
$ipt -A OUTPUT -o $_dev -p udp -m multiport --dports $standard_outbound_streaming_udp_ports -m conntrack --ctstate NEW -j ACCEPT
if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
$ipt -A FORWARD -o $_dev -p tcp -m multiport --dports $standard_outbound_streaming_tcp_ports -m conntrack --ctstate NEW -j ACCEPT
$ipt -A FORWARD -o $_dev -p udp -m multiport --dports $standard_outbound_streaming_udp_ports -m conntrack --ctstate NEW -j ACCEPT
fi
done
echo_done
else
echo_skipped
fi
# ---
# - Turn/Stun Service
# ---
echononl "\t\tTurn/Stun Service"
if $allow_outbound_streaming \
|| $allow_echo360_video_streaming \
|| $allow_bigbluebutton_video_conference_out \
|| $allow_webex_video_conference_out \
|| $allow_zoom_video_conference_out \
|| $allow_jitsi_video_conference_out \
|| $allow_alfaview_video_conference_out \
|| $allow_nc_talk_out ; then
for _dev in ${ext_if_arr[@]} ; do
for _port in ${standard_turn_service_port_arr[@]} ; do
$ipt -A OUTPUT -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
$ipt -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
$ipt -A FORWARD -o $_dev -p tcp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
$ipt -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
fi
done
for _port in ${standard_turn_service_udp_port_arr[@]} ; do
$ipt -A OUTPUT -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
$ipt -A FORWARD -o $_dev -p udp --dport $_port -m conntrack --ctstate NEW -j ACCEPT
fi
done
done
echo_done
else
echo_skipped
fi
# ---
# - Echo360 Video Plattform
# ---
echononl "\t\tEcho360 Video Plattform out only"
if $allow_echo360_video_streaming ; then
for _dev in ${ext_if_arr[@]} ; do
$ipt -A OUTPUT -o $_dev -p udp -m multiport --dports $standard_echo360_udp_ports -m conntrack --ctstate NEW -j ACCEPT
if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
$ipt -A FORWARD -o $_dev -p udp -m multiport --dports $standard_echo360_udp_ports -m conntrack --ctstate NEW -j ACCEPT
fi
done
echo_done
else
echo_skipped
fi
# --- # ---
# - BigBlueButton Video Conference Service out only # - BigBlueButton Video Conference Service out only
# --- # ---
@ -3894,21 +3985,29 @@ fi
# --- # ---
# - TURN Server (Stun Server) (for Nextcloud 'talk' app) # - Nextcloud 'talk' App
# --- # ---
echononl "\t\tTURN Server (Stun Server) (for Nextcloud 'talk' app)out only" echononl "\t\tNextcloud 'talk' App"
if $allow_nc_talk_out ; then if $allow_nc_talk_out ; then
for _dev in ${ext_if_arr[@]} ; do for _dev in ${ext_if_arr[@]} ; do
$ipt -A OUTPUT -o $_dev -p tcp -m multiport --dports $nc_turn_ports -m conntrack --ctstate NEW -j ACCEPT if [[ -n "$nc_turn_ports" ]] ; then
$ipt -A OUTPUT -o $_dev -p udp -m multiport --dports $nc_turn_ports -m conntrack --ctstate NEW -j ACCEPT $ipt -A OUTPUT -o $_dev -p tcp -m multiport --dports $nc_turn_ports -m conntrack --ctstate NEW -j ACCEPT
$ipt -A OUTPUT -o $_dev -p udp -m multiport --dports $nc_turn_udp_ports -m conntrack --ctstate NEW -j ACCEPT $ipt -A OUTPUT -o $_dev -p udp -m multiport --dports $nc_turn_ports -m conntrack --ctstate NEW -j ACCEPT
fi
if [[ -n "$nc_turn_udp_ports" ]] ; then
$ipt -A OUTPUT -o $_dev -p udp -m multiport --dports $nc_turn_udp_ports -m conntrack --ctstate NEW -j ACCEPT
fi
if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
$ipt -A FORWARD -o $_dev -p tcp -m multiport --dports $nc_turn_ports -m conntrack --ctstate NEW -j ACCEPT if [[ -n "$nc_turn_ports" ]] ; then
$ipt -A FORWARD -o $_dev -p udp -m multiport --dports $nc_turn_ports -m conntrack --ctstate NEW -j ACCEPT $ipt -A FORWARD -o $_dev -p tcp -m multiport --dports $nc_turn_ports -m conntrack --ctstate NEW -j ACCEPT
$ipt -A FORWARD -o $_dev -p udp -m multiport --dports $nc_turn_udp_ports -m conntrack --ctstate NEW -j ACCEPT $ipt -A FORWARD -o $_dev -p udp -m multiport --dports $nc_turn_ports -m conntrack --ctstate NEW -j ACCEPT
fi
if [[ -n "$nc_turn_udp_ports" ]] ; then
$ipt -A FORWARD -o $_dev -p udp -m multiport --dports $nc_turn_udp_ports -m conntrack --ctstate NEW -j ACCEPT
fi
fi fi
done done