From 32048f3a35dea45378a3ded25eaf61026663cbe5 Mon Sep 17 00:00:00 2001
From: Christoph
Date: Wed, 1 Apr 2020 00:54:16 +0200
Subject: [PATCH] Add suport for BigBlueButton video conference service.

---
 conf/default_ports.conf | 5 +++++
 conf/main_ipv4.conf.sample | 22 ++++++++++++++++++++++
 conf/main_ipv6.conf.sample | 22 ++++++++++++++++++++++
 ip6t-firewall-gateway | 29 +++++++++++++++++++++++++++++
 ipt-firewall-gateway | 29 +++++++++++++++++++++++++++++
 5 files changed, 107 insertions(+)

diff --git a/conf/default_ports.conf b/conf/default_ports.conf
index 4238eed..2216e12 100644
--- a/conf/default_ports.conf
+++ b/conf/default_ports.conf
@@ -49,6 +49,11 @@ standard_ipsec_nat_t=4500
 standard_http_ports="80,443"
 standard_mailuser_ports="587,465,110,995,143,993"
 
+# - BigBlueButton Video Conference Service
+# -
+standard_bigbluebutton_tcp_ports="$standard_http_ports"
+standard_bigbluebutton_udp_port_range="16384:32768"
+
 # - Jitsi Video Conference Service
 # -
 standard_jitsi_tcp_ports="$standard_http_ports"
diff --git a/conf/main_ipv4.conf.sample b/conf/main_ipv4.conf.sample
index e05d03e..9bd6464 100644
--- a/conf/main_ipv4.conf.sample
+++ b/conf/main_ipv4.conf.sample
@@ -800,6 +800,27 @@ snmp_trap_port="$standard_snmp_trap_port"
 mumble_ports="64738"
 
 
+# ======
+# - BigBlueButton Video Conference Service
+# ======
+
+# - BigBlueButton Video Conference Service Gateway
+# -
+# - NOT YET IMPLEMENTED
+# -
+local_bigbluebutton_video_conference_service=false
+
+# - BigBlueButton Video Conference Service Ports
+# -
+# - TCP 80: Webinterface.
+# - TCP 443: Webinterface (SSL)
+# -
+# - UDP 16384-32768: FreeSWITCH/HTML5 RTP streams
+# -
+bigbluebutton_tcp_ports="$standard_bigbluebutton_tcp_ports"
+bigbluebutton_udp_ports="$standard_bigbluebutton_udp_port_range"
+
+
 # ======
 # - Jitsi Video Conference Service
 # ======
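Review bot: The ports comment block documents the port numbers but not how the gateway consumes the two variables, which is what a user editing this sample needs to know. `bigbluebutton_udp_ports` is assigned a `first:last` multiport range rather than a comma-separated list, and the gateway hunks in this patch only create the TCP rules when `bigbluebutton_tcp_ports` differs from `standard_http_ports`. I would add, below the UDP line of the comment, `# - bigbluebutton_udp_ports is a multiport range "first:last", not a port list` and `# - TCP rules are only added when bigbluebutton_tcp_ports differs from standard_http_ports`. The identical hunk in conf/main_ipv6.conf.sample should get the same two lines.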
@@ -1297,6 +1318,7 @@ allow_mysql_request_out=true
 allow_ipmi_request_out=true
 allow_remote_console_request_out=true
 allow_mumble_request_out=true
+allow_bigbluebutton_video_conference_out=true
 allow_jitsi_video_conference_out=true
 allow_nc_talk_out=true
 
diff --git a/conf/main_ipv6.conf.sample b/conf/main_ipv6.conf.sample
index 7a28479..1c32ab2 100644
--- a/conf/main_ipv6.conf.sample
+++ b/conf/main_ipv6.conf.sample
@@ -769,6 +769,27 @@ snmp_trap_port="$standard_snmp_trap_port"
 mumble_ports="64738"
 
 
+# ======
+# - BigBlueButton Video Conference Service
+# ======
+
+# - BigBlueButton Video Conference Service Gateway
+# -
+# - NOT YET IMPLEMENTED
+# -
+local_bigbluebutton_video_conference_service=false
+
+# - BigBlueButton Video Conference Service Ports
+# -
+# - TCP 80: Webinterface.
+# - TCP 443: Webinterface (SSL)
+# -
+# - UDP 16384-32768: FreeSWITCH/HTML5 RTP streams
+# -
+bigbluebutton_tcp_ports="$standard_bigbluebutton_tcp_ports"
+bigbluebutton_udp_ports="$standard_bigbluebutton_udp_port_range"
+
+
 # ======
 # - Jitsi Video Conference Service
 # ======
@@ -1240,6 +1261,7 @@ allow_mysql_request_out=true
 allow_ipmi_request_out=true
 allow_remote_console_request_out=true
 allow_mumble_request_out=true
+allow_bigbluebutton_video_conference_out=true
 allow_jitsi_video_conference_out=true
 allow_nc_talk_out=true
 
diff --git a/ip6t-firewall-gateway b/ip6t-firewall-gateway
index 5fc6daa..76fc170 100755
--- a/ip6t-firewall-gateway
+++ b/ip6t-firewall-gateway
@@ -2858,6 +2858,35 @@ else
 fi
 
 
+# ---
+# - BigBlueButton Video Conference Service out only
+# ---
+
+echononl "\t\tBigBlueButton Video Conference Service out only"
+
+if $allow_jitsi_video_conference_out ; then
+ for _dev in ${ext_if_arr[@]} ; do
+
+ if [[ "$bigbluebutton_tcp_ports" != "$standard_http_ports" ]] ; then
+ $ip6t -A OUTPUT -o $_dev -p tcp -m multiport --dports $bigbluebutton_tcp_ports -m conntrack --ctstate NEW -j ACCEPT
+ if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
+ $ip6t -A FORWARD -o $_dev -p tcp -m multiport --dports $bigbluebutton_tcp_ports -m conntrack --ctstate NEW -j ACCEPT
+ fi
+ fi
+
+ $ip6t -A OUTPUT -o $_dev -p udp -m multiport --dports $bigbluebutton_udp_ports -m conntrack --ctstate NEW -j ACCEPT
+
+ if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
+ $ip6t -A FORWARD -o $_dev -p udp -m multiport --dports $bigbluebutton_udp_ports -m conntrack --ctstate NEW -j ACCEPT
+ fi
+
+ done
+ echo_done
+else
+ echo_skipped
+fi
+
+
 # ---
 # - Jitsi Video Conference Service out only
 # ---
diff --git a/ipt-firewall-gateway b/ipt-firewall-gateway
index ecb0695..6128e8f 100755
--- a/ipt-firewall-gateway
+++ b/ipt-firewall-gateway
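Review bot: The new IPv6 BigBlueButton block is gated on the wrong option: `if $allow_jitsi_video_conference_out ; then` should read `if $allow_bigbluebutton_video_conference_out ; then`, as the ipt-firewall-gateway hunk does, otherwise these rules follow the Jitsi setting and the `allow_bigbluebutton_video_conference_out` option added to main_ipv6.conf.sample has no effect. The UDP FORWARD rule is also conditioned on `$kernel_forward_between_interfaces` while the TCP FORWARD rule a few lines above and both FORWARD rules in the IPv4 script use `$kernel_activate_forwarding`; unless that difference is intended it should be `if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then`. Separately, in both this hunk and the ipt-firewall-gateway one, the UDP ACCEPT rules match `--dports 16384:32768` with no destination address match, so with forwarding enabled every host behind the gateway gets outbound NEW UDP to that whole range towards any destination. That is broader than one conferencing service needs; consider scoping the rule to a configurable list of BigBlueButton server addresses, or at least stating the breadth in a comment above the rule, e.g. `# - NOTE: destination-unrestricted; any host may be reached on UDP 16384-32768`.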
@@ -3568,6 +3568,35 @@ else
 fi
 
 
+# ---
+# - BigBlueButton Video Conference Service out only
+# ---
+
+echononl "\t\tBigBlueButton Video Conference Service out only"
+
+if $allow_bigbluebutton_video_conference_out ; then
+ for _dev in ${ext_if_arr[@]} ; do
+
+ if [[ "$bigbluebutton_tcp_ports" != "$standard_http_ports" ]] ; then
+ $ipt -A OUTPUT -o $_dev -p tcp -m multiport --dports $bigbluebutton_tcp_ports -m conntrack --ctstate NEW -j ACCEPT
+ if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
+ $ipt -A FORWARD -o $_dev -p tcp -m multiport --dports $bigbluebutton_tcp_ports -m conntrack --ctstate NEW -j ACCEPT
+ fi
+ fi
+
+ $ipt -A OUTPUT -o $_dev -p udp -m multiport --dports $bigbluebutton_udp_ports -m conntrack --ctstate NEW -j ACCEPT
+
+ if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
+ $ipt -A FORWARD -o $_dev -p udp -m multiport --dports $bigbluebutton_udp_ports -m conntrack --ctstate NEW -j ACCEPT
+ fi
+
+ done
+ echo_done
+else
+ echo_skipped
+fi
+
+
 # ---
 # - Jitsi Video Conference Service out only
 # ---