New Member
Posts: 28
Registered: 06-20-2014
Kudos: 8
Solutions: 2

Firewall and IGMP-Proxy

Hello,

I'm attempting to make my ERL friendly toward my ISP's IPTV service. They provide a TV decoder, plugged into the home gateway's LAN, and an insane amount of specific negotiation happens...

They use multicast for broadcasted channels and IGMP-Proxy is helping here. With no firewall, it's fine.

But I'm struggling to get my firewall up and running with basic protection *and* the specifics needed for my ISP's multicast streams...

Luckily, we have the iptables rules used in the ISP's home gateway. Sadly, I'm not skilled enough to "translate" their rules into CLI-compliant commands for the WAN_IN/WAN_LOCAL rule sets. Would you mind helping with this?

Iptables:

Chain INPUT (policy DROP)
target     prot opt source       destination
ACCEPT     all  --  anywhere     base-address.mcast.net/4
ACCEPT     all  --  anywhere     anywhere  state RELATED, ESTABLISHED
ACCEPT     all  --  anywhere     anywhere
ACLS_FILTER  tcp  --  anywhere   anywhere  dports 1287,1288 state NEW
ACCEPT     udp  --  anywhere     anywhere  udp dpt:bootpc state NEW
ICMP_FILTER  icmp --  anywhere   anywhere
LAN_FILTER  all  --  anywhere    anywhere  state NEW
ACCEPT     igmp --  anywhere     anywhere
SIP_FILTER  all  --  anywhere    anywhere  state NEW

and

Chain FORWARD (policy ACCEPT)
target     prot opt source       destination
ACCEPT     all  --  anywhere     base-address.mcast.net/4
ACCEPT     all  --  anywhere     anywhere   state RELATED,ESTABLISHED
WIN_FILTER  all  --  anywhere    anywhere   state NEW
WIN_FILTER  all  --  anywhere    anywhere   state NEW
SMTP_FILTER  tcp  --  anywhere   anywhere   tcp dpt:smtp


Thanks!
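The "translation" the question asks for can be started mechanically. The Python below is an added example, not code from this thread or from Ubiquiti: it parses the pasted `iptables -L` INPUT chain and emits EdgeOS `set firewall name WAN_LOCAL ...` commands. It assumes that the gateway's INPUT chain plays the role of WAN_LOCAL and FORWARD the role of WAN_IN, numbers the rules 10, 20, ..., and deliberately emits only a comment for two kinds of line it cannot translate safely: jumps to user-defined chains (ACLS_FILTER, ICMP_FILTER, LAN_FILTER, SIP_FILTER), whose contents are not in the listing, and the bare `ACCEPT all anywhere anywhere`, because `iptables -L` without `-v` hides interface matches (`-i lo`, `-i br0` and the like) and copying that line literally would accept everything from WAN.

```python
"""Translate an `iptables -L` listing into EdgeOS `set firewall ...` commands.

Added example for the question above; it is not code from the thread or
from Ubiquiti.  The chain-to-ruleset mapping, the rule numbering (10, 20,
...) and the decision to skip user-defined chains and unconditional
ACCEPTs are this example's own assumptions.
"""
import re

# Constructed sample: the INPUT chain pasted in the question.
SAMPLE_INPUT_CHAIN = """\
Chain INPUT (policy DROP)
target     prot opt source       destination
ACCEPT     all  --  anywhere     base-address.mcast.net/4
ACCEPT     all  --  anywhere     anywhere  state RELATED, ESTABLISHED
ACCEPT     all  --  anywhere     anywhere
ACLS_FILTER  tcp  --  anywhere   anywhere  dports 1287,1288 state NEW
ACCEPT     udp  --  anywhere     anywhere  udp dpt:bootpc state NEW
ICMP_FILTER  icmp --  anywhere   anywhere
LAN_FILTER  all  --  anywhere    anywhere  state NEW
ACCEPT     igmp --  anywhere     anywhere
SIP_FILTER  all  --  anywhere    anywhere  state NEW
"""

# Assumption: the gateway's INPUT chain plays the role of EdgeOS WAN_LOCAL
# (traffic addressed to the router) and FORWARD that of WAN_IN (traffic
# passing through it).
CHAIN_TO_RULESET = {"INPUT": "WAN_LOCAL", "FORWARD": "WAN_IN"}

# Symbolic names iptables prints in place of numbers (from /etc/hosts and
# /etc/services); EdgeOS wants the numeric forms.
HOSTNAMES = {"base-address.mcast.net": "224.0.0.0"}
SERVICES = {"bootps": "67", "bootpc": "68", "smtp": "25"}


def parse_chain(listing):
    """Split one `iptables -L` chain into (name, policy, [rule dicts])."""
    lines = [ln for ln in listing.splitlines() if ln.strip()]
    m = re.match(r"Chain (\S+) \(policy (\S+)\)", lines[0])
    if not m:
        raise ValueError("expected a 'Chain NAME (policy P)' header")
    rules = []
    for line in lines[2:]:  # lines[1] is the column header
        parts = line.split()
        target, prot, _opt, src, dst = parts[:5]
        # "RELATED, ESTABLISHED" in the paste has a stray space; join it.
        extras = re.sub(r",\s+", ",", " ".join(parts[5:]))
        rules.append({"target": target, "prot": prot, "src": src,
                      "dst": dst, "extras": extras})
    return m.group(1), m.group(2), rules


def resolve_addr(token):
    """'anywhere' -> None; symbolic host[/prefix] -> numeric CIDR."""
    if token == "anywhere":
        return None
    host, _, plen = token.partition("/")
    host = HOSTNAMES.get(host, host)
    return f"{host}/{plen}" if plen else host


def translate_rule(ruleset, num, rule):
    """Return the `set` commands for one rule, or a single comment line
    explaining why the rule was not translated."""
    prefix = f"set firewall name {ruleset} rule {num}"
    if rule["target"] != "ACCEPT":
        return [f"# rule {num}: target {rule['target']} is a user-defined chain "
                "whose contents are not in the listing; skipped"]
    matches = []
    for field, addr in (("source", resolve_addr(rule["src"])),
                        ("destination", resolve_addr(rule["dst"]))):
        if addr:
            matches.append(f"{field} address {addr}")
    if rule["prot"] != "all":
        matches.append(f"protocol {rule['prot']}")
    m = re.search(r"dpts?:(\S+)|dports (\S+)", rule["extras"])
    if m:
        names = (m.group(1) or m.group(2)).split(",")
        matches.append("destination port " + ",".join(SERVICES.get(n, n) for n in names))
    m = re.search(r"state (\S+)", rule["extras"])
    if m:
        matches.extend(f"state {s.lower()} enable" for s in m.group(1).split(","))
    if not matches:
        # `iptables -L` without -v hides interface matches (-i lo, -i br0 ...),
        # so an ACCEPT that appears unconditional almost certainly had one.
        # Copying it as-is would open the router to everything from WAN.
        return [f"# rule {num}: ACCEPT with no visible match; re-run "
                "`iptables -L -v` to see the interface it was bound to"]
    return [f"{prefix} action accept"] + [f"{prefix} {mt}" for mt in matches]


def translate_chain(listing):
    """Translate a whole chain; returns a list of `set` commands and comments."""
    chain, policy, rules = parse_chain(listing)
    ruleset = CHAIN_TO_RULESET[chain]
    out = [f"set firewall name {ruleset} default-action {policy.lower()}"]
    for i, rule in enumerate(rules, start=1):
        out.extend(translate_rule(ruleset, i * 10, rule))
    return out


if __name__ == "__main__":
    print("\n".join(translate_chain(SAMPLE_INPUT_CHAIN)))
```

The FORWARD chain from the question goes through the same function and maps to WAN_IN; note that its `policy ACCEPT` would become `default-action accept`, whereas a WAN-facing rule set should normally default to drop, as the accepted solution does.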


Accepted Solutions
New Member
Posts: 28
Registered: 06-20-2014
Kudos: 8
Solutions: 2

Re: Firewall and IGMP-Proxy

Solved.

I did the following (and it works!)...

Please, suggestions for improvement are more than welcome!

 firewall {
     all-ping enable
     broadcast-ping disable
     ipv6-receive-redirects disable
     ipv6-src-route disable
     ip-src-route disable
     log-martians enable
     name WAN_IN {
         default-action drop
         description "WAN to LAN"
         enable-default-log
         rule 5 {
             action accept
             description "Allow Multicast"
             destination {
                 address 224.0.0.0/4
             }
             log disable
         }
         rule 10 {
             action accept
             description "Allow established/related"
             log disable
             state {
                 established enable
                 invalid disable
                 new disable
                 related enable
             }
         }
         rule 15 {
             action accept
             description "Allow TCP ports 1287, 1288"
             destination {
                 port 1287,1288
             }
             log disable
             protocol tcp
             state {
                 new enable
             }
         }
         rule 20 {
             action accept
             description "Allow UDP to Multicast"
             destination {
                 address 224.0.0.0/4
             }
             log disable
             protocol udp
             state {
                 new enable
             }
         }
         rule 25 {
             action accept
             description "Allow icmp"
             log disable
             protocol icmp
             state {
                 established enable
                 related enable
             }
         }
         rule 30 {
             action accept
             description "Allow igmp"
             log disable
             protocol igmp
         }
         rule 100 {
             action drop
             description "Drop invalid state"
             log disable
             protocol all
             state {
                 established disable
                 invalid enable
                 new disable
                 related disable
             }
         }
     }
     name WAN_LOCAL {
         default-action drop
         description "WAN to Router"
         enable-default-log
         rule 5 {
             action accept
             description "Allow Multicast"
             destination {
                 address 224.0.0.0/4
             }
             log disable
         }
         rule 10 {
             action accept
             description "Allow established/related"
             log disable
             state {
                 established enable
                 related enable
             }
         }
         rule 100 {
             action drop
             description "Drop invalid state"
             log enable
             protocol all
             state {
                 established disable
                 invalid enable
                 new disable
                 related disable
             }
         }
     }
     options {
         mss-clamp {
             mss 1452
         }
     }
     receive-redirects disable
     send-redirects enable
     source-validation disable
     syn-cookies enable
 }



All Replies
Regular Member
Posts: 334
Registered: 04-25-2014
Kudos: 273
Solutions: 13

Re: Firewall and IGMP-Proxy

It looks to me like your rule 20 (WAN_IN) is completely redundant, as matching traffic will always be caught by rule 5 (WAN_IN).

By the way, are you aware of this document on firewall IGMP-proxies?
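The redundancy pointed out above can be checked mechanically rather than by eye. The Python below is an added example, not code from this thread or from Ubiquiti: it models each WAN_IN rule by protocol, destination network, destination ports and connection states (a simplification of EdgeOS matching that is this example's own assumption; interfaces, source addresses and ICMP types are not modelled), transcribes the WAN_IN rules from the accepted solution, and reports every rule that an earlier rule already covers completely. It goes a step beyond the comment above: besides rule 20 (covered by rule 5) it also flags rule 25, because rule 10 already accepts every established/related packet regardless of protocol, and it distinguishes a merely redundant rule from one whose action differs from the covering rule, which is unreachable and therefore a policy bug rather than clutter.

```python
"""Find firewall rules that can never match because an earlier rule in the
same ruleset already matches everything they would.

Added example illustrating the rule-20 observation above; not code from
the thread or from Ubiquiti.  The rule model (protocol, destination
network, destination ports, connection states) is a simplification of
EdgeOS matching and is this example's own assumption; the WAN_IN rules
are transcribed from the configuration posted in the accepted solution.
"""
import ipaddress

ANY = None  # field not constrained by the rule


def rule(num, action, proto=ANY, dst=ANY, ports=ANY, states=ANY, desc=""):
    """Build one rule; unspecified fields match anything."""
    return {
        "num": num, "action": action, "desc": desc, "proto": proto,
        "dst": ipaddress.ip_network(dst) if dst else ANY,
        "ports": frozenset(ports) if ports else ANY,
        "states": frozenset(states) if states else ANY,
    }


# Constructed from the WAN_IN ruleset in the accepted solution.
WAN_IN = [
    rule(5, "accept", dst="224.0.0.0/4", desc="Allow Multicast"),
    rule(10, "accept", states={"established", "related"},
         desc="Allow established/related"),
    rule(15, "accept", proto="tcp", ports={1287, 1288}, states={"new"},
         desc="Allow TCP ports 1287, 1288"),
    rule(20, "accept", proto="udp", dst="224.0.0.0/4", states={"new"},
         desc="Allow UDP to Multicast"),
    rule(25, "accept", proto="icmp", states={"established", "related"},
         desc="Allow icmp"),
    rule(30, "accept", proto="igmp", desc="Allow igmp"),
    rule(100, "drop", states={"invalid"}, desc="Drop invalid state"),
]


def covers(a, b):
    """True if every packet matched by rule b is also matched by rule a,
    i.e. a's constraint on every field is no tighter than b's."""
    if a["proto"] is not ANY and a["proto"] != b["proto"]:
        return False
    if a["dst"] is not ANY and (b["dst"] is ANY or not b["dst"].subnet_of(a["dst"])):
        return False
    if a["ports"] is not ANY and (b["ports"] is ANY or not b["ports"] <= a["ports"]):
        return False
    if a["states"] is not ANY and (b["states"] is ANY or not b["states"] <= a["states"]):
        return False
    return True


def shadowed_rules(rules):
    """Return (later_num, earlier_num, same_action) for every rule that an
    earlier rule fully covers.  same_action=True means the later rule is
    merely redundant; False means it is unreachable, so its intended
    action never applies, which is a real policy bug."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                found.append((later["num"], earlier["num"],
                              earlier["action"] == later["action"]))
                break
    return found


if __name__ == "__main__":
    for later, earlier, same in shadowed_rules(WAN_IN):
        kind = "redundant" if same else "UNREACHABLE"
        print(f"rule {later} is {kind}: fully covered by rule {earlier}")
```

Splitting the icmp rule by ICMP type, as planned later in the thread, falls outside this model; a rule that matches on a field the model does not know about would have to be added to `covers` before the check can be trusted for it.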

New Member
Posts: 28
Registered: 06-20-2014
Kudos: 8
Solutions: 2

Re: Firewall and IGMP-Proxy

Hi!

I agree. And I'm wondering why my ISP put a similar rule set into their own box...

Anyhow, I will fine-tune my firewall according to your suggestion. I'm also planning to split the icmp rule to allow specific packet types.


Thank you!

Regular Member
Posts: 334
Registered: 04-25-2014
Kudos: 273
Solutions: 13

Re: Firewall and IGMP-Proxy

I think your rule 5 can be removed, as multicast traffic is never forwarded (chain in). It is only directed to the router itself (chain local). Could you please remove the rule and check whether everything still works for you? Please report back.

New Member
Posts: 28
Registered: 06-20-2014
Kudos: 8
Solutions: 2

Re: Firewall and IGMP-Proxy

Hello rjh2805,

Actually, removing WAN_IN rule 5 will stop my stream. Looks like I need it.

Btw, I removed only rule 20 as suggested earlier and it works fine.
