
[opensuse-security] Custom iptables command doesn't work as expected



Hi,

I am trying to use an iptables command in conjunction with SuSEfirewall2
(version 3.6.295 on openSUSE 12.2, kernel-desktop-3.4.47-2.38.1.x86_64).

Using it standalone, it works as expected:

SuSEfirewall2 stop
iptables -t nat -A OUTPUT -p tcp --dport 1935 -m owner \! --uid-owner root -j REDIRECT

Running rtmpsuck (2.3) behaves as expected (mostly): it catches flv streams
that you display with your browser and stores them. (If not, try to
restart rtmpsuck.)

If this iptables command is integrated in 

/etc/sysconfig/scripts/SuSEfirewall2-custom

it doesn't work anymore: rtmpsuck doesn't detect any streams.

SuSEfirewall2 non-default settings (LAN-client):
FW_DEV_INT="eth0 eth1"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_PROTECT_FROM_INT="no"
FW_KERNEL_SECURITY="no"
FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"

The yes and no settings are an attempt to fix the issue in question.

I would think it doesn't matter from which custom callback this command
is executed, but I have already tried all of them without luck. What's really
strange is that SuSEfirewall2 status shows the relevant entry correctly:

### iptables nat ###
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1935 ! owner UID match 0

And yes, I call rtmpsuck as root (for testing purposes).

BTW, I got the best results with rtmpsuck version 2.3. Neither Packman's git
version nor a self-baked one based on current git "behaved" well.
Since version 2.3 isn't easily available for openSUSE, you can fetch it
here:

  https://build.opensuse.org/package/show/home:frispete:tools/rtmpdump

Does somebody in the audience have an idea why this doesn't work together
with SuSEfirewall2?

Thanks in advance,
Pete
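
One way to tell a rule that is loaded but never hit from one that is matching, by reading the pkts counter of the listing shown in the post. This is an added example, not part of the original message; the function names redirect_pkts and rule_state and the second sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): check whether the nat/OUTPUT
# REDIRECT rule for tcp dport 1935 is loaded and whether anything has hit it.
# Input format: `iptables -t nat -L OUTPUT -v -n -x` (same columns as the
# "SuSEfirewall2 status" excerpt in the post).
# Note: nat rules are evaluated only for the first packet of a connection,
# so this counter counts new connections, not every packet.

# Print the packet counter of the first matching rule; return 1 if none listed.
redirect_pkts() {
    awk '$3 == "REDIRECT" && $4 == "tcp" && /tcp dpt:1935/ { print $1; found = 1; exit }
         END { exit !found }'
}

# Classify the listing on stdin: missing | loaded-no-hits | matching
rule_state() {
    pkts=$(redirect_pkts) || { echo missing; return 0; }
    if [ "$pkts" -gt 0 ]; then echo matching; else echo loaded-no-hits; fi
}

# Listing copied from the post (counter is 0).
SAMPLE_FROM_POST='Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1935 ! owner UID match 0'

# Constructed listing: the same rule after three new connections matched it.
SAMPLE_WITH_HITS='Chain OUTPUT (policy ACCEPT 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   180 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1935 ! owner UID match 0'

printf 'listing from post:    %s\n' "$(printf '%s\n' "$SAMPLE_FROM_POST" | rule_state)"
printf 'constructed listing:  %s\n' "$(printf '%s\n' "$SAMPLE_WITH_HITS" | rule_state)"

# Live use (as root), before and after starting a stream as a non-root user:
#   iptables -t nat -L OUTPUT -v -n -x | rule_state
```
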