Firewalld unable to allow multicast forwarding between two zones
by MastaG from LinuxQuestions.org on (#5GP3K)
Hi there,
I'm trying to set up multicast forwarding to get my IPTV stb working in my local network. For forwarding I'm using igmpproxy, which is working; however, I can't get firewalld to allow the actual forward rules.
eno2.640 is the IPTV upstream interface. It's in my "iptv" zone:
firewall-cmd --zone=iptv --list-all
iptv (active)
target: default
icmp-block-inversion: no
interfaces: eno2.640
sources:
services:
ports:
protocols: igmp
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" destination address="224.0.0.0/4" protocol value="udp" accept
rule family="ipv4" protocol value="igmp" accept
eno1.10 is my local network (192.168.0.1/24). It's in my internal zone:
internal (active)
target: default
icmp-block-inversion: no
interfaces: eno1.10
sources:
services:
ports:
protocols: igmp
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" destination address="224.0.0.0/4" protocol value="udp" accept
rule family="ipv4" protocol value="igmp" accept
I've added the igmp protocol to both zones and added rich rules to accept multicast traffic for destination 224.0.0.0/4 and allow the igmp protocol.
Also I enabled masquerade on the iptv zone as some routing is done using the IPTV gateway.
Furthermore I've added the following direct rules:
ipv4 filter FORWARD 0 -o eno1.10 -i eno2.640 -j ACCEPT
ipv4 filter FORWARD 0 -m pkttype --pkt-type multicast -j ACCEPT
ipv4 raw PREROUTING 0 -i eno2.640 -d 224.0.0.0/4 -j ACCEPT
ipv4 filter INPUT 0 -d 224.0.0.0/4 -j ACCEPT
ipv4 filter INPUT 0 -m pkttype --pkt-type multicast -j ACCEPT
ipv4 nat POSTROUTING 0 -o eno2.640 -j MASQUERADE
Still the kernel is rejecting the multicast traffic:
[1205865.976323] FINAL_REJECT: IN=eno2.640 OUT=eno1.10 MAC=01:00:5e:41:80:74:00:0e:00:00:00:02:08:00 SRC=10.201.2.6 DST=239.193.128.116 LEN=1344 TOS=0x08 PREC=0x80 TTL=17 ID=37 DF PROTO=UDP SPT=5116 DPT=10116 LEN=1324
Any ideas on how to allow forwarding it to my local network?
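A small triage helper for the FINAL_REJECT line above, added here as an example and not part of the original post: it splits the netfilter LOG key=value fields, tells from IN/OUT whether the packet was on the forward or the input path, and flags multicast destinations. The two extra log lines next to the quoted one are constructed for contrast.

```python
import ipaddress
import re

# Constructed sample: the FINAL_REJECT line quoted in the post plus two made-up
# lines (an INPUT-path reject and a unicast forward reject) for contrast.
SAMPLE_LOG = """\
[1205865.976323] FINAL_REJECT: IN=eno2.640 OUT=eno1.10 MAC=01:00:5e:41:80:74:00:0e:00:00:00:02:08:00 SRC=10.201.2.6 DST=239.193.128.116 LEN=1344 TOS=0x08 PREC=0x80 TTL=17 ID=37 DF PROTO=UDP SPT=5116 DPT=10116 LEN=1324
[1205870.112233] FINAL_REJECT: IN=eno2.640 OUT= MAC=00:0e:00:00:00:02:00:0e:00:00:00:01:08:00 SRC=10.201.2.6 DST=10.201.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5 DF PROTO=TCP SPT=44444 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
[1205871.445566] FINAL_REJECT: IN=eno1.10 OUT=eno2.640 MAC=00:0e:00:00:00:01:aa:bb:cc:dd:ee:ff:08:00 SRC=192.168.0.50 DST=10.201.2.6 LEN=48 TOS=0x00 PREC=0x00 TTL=63 ID=6 DF PROTO=UDP SPT=5116 DPT=5116 LEN=28
"""

MULTICAST_V4 = ipaddress.ip_network("224.0.0.0/4")
KV_RE = re.compile(r"(\w+)=(\S*)")                   # key=value tokens; flags like DF have no '='
PREFIX_RE = re.compile(r"^\[\s*[\d.]+\]\s+(\S+?):")  # "[timestamp] FINAL_REJECT:"

def parse_nflog(line):
    """Split one netfilter LOG line into a dict; the first value wins for
    repeated keys such as LEN (IP total length, then UDP length)."""
    fields = {}
    for key, value in KV_RE.findall(line):
        fields.setdefault(key, value)
    m = PREFIX_RE.match(line)
    fields["PREFIX"] = m.group(1) if m else ""
    return fields

def classify(line):
    """Say which netfilter path rejected the packet and whether it was multicast."""
    f = parse_nflog(line)
    iface_in, iface_out = f.get("IN", ""), f.get("OUT", "")
    # IN and OUT both set: the packet was being routed (FORWARD chain).
    # Only IN set: it was addressed to the host itself (INPUT chain).
    path = "FORWARD" if iface_in and iface_out else ("INPUT" if iface_in else "OUTPUT")
    dst = ipaddress.ip_address(f["DST"])
    is_mcast = dst in MULTICAST_V4
    if path == "FORWARD":
        hint = f"rejected while forwarding {iface_in} -> {iface_out}; INPUT rules never see it"
    else:
        hint = f"rejected on the {path} path of {iface_in or iface_out}"
    if is_mcast:
        hint += " (destination is IPv4 multicast, 224.0.0.0/4)"
    return {"prefix": f["PREFIX"], "path": path, "in": iface_in, "out": iface_out,
            "src": f.get("SRC"), "dst": str(dst), "proto": f.get("PROTO"),
            "dport": f.get("DPT"), "multicast": is_mcast, "hint": hint}

def triage(log_text):
    """Classify every firewalld reject/drop line in a block of kernel log text."""
    return [classify(l) for l in log_text.splitlines() if "_REJECT:" in l or "_DROP:" in l]
```

Run `triage(SAMPLE_LOG)` on the quoted line and it reports a FORWARD-path multicast reject from eno2.640 to eno1.10, which is why the INPUT direct rules listed above cannot be what lets it through.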