[jitsi-users] videobridge and port


#1

Hi everybody
I've some questions about ports and videobridge.
My server is at home, behind an internet box, so behind a NAT. I've installed Jitsi-meet on my server, forwarded ports 443 and 4443 (TCP) and 10000 (UDP) to my server, and opened these ports on my server. Everything is OK: when I do a tcpdump on port 10000 on my server, I see traffic (when there's a conversation, obviously).
BUT: when I don't forward port 10000 on my box to my server, everything is OK, and I see traffic on this port (10000) with tcpdump ???
And if I close this port on the server's firewall, everything is OK and I see traffic on this port ...???:

yann# cat /etc/iptables.rules
*filter
-F
-X
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# ssh
-A INPUT -p tcp --dport 22 -j ACCEPT
# jitsi-meet
-A INPUT -p tcp --dport 4443 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p udp --dport 10000 -j DROP

COMMIT

yann# iptables-restore < /etc/iptables.rules
yann# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:4443
ACCEPT tcp -- anywhere anywhere tcp dpt:https
DROP udp -- anywhere anywhere udp dpt:10000

Chain FORWARD (policy DROP)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

yann# tcpdump port 10000
15:12:16.022038 IP XXXXXX.ddns.net.10000 > t430.home.52214: UDP, length 50
15:12:16.034700 IP lolotte-lenovo-b50-30.home.51455 > XXXXXX.ddns.net.10000: UDP, length 22
15:12:16.055907 IP t430.home.52214 > XXXXXX.ddns.net.10000: UDP, length 50
15:12:16.055930 IP t430.home.52214 > XXXXXX.ddns.net.10000: UDP, length 22
15:12:16.056393 IP XXXXXX.ddns.net.10000 > lolotte-lenovo-b50-30.home.51455: UDP, length 42
15:12:16.056535 IP XXXXXX.ddns.net.10000 > lolotte-lenovo-b50-30.home.51455: UDP, length 93
15:12:16.060868 IP t430.home.52214 > XXXXXX.ddns.net.10000: UDP, length 93
15:12:16.182548 IP t430.home.52214 > XXXXXX.ddns.net.10000: UDP, length 104
15:12:16.182933 IP XXXXXX.ddns.net.10000 > t430.home.52214: UDP, length 104
15:12:16.240624 IP t430.home.52214 > XXXXXX.ddns.net.10000: UDP, length 22
15:12:16.321460 IP XXXXXX.ddns.net.10000 > t430.home.52214: UDP, length 116
15:12:16.324192 IP t430.home.52214 > XXXXXX.ddns.net.10000: UDP, length 64
15:12:16.385143 IP t430.home.52214 > XXXXXX.ddns.net.10000: UDP, length 22
15:12:16.478603 IP lolotte-lenovo-b50-30.home.51455 > XXXXXX.ddns.net.10000: UDP, length 50
15:12:16.479224 IP XXXXXX.ddns.net.10000 > t430.home.52214: UDP, length 42
15:12:16.543721 IP t430.home.52214 > XXXXXX.ddns.net.10000: UDP, length 22
15:12:16.898984 IP lolotte-lenovo-b50-30.home.51455 > XXXXXX.ddns.net.10000: UDP, length 22
15:12:16.985077 IP t430.home.52214 > XXXXXX.ddns.net.10000: UDP, length 50
15:12:16.985735 IP XXXXXX.ddns.net.10000 > lolotte-lenovo-b50-30.home.51455: UDP, length 42
15:12:16.990505 IP t430.home.52214 > XXXXXX.ddns.net.10000: UDP, length 22
15:12:17.053357 IP lolotte-lenovo-b50-30.home.51455 > XXXXXX.ddns.net.10000: UDP, length 22
15:12:17.059358 IP lolotte-lenovo-b50-30.home.51455 > XXXXXX.ddns.net.10000: UDP, length 22
My server is behind a NAT, so how is it possible ?
Is this due to this line: -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT ?

Could you explain this to me, please?

Yann


--
Sent securely with Tutanota. Get your encrypted email address today!


#2

Hi,

Hi everybody

I've some questions about ports and videobridge.

My server is at home, behind an internet box, so behind a NAT. I've installed Jitsi-meet on my server, forwarded ports 443 and 4443 (TCP) and 10000 (UDP) to my server, and opened these ports on my server.
Everything is OK: when I do a tcpdump on port 10000 on my server, I see traffic (when there's a conversation, obviously).

BUT: when I don't forward port 10000 on my box to my server, everything is OK, and I see traffic on this port (10000) with tcpdump ???

And if I close this port on the server's firewall, everything is OK and I see traffic on this port ...???:

yann# cat /etc/iptables.rules
*filter
-F
-X
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# ssh
-A INPUT -p tcp --dport 22 -j ACCEPT
# jitsi-meet
-A INPUT -p tcp --dport 4443 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p udp --dport 10000 -j DROP

COMMIT

yann# iptables-restore < /etc/iptables.rules
yann# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:4443
ACCEPT tcp -- anywhere anywhere tcp dpt:https
DROP udp -- anywhere anywhere udp dpt:10000

Chain FORWARD (policy DROP)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

yann# tcpdump port 10000
15:12:16.022038 IP XXXXXX.ddns.net.10000 > t430.home.52214: UDP, length 50
15:12:16.034700 IP lolotte-lenovo-b50-30.home.51455 > XXXXXX.ddns.net.10000: UDP, length 22
15:12:16.055907 IP t430.home.52214 > XXXXXX.ddns.net.10000: UDP, length 50
15:12:16.055930 IP t430.home.52214 > XXXXXX.ddns.net.10000: UDP, length 22
15:12:16.056393 IP XXXXXX.ddns.net.10000 > lolotte-lenovo-b50-30.home.51455: UDP, length 42
15:12:16.056535 IP XXXXXX.ddns.net.10000 > lolotte-lenovo-b50-30.home.51455: UDP, length 93
15:12:16.060868 IP t430.home.52214 > XXXXXX.ddns.net.10000: UDP, length 93
15:12:16.182548 IP t430.home.52214 > XXXXXX.ddns.net.10000: UDP, length 104
15:12:16.182933 IP XXXXXX.ddns.net.10000 > t430.home.52214: UDP, length 104
15:12:16.240624 IP t430.home.52214 > XXXXXX.ddns.net.10000: UDP, length 22
15:12:16.321460 IP XXXXXX.ddns.net.10000 > t430.home.52214: UDP, length 116
15:12:16.324192 IP t430.home.52214 > XXXXXX.ddns.net.10000: UDP, length 64
15:12:16.385143 IP t430.home.52214 > XXXXXX.ddns.net.10000: UDP, length 22
15:12:16.478603 IP lolotte-lenovo-b50-30.home.51455 > XXXXXX.ddns.net.10000: UDP, length 50
15:12:16.479224 IP XXXXXX.ddns.net.10000 > t430.home.52214: UDP, length 42
15:12:16.543721 IP t430.home.52214 > XXXXXX.ddns.net.10000: UDP, length 22
15:12:16.898984 IP lolotte-lenovo-b50-30.home.51455 > XXXXXX.ddns.net.10000: UDP, length 22
15:12:16.985077 IP t430.home.52214 > XXXXXX.ddns.net.10000: UDP, length 50
15:12:16.985735 IP XXXXXX.ddns.net.10000 > lolotte-lenovo-b50-30.home.51455: UDP, length 42
15:12:16.990505 IP t430.home.52214 > XXXXXX.ddns.net.10000: UDP, length 22
15:12:17.053357 IP lolotte-lenovo-b50-30.home.51455 > XXXXXX.ddns.net.10000: UDP, length 22
15:12:17.059358 IP lolotte-lenovo-b50-30.home.51455 > XXXXXX.ddns.net.10000: UDP, length 22

My server is behind a NAT, so how is it possible ?

Is this due to this line: -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT ?

Yes. The bridge will start sending binding requests as soon as it receives a candidate for the client. So subsequent packets from the client will match RELATED (I think).

Note that this might not work in all cases, e.g. if the clients are behind certain types of NATs. We recommend that you allow all incoming packets on UDP/10000 for the bridge. And for testing you can explicitly add "--dport 10000 -j DROP" early in the INPUT chain.

Regards,
Boris


On 27/05/2018 14:37, yannick.rousseau@tutanota.com wrote:
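The mechanism Boris describes (the bridge's own outbound packet creates a conntrack flow, so the peer's later packets match the state rule before the DROP rule is reached) can be replayed against the capture from the thread. The following Python is an added example, not code from Jitsi or from either poster: it parses a few of the tcpdump lines from the thread, models the UDP conntrack table and the INPUT chain as a first-match rule list, and runs the same packets through the chain as posted, through the chain with UDP/10000 allowed as recommended, and through Boris's test variant with the DROP placed before the state rule. The hostnames are the ones in the capture; the rule names are only labels. One point the model makes visible: the first packet from lolotte-lenovo-b50-30 arrives before the bridge has sent anything to that peer, so the posted chain drops it even though tcpdump shows it (packet capture taps the interface before netfilter's INPUT hook, so seeing a packet in tcpdump does not mean iptables accepted it).

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple

# The bridge host and media port as they appear in the thread's capture.
SERVER = "XXXXXX.ddns.net"
BRIDGE_PORT = 10000

# Five lines taken from the tcpdump output in the thread (a subset, same format).
SAMPLE_CAPTURE = """\
15:12:16.022038 IP XXXXXX.ddns.net.10000 > t430.home.52214: UDP, length 50
15:12:16.034700 IP lolotte-lenovo-b50-30.home.51455 > XXXXXX.ddns.net.10000: UDP, length 22
15:12:16.055907 IP t430.home.52214 > XXXXXX.ddns.net.10000: UDP, length 50
15:12:16.056393 IP XXXXXX.ddns.net.10000 > lolotte-lenovo-b50-30.home.51455: UDP, length 42
15:12:16.478603 IP lolotte-lenovo-b50-30.home.51455 > XXXXXX.ddns.net.10000: UDP, length 50
"""

# tcpdump's "host.port > host.port: UDP, length N" line shape; hostnames may contain dots,
# so the port is the last dotted numeric component.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.(?P<dport>\d+): UDP, length (?P<len>\d+)$"
)


@dataclass(frozen=True)
class Packet:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    length: int

    @property
    def inbound(self) -> bool:
        # Packets addressed to the bridge host traverse INPUT; the rest traverse OUTPUT.
        return self.dst == SERVER


def parse_capture(text: str) -> List[Packet]:
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            packets.append(Packet(m["ts"], m["src"], int(m["sport"]),
                                  m["dst"], int(m["dport"]), int(m["len"])))
    return packets


class Conntrack:
    """Minimal model of the UDP conntrack table: a flow is confirmed once a packet in
    either direction has been accepted; later packets of that flow are ESTABLISHED."""

    def __init__(self) -> None:
        self.flows = set()

    @staticmethod
    def key(pkt: Packet) -> frozenset:
        # Direction-independent endpoint pair, so the reply direction hits the same flow.
        return frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})

    def established(self, pkt: Packet) -> bool:
        return self.key(pkt) in self.flows

    def confirm(self, pkt: Packet) -> None:
        self.flows.add(self.key(pkt))


# A rule is (label, match predicate, target); the chain is evaluated first match wins.
Rule = Tuple[str, Callable[[Packet, Conntrack], bool], str]


def match_established(pkt: Packet, ct: Conntrack) -> bool:
    return ct.established(pkt)


def match_udp_10000(pkt: Packet, ct: Conntrack) -> bool:
    return pkt.dport == BRIDGE_PORT


# The INPUT chain as posted in the thread (ssh/443/4443 rules omitted, they never match UDP).
CHAIN_FROM_THREAD: List[Rule] = [
    ("state RELATED,ESTABLISHED", match_established, "ACCEPT"),
    ("udp dpt:10000", match_udp_10000, "DROP"),
]
# What the reply recommends: allow all incoming UDP/10000 for the bridge.
CHAIN_RECOMMENDED: List[Rule] = [
    ("state RELATED,ESTABLISHED", match_established, "ACCEPT"),
    ("udp dpt:10000", match_udp_10000, "ACCEPT"),
]
# Boris's test variant: the DROP placed early, before the state rule can match.
CHAIN_DROP_FIRST: List[Rule] = [
    ("udp dpt:10000", match_udp_10000, "DROP"),
    ("state RELATED,ESTABLISHED", match_established, "ACCEPT"),
]


def run_input_chain(packets: List[Packet], chain: List[Rule],
                    policy: str = "DROP") -> List[Tuple[str, str, str]]:
    """Replay packets in capture order; return (timestamp, source, verdict) for inbound ones."""
    ct = Conntrack()
    verdicts = []
    for pkt in packets:
        if not pkt.inbound:
            ct.confirm(pkt)  # OUTPUT policy ACCEPT: the bridge's own packet creates the flow
            continue
        verdict = policy
        for _label, match, target in chain:
            if match(pkt, ct):
                verdict = target
                break
        if verdict == "ACCEPT":
            ct.confirm(pkt)  # only accepted packets confirm a conntrack entry
        verdicts.append((pkt.ts, pkt.src, verdict))
    return verdicts


if __name__ == "__main__":
    pkts = parse_capture(SAMPLE_CAPTURE)
    for name, chain in (("as posted", CHAIN_FROM_THREAD),
                        ("recommended", CHAIN_RECOMMENDED),
                        ("drop first", CHAIN_DROP_FIRST)):
        print(name)
        for ts, src, verdict in run_input_chain(pkts, chain):
            print(f"  {ts} {src:<30} {verdict}")
```

With the chain as posted, the packet from t430 is accepted because the bridge already sent to it, while the first packet from lolotte-lenovo-b50-30 is dropped and only its later packet, sent after the bridge's own binding request, gets through; the recommended chain accepts all three, and the drop-first chain accepts none, which is why that ordering is the right way to test whether the rule is actually blocking anything.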