Is it possible to duplicate a UDP unicast stream with iptables?

iptables udp video-streaming

I have a proprietary system which transmit a udp video stream from unit #1 (192.168.1.1) to unit #2 (.1.2). I can't make changes to this system, and I'm trying to clone this udp stream so I can access it in a different program. This program will do stuff with the video and send it out again as a multicast stream.

I'm hoping to do this using a Linux machine (running Ubuntu Server 12.04 now) with three network cards. By connecting unit #1 and #2 to two of the network cards (eth0 and eth1) in the Linux machine and using bridge, I've got them communicating. My /etc/network/interfaces looks like:

# The loopback network interface
auto lo
iface lo inet loopback

# The external interface
auto eth3
iface eth3 inet static
address 192.168.10.2
netmask 255.255.255.0

# The bridge interface
auto br0
iface br0 inet manual
  bridge_ports eth0 eth1

This works, and by using tcpdump I've confirmed that the udp packets are arriving from #1 and are heading towards #2 at port 6000.

The next step I hope will work is to use iptables to clone all udp packets comming from 192.168.1.1 going to port 6000 at #2. I'm not very familiar with iptables, but after reading on line and the manual I thought this would work:

iptables -A PREROUTING -t mangle -p udp -s 192.168.1.1/32 --dport 6000 -j TEE --gateway 192.168.10.2

The rule is applied successfully, but it doesn't work. If I use tcpdump to monitor eth3 I don't see the packets there.

I'd like to grab this stream, work on it and send it out as a multicast on the .10.2 interface.

What am I doing wrong? Is there something I've misunderstood?


The packets never reach eth3 as 192.168.10.2 is the machine itself. Also the duplicated packets still have the destincation ip-address 192.168.1.2. You need to TEE them to a machine in 192.168.10.0/24 for example 192.168.10.254 so that the duplicates actually get routed over eth3.

iptables -t mangle -A PREROUTING -p udp --dport 6000 -j TEE --gateway 192.168.10.254

Then you also need to DNAT them to 192.168.10.254, so you can read the stream on 192.168.10.254 and send it out via multicasting.

Either on 192.168.10.254 itself:

iptables -t nat -A PREROUTING -p udp -d 192.168.1.2 --dport 6000 -j DNAT --to-destination 192.168.10.254:6000

Or still on 192.168.10.2 before the packets are leaving eth3:

iptables -t nat -A POSTROUTING -o eth3 -p udp -d 192.168.1.2 --dport 6000 -j DNAT --to-destination 192.168.10.254:6000

Related

Track memory usage of a job on SGE
Maintenance of tables: do I need to REINDEX a table after truncating and repopulating?
Connecting two devices over 10Base-T Ethernet without a Switch
Reset Domain Trust with workstations from Samba 3.x server
How Fibre Channel Frames are populated and traverse a Fabric?
Is there a way to control where a windows update extracts temporary files?
How to tell if SSL session caching is in fact working correctly with Apache 2.2?
IBM System i Permissions on Database views
Safely providing passwords to a linux daemon
Need to DUPLICATE HTTP requests to two servers
PowerShell DSC Group Resource - "Could not find a principal with the provided name"
Amazon: How do I know if I need Provisioned IOPS?