MediaTomb is a DLNA server on Linux that is great to stream movies and music from a NAS or any network storage to a TV or any compatible device.
The server magically appears on the TV, and from there you can browse the disk for media. Its one big flaw: there is no authentication. Anybody on the network can not only see that you have a DLNA server running, but also watch all your content.
There are many tutorials out there to explain you how to setup MediaTomb (which is simple thanks to its Web interface and one change in the XML configuration to enable some authentication on the web page).
What you don't find is how to prevent people from seeing the DLNA server and watching the content.
This can be done easily, supposing the IP address of the client (such as a TV) never changes.
Simply add the appropriate rules in Netfilter to allow the one client to access the server, and block traffic for everyone else:
In my configuration, the default policy for the INPUT chain is DROP. Rule number 3 allows anybody from the network to access services on the server (which is not that secure, but well...). You can look at the line numbers by typing iptables -vnL --line-number. (no s at the end)
To only let 172.16.0.123 to access MediaTomb:
iptables -I INPUT 3 -i eth1 -p udp --dport 1900 -d 172.16.0.123 -j ACCEPT
iptables -I INPUT 4 -i eth1 -p tcp --dport 1900 -d 172.16.0.123 -j ACCEPT
iptables -I INPUT 5 -i eth1 -p tcp --dport 1900 -j DROP
iptables -I INPUT 6 -i eth1 -p udp --dport 1900 -j DROP
You can do the same for the web configuration interface but I didn't bother because the username / password that can be set. I let this exercise for you. (The IP address will be your computer's).
Note : There is probably a way to specify a port both for TCP and UDP in the same rule, but I couldn't find it.
Also, eth1 is my LAN network interface. For this interface everything but DLNA is accepted. With the WAN interface, accepted traffic is an exception, so there was no need to write new rules.
No comments:
Post a Comment