RTSP IP tables


RTSP forwarding

This is similar to a “data diode”.

For this example I am using a Raspberry Pi with two NICs. On board NIC (secondary network and USB NIC (primary network

The dest device is another host on the secondary network (

My PC I use to test the configuration is on the primary network (

This allows me to join two networks securely while only allowing TCP traffic over a specific port flowing in one direction.

Pre setup

Image Raspbian Lite to an SD card.

Add an ssh file to the boot partition.

Edit before putting the imaged SD card into the Pi

sudo nano /etc/dhcpcd.conf 

interface eth0
static ip_address=

interface eth1
static ip_address=

Edit after the Pi has booted for first time using SSH

ssh pi@

Enable IP forwarding in Linux

Uncomment the following line in the file

sudo nano /etc/sysctl.conf

net.ipv4.ip_forward = 1

Optionally change hostname

sudo nano /etc/hosts and sudo nano /etc/hostname

Reboot the Pi(firewall).

Allow traffic to be NATed to the dest device

We specify the port the Pi(firewall) is listening on with --dport

Then we specify the device behind the Pi(firewall) and what port it’s listening on with --to-destination

sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination

Make it persistent across reboots. There are a few ways of doing this, but the quick and dirty way is to add this to root's crontab.

@reboot /usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination

You can check the rule is in place with: sudo iptables -t nat -L
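
Added example, not part of the original post: the DNAT rule only rewrites the destination, and with net.ipv4.ip_forward = 1 and the default FORWARD policy of ACCEPT the Pi will route any packet between the two NICs. This sketch generates an iptables-restore ruleset that keeps the DNAT and limits forwarding to that one TCP flow. The interface roles (eth1 primary, eth0 secondary) and the address 192.0.2.10:554 are assumptions, since the post's own addresses are not shown.

```shell
# Added example, not from the original post. Assumed values: eth1 = USB NIC
# (primary network), eth0 = onboard NIC (secondary network), and
# 192.0.2.10:554 = constructed placeholder for the RTSP server.

valid_port() {
    case "$1" in ''|0*|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -le 65535 ]
}

valid_ipv4() {
    # Digits and dots only, no empty octets, then four octets of 0-255.
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

valid_if() {
    # Interface names end up inside rule text, so allow only [A-Za-z0-9].
    case "$1" in ''|*[!A-Za-z0-9]*) return 1 ;; esac
}

# build_ruleset IN_IF OUT_IF LISTEN_PORT DEST_IP DEST_PORT
# Prints a ruleset for: ... | sudo iptables-restore (replaces nat and filter).
build_ruleset() {
    in_if=$1 out_if=$2 listen_port=$3 dest_ip=$4 dest_port=$5
    valid_if "$in_if" && valid_if "$out_if" && valid_port "$listen_port" &&
        valid_port "$dest_port" && valid_ipv4 "$dest_ip" ||
        { echo "build_ruleset: invalid argument" >&2; return 1; }
    # FORWARD runs after PREROUTING, so it matches the translated destination.
    # Only the client side may open the connection (NEW); the server side
    # may only answer on it (ESTABLISHED). Everything else is dropped.
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i $in_if -p tcp --dport $listen_port -j DNAT --to-destination $dest_ip:$dest_port
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i $in_if -o $out_if -p tcp -d $dest_ip --dport $dest_port -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A FORWARD -i $out_if -o $in_if -p tcp -s $dest_ip --sport $dest_port -m conntrack --ctstate ESTABLISHED -j ACCEPT
COMMIT
EOF
}
build_ruleset eth1 eth0 80 192.0.2.10 554
```

After loading, sudo iptables -L FORWARD -n -v shows the policy and per-rule packet counters, which confirms that only the stream's packets are being forwarded.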

Test: use MPV to try to connect through the Pi(firewall)

Generally RTSP is TCP.

We use the Pi(firewall) IP here.

mpv rtsp://admin:password@

Flow of traffic

PC desktop ( –> Pi primary NIC ( –> NAT and IP forwarding –> Pi secondary NIC ( –> Dest RTSP server (
