Make multicast packets local-only?

The situation:

I have two computers, PC1 and PC2, each running multiple multicast-
utilizing applications (specifically, UPNP). Each app multicasts its
presence via SSDP (239.255.255.250), allowing other applications on
PC1 and PC2 to discover it.

My goal:

What I want to do is to prevent PC2 (and PC3, PC4, etc.) from
detecting multicast applications running on PC1. The PC1 apps must
still be able to detect each other, and also be able to detect
multicast apps on PC2.

Is this possible?

- Lance F.

On 02/23/2007 01:21 PM, Lance F. wrote:
> The situation:
>
> I have two computers, PC1 and PC2, each running multiple multicast-
> utilizing applications (specifically, UPNP). Each app multicasts its
> presence via SSDP (239.255.255.250), allowing other applications on
> PC1 and PC2 to discover it.
>
> My goal:
>
> What I want to do is to prevent PC2 (and PC3, PC4, etc.) from
> detecting multicast applications running on PC1. The PC1 apps must
> still be able to detect each other, and also be able to detect
> multicast apps on PC2.
>
> Is this possible?

Yes, sure.

--
Dr Balwinder S "bsd" Dheeman Registered Linux User: #229709
Anu'z Linux@HOME Machines: #168573, 170593, 259192
Chandigarh, UT, 160062, India Gentoo, Fedora, Knoppix/FreeBSD/XP
Home: http://cto.homelinux.net/~bsd/ Visit: http://counter.li.org/

On Feb 23, 11:08 pm, "Balwinder S \"bsd\" Dheeman"
<bsd.SANS...@cto.homelinux.net> wrote:
> On 02/23/2007 01:21 PM, Lance F. wrote:
>
> > The situation:
>
> > I have two computers, PC1 and PC2, each running multiple multicast-
> > utilizing applications (specifically, UPNP). Each app multicasts its
> > presence via SSDP (239.255.255.250), allowing other applications on
> > PC1 and PC2 to discover it.
>
> > My goal:
>
> > What I want to do is to prevent PC2 (and PC3, PC4, etc.) from
> > detecting multicast applications running on PC1. The PC1 apps must
> > still be able to detect each other, and also be able to detect
> > multicast apps on PC2.
>
> > Is this possible?
>
> Yes, sure.

My second question, then, is how?

I've tried settings a rule with iptables, such as:

iptables -D OUTPUT -s <local ip> -d 239.255.255.250/32 -j DROP

.... but then local applications can't see the packets, either.

I've also looked into mrouted, smcroute and pimd, but it looked like
they are used for a different purpose (routing between two different
interfaces).

Any suggestions on what software to use, what steps to take, etc.,
would be greatly appreciated.

- Lance F.

On 02/24/2007 06:43 AM, Lance F. wrote:
> On Feb 23, 11:08 pm, "Balwinder S \"bsd\" Dheeman"
> <bsd.SANS...@cto.homelinux.net> wrote:
>> On 02/23/2007 01:21 PM, Lance F. wrote:
>>
>>> The situation:
>>> I have two computers, PC1 and PC2, each running multiple multicast-
>>> utilizing applications (specifically, UPNP). Each app multicasts its
>>> presence via SSDP (239.255.255.250), allowing other applications on
>>> PC1 and PC2 to discover it.
>>> My goal:
>>> What I want to do is to prevent PC2 (and PC3, PC4, etc.) from
>>> detecting multicast applications running on PC1. The PC1 apps must
>>> still be able to detect each other, and also be able to detect
>>> multicast apps on PC2.
>>> Is this possible?
>> Yes, sure.
>
> My second question, then, is how?
>
> I've tried settings a rule with iptables, such as:
>
> iptables -D OUTPUT -s <local ip> -d 239.255.255.250/32 -j DROP
>
> ... but then local applications can't see the packets, either.
>
> I've also looked into mrouted, smcroute and pimd, but it looked like
> they are used for a different purpose (routing between two different
> interfaces).
>
> Any suggestions on what software to use, what steps to take, etc.,
> would be greatly appreciated.

Try these rules in the following sequence and, or order:

iptables -D OUTPUT -s <ip.add.ress.PC1> -d 239.255.255.250 -j ACCEPT
iptables -D OUTPUT -s <ip.add.ress.PC2> -d 239.255.255.250 -j ACCEPT
iptables -D OUTPUT -s <ur.lo.cal.net/work> -d 239.255.255.250 -j DROP

Cheers!
--
Dr Balwinder S "bsd" Dheeman Registered Linux User: #229709
Anu'z Linux@HOME Machines: #168573, 170593, 259192
Chandigarh, UT, 160062, India Gentoo, Fedora, Knoppix/FreeBSD/XP
Home: http://cto.homelinux.net/~bsd/ Visit: http://counter.li.org/

On Feb 25, 3:33 pm, "Balwinder S \"bsd\" Dheeman"
<bsd.SANS...@cto.homelinux.net> wrote:
> On 02/24/2007 06:43 AM, Lance F. wrote:
>
>
>
> > On Feb 23, 11:08 pm, "Balwinder S \"bsd\" Dheeman"
> > <bsd.SANS...@cto.homelinux.net> wrote:
> >> On 02/23/2007 01:21 PM, Lance F. wrote:
>
> >>> The situation:
> >>> I have two computers, PC1 and PC2, each running multiple multicast-
> >>> utilizing applications (specifically, UPNP). Each app multicasts its
> >>> presence via SSDP (239.255.255.250), allowing other applications on
> >>> PC1 and PC2 to discover it.
> >>> My goal:
> >>> What I want to do is to prevent PC2 (and PC3, PC4, etc.) from
> >>> detecting multicast applications running on PC1. The PC1 apps must
> >>> still be able to detect each other, and also be able to detect
> >>> multicast apps on PC2.
> >>> Is this possible?
> >> Yes, sure.
>
> > My second question, then, is how?
>
> > I've tried settings a rule with iptables, such as:
>
> > iptables -D OUTPUT -s <local ip> -d 239.255.255.250/32 -j DROP
>
> > ... but then local applications can't see the packets, either.
>
> > I've also looked into mrouted, smcroute and pimd, but it looked like
> > they are used for a different purpose (routing between two different
> > interfaces).
>
> > Any suggestions on what software to use, what steps to take, etc.,
> > would be greatly appreciated.
>
> Try these rules in the following sequence and, or order:
>
> iptables -D OUTPUT -s <ip.add.ress.PC1> -d 239.255.255.250 -j ACCEPT
> iptables -D OUTPUT -s <ip.add.ress.PC2> -d 239.255.255.250 -j ACCEPT
> iptables -D OUTPUT -s <ur.lo.cal.net/work> -d 239.255.255.250 -j DROP

Thank you for the response.

Unfortunately, these rules do not produce the result I had been
looking for.

However, since that time I've realized that this method would not work
for my project, anyways. Along with blocking presence advertisements,
I also have to ignore incoming 'search' packets (but not other
incoming packets); a simple routing rule would not take care of both
of these issues.

- Lance F.