2

I'm managing (edit: is hosted by VPS hoster) small machine for couple of game servers and website server (apache) together with some friends. Problem is firewall sometimes drops UDP packets. The reason why I said "sometimes" is because I couldn't find any rule for this. I will explain a little bit more few lines lower.

Machine is running on Ubuntu 14.04.3 LTS (GNU/Linux 3.14.32-xxxx-grs-ipv6-64 x86_64). For firewall configuration I'm using ufw. I'm running apache2, mysql, ftp, ssh, arma3, arma2, csgo and insurgency servers.

UDP "connections" work fine:

  • during gameplay, after "connection" was properly established
  • after reciving TCP packets

UDP "connections" don't work:

  • when randomly "pinging" (e.g. via netcat -u)
  • sometimes when gametracker tries to query game servers
  • when any other server list lobby queries servers
  • basically almost every time when sending first packet from client in short peroid of time

Server IP replaced with 123.123.12.123.

ufw status verbose gives:

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), allow (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
21/tcp                     ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
2300:2305/udp              ALLOW IN    Anywhere
2380:2385/udp              ALLOW IN    Anywhere
27015                      ALLOW IN    Anywhere
27000:27014/udp            ALLOW IN    Anywhere
27016:27030/udp            ALLOW IN    Anywhere
4380/udp                   ALLOW IN    Anywhere
28015                      ALLOW IN    Anywhere
28000:28014/udp            ALLOW IN    Anywhere
28016:28030/udp            ALLOW IN    Anywhere
26901/udp                  ALLOW IN    Anywhere
53                         ALLOW IN    Anywhere
26902/udp                  ALLOW IN    Anywhere
42367                      ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
21/tcp (v6)                ALLOW IN    Anywhere (v6)
80/tcp (v6)                ALLOW IN    Anywhere (v6)
2300:2305/udp (v6)         ALLOW IN    Anywhere (v6)
2380:2385/udp (v6)         ALLOW IN    Anywhere (v6)
27015 (v6)                 ALLOW IN    Anywhere (v6)
27000:27014/udp (v6)       ALLOW IN    Anywhere (v6)
27016:27030/udp (v6)       ALLOW IN    Anywhere (v6)
4380/udp (v6)              ALLOW IN    Anywhere (v6)
28015 (v6)                 ALLOW IN    Anywhere (v6)
28000:28014/udp (v6)       ALLOW IN    Anywhere (v6)
28016:28030/udp (v6)       ALLOW IN    Anywhere (v6)
26901/udp (v6)             ALLOW IN    Anywhere (v6)
53 (v6)                    ALLOW IN    Anywhere (v6)
26902/udp (v6)             ALLOW IN    Anywhere (v6)
42367 (v6)                 ALLOW IN    Anywhere (v6)

netstat -ntl gives:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:28015           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:27015           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 ::1:53                  :::*                    LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 ::1:953                 :::*                    LISTEN

netstat -nul gives:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 123.123.12.123:26901    0.0.0.0:*
udp        0      0 123.123.12.123:26902    0.0.0.0:*
udp        0      0 123.123.12.123:27005    0.0.0.0:*
udp        0      0 123.123.12.123:27015    0.0.0.0:*
udp        0      0 123.123.12.123:27020    0.0.0.0:*
udp        0      0 123.123.12.123:28005    0.0.0.0:*
udp        0      0 123.123.12.123:28015    0.0.0.0:*
udp        0      0 123.123.12.123:28020    0.0.0.0:*
udp        0      0 127.0.0.1:53            0.0.0.0:*
udp        0      0 0.0.0.0:2302            0.0.0.0:*
udp        0      0 0.0.0.0:2303            0.0.0.0:*
udp        0      0 0.0.0.0:2304            0.0.0.0:*
udp        0      0 0.0.0.0:2305            0.0.0.0:*
udp        0      0 123.123.12.123:2382     0.0.0.0:*
udp        0      0 123.123.12.123:2383     0.0.0.0:*
udp        0      0 123.123.12.123:2384     0.0.0.0:*
udp        0      0 123.123.12.123:2385     0.0.0.0:*
udp6       0      0 ::1:53                  :::*

iptables -L gives:

Chain INPUT (policy DROP)
target     prot opt source               destination
ufw-before-logging-input  all  --  anywhere             anywhere
ufw-before-input  all  --  anywhere             anywhere
ufw-after-input  all  --  anywhere             anywhere
ufw-after-logging-input  all  --  anywhere             anywhere
ufw-reject-input  all  --  anywhere             anywhere
ufw-track-input  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source                   estination
ufw-before-logging-forward  all  --  anywhere             anywhere
ufw-before-forward  all  --  anywhere             anywhere
ufw-after-forward  all  --  anywhere             anywhere
ufw-after-logging-forward  all  --  anywhere             anywhere
ufw-reject-forward  all  --  anywhere             anywhere
ufw-track-forward  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ufw-before-logging-output  all  --  anywhere             anywhere
ufw-before-output  all  --  anywhere             anywhere
ufw-after-output  all  --  anywhere             anywhere
ufw-after-logging-output  all  --  anywhere             anywhere
ufw-reject-output  all  --  anywhere             anywhere
ufw-track-output  all  --  anywhere             anywhere

Chain ufw-after-forward (1 references)
target     prot opt source               destination

Chain ufw-after-input (1 references)
target     prot opt source               destination
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:netbios-ns
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:netbios-dgm
ufw-skip-to-policy-input  tcp  --  anywhere             anywhere             tcp dpt:netbios-ssn
ufw-skip-to-policy-input  tcp  --  anywhere             anywhere             tcp dpt:microsoft-ds
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:bootps
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:bootpc
ufw-skip-to-policy-input  all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
target     prot opt source               destination

Chain ufw-after-logging-input (1 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
target     prot opt source               destination

Chain ufw-after-output (1 references)
target     prot opt source               destination

Chain ufw-before-forward (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere             icmp source-quench
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere             icmp parameter-problem
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ufw-user-forward  all  --  anywhere             anywhere

Chain ufw-before-input (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ufw-logging-deny  all  --  anywhere             anywhere             ctstate INVALID
DROP       all  --  anywhere             anywhere             ctstate INVALID
ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere             icmp source-quench
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere             icmp parameter-problem
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc
ufw-not-local  all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251          udp dpt:mdns
ACCEPT     udp  --  anywhere             239.255.255.250      udp dpt:1900
ufw-user-input  all  --  anywhere             anywhere

Chain ufw-before-logging-forward (1 references)
target     prot opt source               destination

Chain ufw-before-logging-input (1 references)
target     prot opt source               destination

Chain ufw-before-logging-output (1 references)
target     prot opt source               destination

Chain ufw-before-output (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ufw-user-output  all  --  anywhere             anywhere

Chain ufw-logging-allow (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere             ctstate INVALID limit: avg 3/min burst 10
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type MULTICAST
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST
ufw-logging-deny  all  --  anywhere             anywhere             limit: avg 3/min burst 10
DROP       all  --  anywhere             anywhere

Chain ufw-reject-forward (1 references)
target     prot opt source               destination

Chain ufw-reject-input (1 references)
target     prot opt source               destination

Chain ufw-reject-output (1 references)
target     prot opt source               destination

Chain ufw-skip-to-policy-forward (0 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain ufw-skip-to-policy-input (7 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere

Chain ufw-skip-to-policy-output (0 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain ufw-track-forward (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             ctstate NEW

Chain ufw-track-input (1 references)
target     prot opt source               destination

Chain ufw-track-output (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             ctstate NEW

Chain ufw-user-forward (1 references)
target     prot opt source               destination

Chain ufw-user-input (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     udp  --  anywhere             anywhere             multiport dports 2300:2305
ACCEPT     udp  --  anywhere             anywhere             multiport dports 2380:2385
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:27015
ACCEPT     udp  --  anywhere             anywhere             udp dpt:27015
ACCEPT     udp  --  anywhere             anywhere             multiport dports 27000:27014
ACCEPT     udp  --  anywhere             anywhere             multiport dports 27016:27030
ACCEPT     udp  --  anywhere             anywhere             udp dpt:4380
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:28015
ACCEPT     udp  --  anywhere             anywhere             udp dpt:28015
ACCEPT     udp  --  anywhere             anywhere             multiport dports 28000:28014
ACCEPT     udp  --  anywhere             anywhere             multiport dports 28016:28030
ACCEPT     udp  --  anywhere             anywhere             udp dpt:26901
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:26902
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:42367
ACCEPT     udp  --  anywhere             anywhere             udp dpt:42367

Chain ufw-user-limit (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain ufw-user-logging-forward (0 references)
target     prot opt source               destination

Chain ufw-user-logging-input (0 references)
target     prot opt source               destination

Chain ufw-user-logging-output (0 references)
target     prot opt source               destination

Chain ufw-user-output (1 references)
target     prot opt source               destination

When I try to traceroute from outside (gra-3a-a9.fr.eu is not my machine):

traceroute to 123.123.12.123 (123.123.12.123), 30 hops max, 60 byte packets
 1  * * *
 2  weservit.openpeering.telecity2.jointtransit.nl (217.170.23.236)  1.679 ms  1.626 ms  1.699 ms
 3  telecity-ixr.openpeering.nl (217.170.0.244)  2.192 ms  2.174 ms  2.250 ms
 4  * * *
 5  gra-g2-a9.fr.eu (213.251.128.28)  10.383 ms  10.367 ms  10.342 ms
 6  gra-3a-a9.fr.eu (37.187.231.88)  9.001 ms gra-3b-a9.fr.eu (37.187.231.92)  9.386 ms  9.331 ms
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *

I tried to do an small experiment:

// SERVER:
user@server:~$ sudo ufw status verbose | grep 42367
42367                      ALLOW IN    Anywhere
42367 (v6)                 ALLOW IN    Anywhere (v6)
user@server:~$ netcat -ul 42367
^C
user@server:~$ netcat -l 42367
b
it does work
user@server:~$ netcat -ul 42367
c
it does work
^C
user@server:~$

// CLIENT:
user@client:~$ netcat -u 123.123.12.123 42367
a
it doesnt work
^C
user@client:~$ netcat 123.123.12.123 42367
b
it does work
^C
user@client:~$ netcat -u 123.123.12.123 42367
c
it does work
^C
user@client:~$

I'm almost sure that I have skipped something really important (and stupid, duh) during configuration and that's why it doesn't work. Question is: what is the thing I skipped and now it doesn't let UDP to work properly?

If any other information is needed - comment.

Thank you for any answer in advance! Sorry for long post; no potatoe.

Improve this question
9
  • The issue is that sometimes some datagrams don't reach the machine?
    – nKn
    Commented Jan 12, 2016 at 19:50
  • They drop almost everytime when they are not used in way stated in 3rd paragraph. Added further description in 3rd and 4th paragraph.
    – Aki
    Commented Jan 12, 2016 at 20:05
  • Sounds like the things that work are triggering the "RELATED,ESTABLISHED" rules, causing your other (wrong) rules to be skipped. (In particular, UDP has no ESTABLISHED connection state, but iptables may consider UDP packets to be RELATED to earlier UDP or TCP packets)
    – Ben Voigt
    Commented Jan 12, 2016 at 20:08
  • UDP is a stateless unreliable protocol, that means that nobody guarantees that all datagrams will reach their destination. There's neither a concept like a "established" connection when talking about UDP; so if it's not a 100% drop issue, I'd check if it could be related to the own protocol's nature
    – nKn
    Commented Jan 12, 2016 at 20:08
  • I strongly suggest using the iptables match counters for debugging this. Run iptables with the -v option both before and after attempting netcat, see which rules have increased in match count.
    – Ben Voigt
    Commented Jan 12, 2016 at 20:09

1 Answer 1

Reset to default
1

I'm leaving an answer because someone may encounter same problem.

Okey, as seen from results from traceroute the packets were "stopped" just before my server. That could mean two things: my firewall or some filtering of outgoing packets on previous server.

As suggested by @BenVoigt I have used iptables -vL command and compared amount of bytes per rule. After few times I was almost sure that the problem is not related to my firewall configuration.

My next step was contacting ISP. After several messages we finally found out why the packets were droping. Somewhere hidden in deep abyss of their configuration panel there was an option of UDP packets filtering which was turned on by default. Turning it off solved problem.

Yep, that's pretty much everything. As I said somewhere in first post, I knew the solution was easy.

Improve this answer

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .