I'm managing (edit: is hosted by VPS hoster) small machine for couple of game servers and website server (apache) together with some friends. Problem is firewall sometimes drops UDP packets. The reason why I said "sometimes" is because I couldn't find any rule for this. I will explain a little bit more few lines lower.
Machine is running on Ubuntu 14.04.3 LTS (GNU/Linux 3.14.32-xxxx-grs-ipv6-64 x86_64). For firewall configuration I'm using ufw. I'm running apache2, mysql, ftp, ssh, arma3, arma2, csgo and insurgency servers.
UDP "connections" work fine:
- during gameplay, after "connection" was properly established
- after reciving TCP packets
UDP "connections" don't work:
- when randomly "pinging" (e.g. via netcat -u)
- sometimes when gametracker tries to query game servers
- when any other server list lobby queries servers
- basically almost every time when sending first packet from client in short peroid of time
Server IP replaced with 123.123.12.123.
ufw status verbose
gives:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), allow (routed)
New profiles: skip
To Action From
-- ------ ----
22/tcp ALLOW IN Anywhere
21/tcp ALLOW IN Anywhere
80/tcp ALLOW IN Anywhere
2300:2305/udp ALLOW IN Anywhere
2380:2385/udp ALLOW IN Anywhere
27015 ALLOW IN Anywhere
27000:27014/udp ALLOW IN Anywhere
27016:27030/udp ALLOW IN Anywhere
4380/udp ALLOW IN Anywhere
28015 ALLOW IN Anywhere
28000:28014/udp ALLOW IN Anywhere
28016:28030/udp ALLOW IN Anywhere
26901/udp ALLOW IN Anywhere
53 ALLOW IN Anywhere
26902/udp ALLOW IN Anywhere
42367 ALLOW IN Anywhere
22/tcp (v6) ALLOW IN Anywhere (v6)
21/tcp (v6) ALLOW IN Anywhere (v6)
80/tcp (v6) ALLOW IN Anywhere (v6)
2300:2305/udp (v6) ALLOW IN Anywhere (v6)
2380:2385/udp (v6) ALLOW IN Anywhere (v6)
27015 (v6) ALLOW IN Anywhere (v6)
27000:27014/udp (v6) ALLOW IN Anywhere (v6)
27016:27030/udp (v6) ALLOW IN Anywhere (v6)
4380/udp (v6) ALLOW IN Anywhere (v6)
28015 (v6) ALLOW IN Anywhere (v6)
28000:28014/udp (v6) ALLOW IN Anywhere (v6)
28016:28030/udp (v6) ALLOW IN Anywhere (v6)
26901/udp (v6) ALLOW IN Anywhere (v6)
53 (v6) ALLOW IN Anywhere (v6)
26902/udp (v6) ALLOW IN Anywhere (v6)
42367 (v6) ALLOW IN Anywhere (v6)
netstat -ntl
gives:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:28015 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:27015 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN
tcp6 0 0 :::80 :::* LISTEN
tcp6 0 0 ::1:53 :::* LISTEN
tcp6 0 0 :::22 :::* LISTEN
tcp6 0 0 ::1:953 :::* LISTEN
netstat -nul
gives:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
udp 0 0 123.123.12.123:26901 0.0.0.0:*
udp 0 0 123.123.12.123:26902 0.0.0.0:*
udp 0 0 123.123.12.123:27005 0.0.0.0:*
udp 0 0 123.123.12.123:27015 0.0.0.0:*
udp 0 0 123.123.12.123:27020 0.0.0.0:*
udp 0 0 123.123.12.123:28005 0.0.0.0:*
udp 0 0 123.123.12.123:28015 0.0.0.0:*
udp 0 0 123.123.12.123:28020 0.0.0.0:*
udp 0 0 127.0.0.1:53 0.0.0.0:*
udp 0 0 0.0.0.0:2302 0.0.0.0:*
udp 0 0 0.0.0.0:2303 0.0.0.0:*
udp 0 0 0.0.0.0:2304 0.0.0.0:*
udp 0 0 0.0.0.0:2305 0.0.0.0:*
udp 0 0 123.123.12.123:2382 0.0.0.0:*
udp 0 0 123.123.12.123:2383 0.0.0.0:*
udp 0 0 123.123.12.123:2384 0.0.0.0:*
udp 0 0 123.123.12.123:2385 0.0.0.0:*
udp6 0 0 ::1:53 :::*
iptables -L
gives:
Chain INPUT (policy DROP)
target prot opt source destination
ufw-before-logging-input all -- anywhere anywhere
ufw-before-input all -- anywhere anywhere
ufw-after-input all -- anywhere anywhere
ufw-after-logging-input all -- anywhere anywhere
ufw-reject-input all -- anywhere anywhere
ufw-track-input all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source estination
ufw-before-logging-forward all -- anywhere anywhere
ufw-before-forward all -- anywhere anywhere
ufw-after-forward all -- anywhere anywhere
ufw-after-logging-forward all -- anywhere anywhere
ufw-reject-forward all -- anywhere anywhere
ufw-track-forward all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ufw-before-logging-output all -- anywhere anywhere
ufw-before-output all -- anywhere anywhere
ufw-after-output all -- anywhere anywhere
ufw-after-logging-output all -- anywhere anywhere
ufw-reject-output all -- anywhere anywhere
ufw-track-output all -- anywhere anywhere
Chain ufw-after-forward (1 references)
target prot opt source destination
Chain ufw-after-input (1 references)
target prot opt source destination
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-ns
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-dgm
ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:netbios-ssn
ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:microsoft-ds
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootps
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootpc
ufw-skip-to-policy-input all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
Chain ufw-after-logging-forward (1 references)
target prot opt source destination
Chain ufw-after-logging-input (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
Chain ufw-after-logging-output (1 references)
target prot opt source destination
Chain ufw-after-output (1 references)
target prot opt source destination
Chain ufw-before-forward (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
ACCEPT icmp -- anywhere anywhere icmp echo-request
ufw-user-forward all -- anywhere anywhere
Chain ufw-before-input (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ufw-logging-deny all -- anywhere anywhere ctstate INVALID
DROP all -- anywhere anywhere ctstate INVALID
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
ufw-not-local all -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere 239.255.255.250 udp dpt:1900
ufw-user-input all -- anywhere anywhere
Chain ufw-before-logging-forward (1 references)
target prot opt source destination
Chain ufw-before-logging-input (1 references)
target prot opt source destination
Chain ufw-before-logging-output (1 references)
target prot opt source destination
Chain ufw-before-output (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ufw-user-output all -- anywhere anywhere
Chain ufw-logging-allow (0 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "
Chain ufw-logging-deny (2 references)
target prot opt source destination
RETURN all -- anywhere anywhere ctstate INVALID limit: avg 3/min burst 10
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
Chain ufw-not-local (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere ADDRTYPE match dst-type LOCAL
RETURN all -- anywhere anywhere ADDRTYPE match dst-type MULTICAST
RETURN all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
ufw-logging-deny all -- anywhere anywhere limit: avg 3/min burst 10
DROP all -- anywhere anywhere
Chain ufw-reject-forward (1 references)
target prot opt source destination
Chain ufw-reject-input (1 references)
target prot opt source destination
Chain ufw-reject-output (1 references)
target prot opt source destination
Chain ufw-skip-to-policy-forward (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain ufw-skip-to-policy-input (7 references)
target prot opt source destination
DROP all -- anywhere anywhere
Chain ufw-skip-to-policy-output (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain ufw-track-forward (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere ctstate NEW
ACCEPT udp -- anywhere anywhere ctstate NEW
Chain ufw-track-input (1 references)
target prot opt source destination
Chain ufw-track-output (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere ctstate NEW
ACCEPT udp -- anywhere anywhere ctstate NEW
Chain ufw-user-forward (1 references)
target prot opt source destination
Chain ufw-user-input (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT udp -- anywhere anywhere multiport dports 2300:2305
ACCEPT udp -- anywhere anywhere multiport dports 2380:2385
ACCEPT tcp -- anywhere anywhere tcp dpt:27015
ACCEPT udp -- anywhere anywhere udp dpt:27015
ACCEPT udp -- anywhere anywhere multiport dports 27000:27014
ACCEPT udp -- anywhere anywhere multiport dports 27016:27030
ACCEPT udp -- anywhere anywhere udp dpt:4380
ACCEPT tcp -- anywhere anywhere tcp dpt:28015
ACCEPT udp -- anywhere anywhere udp dpt:28015
ACCEPT udp -- anywhere anywhere multiport dports 28000:28014
ACCEPT udp -- anywhere anywhere multiport dports 28016:28030
ACCEPT udp -- anywhere anywhere udp dpt:26901
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:26902
ACCEPT tcp -- anywhere anywhere tcp dpt:42367
ACCEPT udp -- anywhere anywhere udp dpt:42367
Chain ufw-user-limit (0 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain ufw-user-limit-accept (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain ufw-user-logging-forward (0 references)
target prot opt source destination
Chain ufw-user-logging-input (0 references)
target prot opt source destination
Chain ufw-user-logging-output (0 references)
target prot opt source destination
Chain ufw-user-output (1 references)
target prot opt source destination
When I try to traceroute from outside (gra-3a-a9.fr.eu is not my machine):
traceroute to 123.123.12.123 (123.123.12.123), 30 hops max, 60 byte packets
1 * * *
2 weservit.openpeering.telecity2.jointtransit.nl (217.170.23.236) 1.679 ms 1.626 ms 1.699 ms
3 telecity-ixr.openpeering.nl (217.170.0.244) 2.192 ms 2.174 ms 2.250 ms
4 * * *
5 gra-g2-a9.fr.eu (213.251.128.28) 10.383 ms 10.367 ms 10.342 ms
6 gra-3a-a9.fr.eu (37.187.231.88) 9.001 ms gra-3b-a9.fr.eu (37.187.231.92) 9.386 ms 9.331 ms
7 * * *
8 * * *
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *
I tried to do an small experiment:
// SERVER:
user@server:~$ sudo ufw status verbose | grep 42367
42367 ALLOW IN Anywhere
42367 (v6) ALLOW IN Anywhere (v6)
user@server:~$ netcat -ul 42367
^C
user@server:~$ netcat -l 42367
b
it does work
user@server:~$ netcat -ul 42367
c
it does work
^C
user@server:~$
// CLIENT:
user@client:~$ netcat -u 123.123.12.123 42367
a
it doesnt work
^C
user@client:~$ netcat 123.123.12.123 42367
b
it does work
^C
user@client:~$ netcat -u 123.123.12.123 42367
c
it does work
^C
user@client:~$
I'm almost sure that I have skipped something really important (and stupid, duh) during configuration and that's why it doesn't work. Question is: what is the thing I skipped and now it doesn't let UDP to work properly?
If any other information is needed - comment.
Thank you for any answer in advance! Sorry for long post; no potatoe.
UDP
is a stateless unreliable protocol, that means that nobody guarantees that all datagrams will reach their destination. There's neither a concept like a "established" connection when talking about UDP; so if it's not a 100% drop issue, I'd check if it could be related to the own protocol's natureiptables
match counters for debugging this. Runiptables
with the-v
option both before and after attemptingnetcat
, see which rules have increased in match count.