iptables udp port forwarded but ICMP UDP Port unreachable

I wish to host a game server (Zandronum Doom) on port 10666 UDP, but no one can connect to it. I have troubleshot the problem and I think it's a problem with my routing. My physical network architecture is like this:

[WAN] - [Router] - [Switch] - [Pi]
                            - [Desktop]
                            - [Other]

My routing is as follows

[WAN] - [(pub. ip) Router (192.168.1.1)] - [Pi (192.168.1.5)] - [Desktop (192.168.1.11)]
                                                    - [Other (tv, printer, laptop, phone, etc)]

My router is set up to forward anything I want to the Raspberry Pi and only there. The Raspberry Pi is set up as an IDS/IPS and also acts as DNS server and DHCP server for my whole network. I want all my traffic to go through there. The Raspberry Pi is set as the default gateway via DHCP; the Raspberry Pi itself has the router as its default gateway.

The router is set to port forward TCP and UDP traffic on port 10666 to the Pi. This is the traffic that gives me trouble. The Raspberry Pi has the following relevant rules in iptables:

$> sudo iptables --list -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  fritz.box            pi.lan               tcp dpt:10666 to:192.168.1.11
DNAT       udp  --  fritz.box            pi.lan               udp dpt:10666 to:192.168.1.11

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  anywhere             anywhere

$> sudo iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
QUEUE      all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

I'm not sure why some of those names are resolved while others are not.

I cannot connect to the server via the public IP. tcpdump reveals the following:

$> sudo tcpdump -i eth0 | grep 10666
[...]
21:34:57.456103 IP paul-pc.lan.10667 > <pub-ip>.10666: UDP, length 50
21:34:57.457635 IP pi.lan.10667 > <pub-ip>.10666: UDP, length 50
21:34:57.458130 IP <pub-ip>.10667 > pi.lan.10666: UDP, length 50
21:34:57.458279 IP pi.lan > <pub-ip>: ICMP pi.lan udp port 10666 unreachable, length 86
21:34:57.458451 IP <pub-ip> > pi.lan: ICMP <pub-ip> udp port 10666 unreachable, length 86
21:34:57.458711 IP <pub-ip> > paul-pc.lan: ICMP <pub-ip> udp port 10666 unreachable, length 86
[repeating]
[...]

To test things I changed the network settings for the server to bypass the Pi and set the router to port forward directly to the desktop. Then it worked perfectly.


The option -s 192.168.1.1 is wrong. The source is passed through from the router, not repackaged (the router is not the source). Use a destination filter instead with -d 192.168.1.5.
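A rule set that applies the answer's fix, as an added example that is not part of the question or the answer. It uses the addresses from the question (router 192.168.1.1 = fritz.box, Pi 192.168.1.5, desktop 192.168.1.11, port 10666) and assumes eth0 is the Pi's only interface, as in the tcpdump command. Note that the capture shows the test client paul-pc.lan is itself on the LAN, so the packets arrive at the Pi from the router's hairpin NAT with the public address as source; matching on the Pi's address as destination works for that case as well as for genuine WAN clients, whereas the original -s fritz.box filter matches neither, which is why the Pi answers with ICMP port unreachable. The -D lines that remove the old rules are an assumption based on the fields shown in the listing and fail harmlessly if the original rules were added with other options.

```shell
#!/bin/sh
# Added example, not from the original question or answer: forward UDP and
# TCP 10666 arriving at the Pi on to the desktop, matching on the Pi's own
# address instead of filtering on the router as source.
set -eu

ROUTER_IP=192.168.1.1    # fritz.box in the question's listing; NOT used as a match
PI_IP=192.168.1.5        # the Pi, where the router's port forward delivers packets
SERVER_IP=192.168.1.11   # the desktop running the game server
PORT=10666
LAN_IF=eth0              # assumed: the Pi's only interface (named in the tcpdump)
DRY_RUN=${DRY_RUN:-0}    # DRY_RUN=1 prints commands instead of executing them

# Execute a command, or print it when DRY_RUN=1 so the rule set can be
# inspected (and checked below) without root or iptables.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Replace the source-filtered rules with destination-matched ones. Packets
# reach the Pi with the original client's address (or the router's hairpin
# NAT address when testing from the LAN, as in the capture), so a
# "-s $ROUTER_IP" filter never matches and the Pi answers ICMP port unreachable.
forward_rules() {
    for proto in tcp udp; do
        # Remove the old rule if it was added exactly like this (assumption:
        # these are the fields shown in the listing; -D fails harmlessly otherwise).
        run iptables -t nat -D PREROUTING -s "$ROUTER_IP" -d "$PI_IP" \
            -p "$proto" --dport "$PORT" -j DNAT --to-destination "$SERVER_IP" || true
        # New rule: anything addressed to the Pi on $PORT goes to the desktop.
        run iptables -t nat -A PREROUTING -i "$LAN_IF" -d "$PI_IP" \
            -p "$proto" --dport "$PORT" -j DNAT --to-destination "$SERVER_IP"
    done
}

# Sanity check on the generated rule set: no rule that is added may carry
# the router as source, and every added rule must match the Pi's address.
# Returns 0 when the rule set is as intended.
rules_ok() {
    added=$(DRY_RUN=1; forward_rules | grep -- ' -A PREROUTING ')
    [ -n "$added" ] || return 1
    printf '%s\n' "$added" | grep -q -- " -s $ROUTER_IP " && return 1
    printf '%s\n' "$added" | grep -vq -- " -d $PI_IP " && return 1
    return 0
}

case "${1:-show}" in
    apply) forward_rules ;;         # run as root: sh forward.sh apply
    *) DRY_RUN=1; forward_rules ;;  # default: only print the commands
esac
```

Run without arguments to see the commands; run `sh forward.sh apply` as root to install them. The question's FORWARD chain has policy ACCEPT, so no FORWARD rule is needed for the DNATed flow; if that policy is later changed to DROP, an ACCEPT for -d 192.168.1.11 --dport 10666 (tcp and udp) has to be added ahead of the drop. The existing MASQUERADE in POSTROUTING already rewrites the source of the forwarded packets to the Pi, so the desktop's replies return through the Pi and are un-NATed by conntrack.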