iptables udp port forwarded but ICMP UDP Port unreachable
I wish to host a game server (Zandronum Doom) on port 10666 UDP, but no one can connect to it. I have troubleshot the problem and I think it's a problem with my routing. My physical network architecture is like this:
[WAN] - [Router] - [Switch] - [Pi]
- [Desktop]
- [Other]
My routing is as follows
[WAN] - [(pub. ip) Router (192.168.1.1)] - [Pi (192.168.1.5)] - [Desktop (192.168.1.11)]
- [Other (tv, printer, laptop, phone, etc)]
My router is set up to forward anything I want to the raspberry pi and only there. The raspberry pi is set up as an IDS/IPS and also acts as DNS server and DHCP server for my whole network. I want all my traffic to go through there. The rasperry pi is set as the default gateway via dhcp, the rasperry pi itself has the router as default gateway.
The router is set to port forward tcp and udp traffic on port 10666 to the pi. This is the traffic that gives me trouble. The rasperry pi has the following relevant rules in the iptable:
$> sudo iptables --list -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- fritz.box pi.lan tcp dpt:10666 to:192.168.1.11
DNAT udp -- fritz.box pi.lan udp dpt:10666 to:192.168.1.11
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- anywhere anywhere
$> sudo iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
QUEUE all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
I'm not sure why some of those names are resolved while others are not.
I can not connect to the server via public ip. TCP Dump reveals the following:
$> sudo tcpdump -i eth0 | grep 10666
[...]
21:34:57.456103 IP paul-pc.lan.10667 > <pub-ip>.10666: UDP, length 50
21:34:57.457635 IP pi.lan.10667 > <pub-ip>.10666: UDP, length 50
21:34:57.458130 IP <pub-ip>.10667 > pi.lan.10666: UDP, length 50
21:34:57.458279 IP pi.lan > <pub-ip>: ICMP pi.lan udp port 10666 unreachable, length 86
21:34:57.458451 IP <pub-ip> > pi.lan: ICMP <pub-ip> udp port 10666 unreachable, length 86
21:34:57.458711 IP <pub-ip> > paul-pc.lan: ICMP <pub-ip> udp port 10666 unreachable, length 86
[repeating]
[...]
To test things I changed the network settings for the server to bypass the pi and the router to port forward directly to the desktop. Then it worked perfectly.
The option -s 192.168.1.1
is wrong. The source is passed through from the router, not repackaged (the router is not the source). Use a destination filter instead with -d 192.168.1.5