udp client sending ICMP "port unreachable" when receiving messages from the server
Your client-side firewall is actively blocking inbound UDP.
Comments
-
nonchip almost 4 years
I have a udp client using luasocket, basically doing this (with a few layers of abstraction, but this is what's going on there):
    local socket = require("socket")
    s = socket.udp()
    s:setsockname("*", 0)                                      -- bind to an ephemeral local port
    s:setpeername(socket.dns.toip("example.com"), 64299)        -- "connect" to the server's UDP port
    s:settimeout(0)
    s:send(...)
    s:settimeout(10)                                           -- wait up to 10 s for the reply
    msg, err = s:receive()
    s:settimeout(0)
    print(msg, err)
While seeing everything's fine in the server's debug output (ssh to the remote host), I get a "timeout" error in the client.
When inspecting everything with client-side wireshark, I see the packet my client sent, and a response packet from the server (correct port and everything), AND an ICMP "port unreachable" packet sent from my client host to the server in response to its (correct) response.
What's going on there? I tried everything, including resetting my iptables to "accept everything", but my client still sends the "port unreachable".
the relevant packets are:
    From            To              Proto  Len  Description
    192.168.2.100   95.143.172.171  UDP    61   Source port: 45025  Destination port: 64299
        000e8f11e7000025229835a908004500002f4008400040112b6fc0a6fc0a802645f8facabafe1fb2b001b28d794d2000ec8360100aa81a477616e74a3756964
    95.143.172.171  192.168.2.100   UDP    60   Source port: 64299  Destination port: 45025
        0025229835a9000e8f11e70008004500002b000040003911727b5f8facabc0a80264fb2bafe100172e8d94d2000e0ea10100a681a3756964ff000000
    192.168.2.100   95.143.172.171  ICMP   85   Destination unreachable (Port unreachable)
        000e8f11e7000025229835a9080045c00047061d00004001a492c0a802645f8facab0303cc6c000000004500002b000040003911727b5f8facabc0a80264fb2bafe100172e8d94d2000e0ea10100a681a3756964ff
Firewall, in case it's important (which I don't think, because iptables doesn't increment any INPUT packet counters while this happens):
    $ sudo iptables -S
    -P INPUT DROP
    -P FORWARD DROP
    -P OUTPUT ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
    -A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
    -A INPUT -i eth0 -p udp -m udp --sport 64299 -j ACCEPT
    -A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -j REJECT --reject-with icmp-port-unreachable
    -A FORWARD -i eth0 -p tcp -m tcp --dport 10001:30000 -j ACCEPT
    -A FORWARD -j REJECT --reject-with icmp-port-unreachable
    -A OUTPUT -o lo -j ACCEPT
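The three frames quoted in the question can be decoded offline to pin down exactly what the capture says: that the server's reply is addressed to the client's own source port, and that the ICMP error the client emits quotes that reply byte for byte. The script below is an added example written for this page, not code from the question, from luasocket or from iptables; the only input is the hex of the three frames as listed above, and the decoder is a plain IPv4/UDP/ICMP parse with RFC 1071 checksum verification using the Python standard library.

```python
"""Decode the client-side capture from the question: request, reply, ICMP error.

Added example. The frame bytes are the hex dumps copied from the question;
the decoder itself is not part of the original post."""
import struct
from ipaddress import IPv4Address

# Hex dumps exactly as listed in the question, split at Ethernet / IP / L4 boundaries.
FRAMES = {
    "client_udp": (
        "000e8f11e7000025229835a90800"                    # Ethernet: client MAC -> gateway MAC
        "4500002f4008400040112b6fc0a802645f8facab"        # IPv4 192.168.2.100 -> 95.143.172.171
        "afe1fb2b001b28d7"                                # UDP 45025 -> 64299, len 27
        "94d2000ec8360100aa81a477616e74a3756964"          # 19-byte application payload
    ),
    "server_udp": (
        "0025229835a9000e8f11e7000800"
        "4500002b000040003911727b5f8facabc0a80264"        # IPv4 95.143.172.171 -> 192.168.2.100
        "fb2bafe100172e8d"                                # UDP 64299 -> 45025, len 23
        "94d2000e0ea10100a681a3756964ff"
        "000000"                                          # Ethernet padding to 60 bytes
    ),
    "client_icmp": (
        "000e8f11e7000025229835a90800"
        "45c00047061d00004001a492c0a802645f8facab"        # IPv4 192.168.2.100 -> 95.143.172.171, proto ICMP
        "0303cc6c00000000"                                # ICMP type 3 code 3 (port unreachable)
        "4500002b000040003911727b5f8facabc0a80264"        # quoted: the server's IP header ...
        "fb2bafe100172e8d"                                # ... its UDP header ...
        "94d2000e0ea10100a681a3756964ff"                  # ... and its full payload
    ),
}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum. Over a header or message that already
    contains its correct checksum field the result is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_ipv4(pkt: bytes) -> dict:
    """Parse an IPv4 header; the payload is cut at total_len so Ethernet padding drops off."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ident, flags_frag, ttl, proto = struct.unpack("!2xHHHBB", pkt[:10])
    return {
        "src": str(IPv4Address(pkt[12:16])),
        "dst": str(IPv4Address(pkt[16:20])),
        "proto": proto,
        "ttl": ttl,
        "id": ident,
        "df": bool(flags_frag & 0x4000),
        "header_ok": inet_checksum(pkt[:ihl]) == 0,
        "raw": pkt[:total_len],
        "payload": pkt[ihl:total_len],
    }


def parse_udp(seg: bytes) -> dict:
    sport, dport, length, _cksum = struct.unpack("!HHHH", seg[:8])
    return {"sport": sport, "dport": dport, "len": length, "data": seg[8:length]}


def parse_frame(hexdump: str) -> dict:
    """Ethernet II frame -> IPv4 dict, with a 'udp' or 'icmp' sub-dict attached."""
    raw = bytes.fromhex(hexdump)
    (ethertype,) = struct.unpack("!H", raw[12:14])
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = parse_ipv4(raw[14:])
    if ip["proto"] == 17:
        ip["udp"] = parse_udp(ip["payload"])
    elif ip["proto"] == 1:
        icmp_type, code, _cksum = struct.unpack("!BBH", ip["payload"][:4])
        ip["icmp"] = {
            "type": icmp_type,
            "code": code,
            "checksum_ok": inet_checksum(ip["payload"]) == 0,
            # RFC 792: an ICMP error quotes the offending IP header plus at least 8 bytes
            "quoted": ip["payload"][8:],
        }
    return ip


def analyze(frames: dict = FRAMES) -> dict:
    """Cross-check the three frames against each other."""
    c2s = parse_frame(frames["client_udp"])
    s2c = parse_frame(frames["server_udp"])
    err = parse_frame(frames["client_icmp"])
    quoted_ip = parse_ipv4(err["icmp"]["quoted"])
    quoted_udp = parse_udp(quoted_ip["payload"])
    return {
        "client_port": c2s["udp"]["sport"],
        "server_port": c2s["udp"]["dport"],
        # the reply must come back from the server port to the client's ephemeral port
        "reply_matches_request": (s2c["udp"]["sport"], s2c["udp"]["dport"])
        == (c2s["udp"]["dport"], c2s["udp"]["sport"]),
        "icmp_is_port_unreachable": (err["icmp"]["type"], err["icmp"]["code"]) == (3, 3),
        "icmp_from_client": err["src"] == c2s["src"],
        # the quoted datagram is the server's reply, complete, not just 8 bytes of it
        "icmp_quotes_reply": err["icmp"]["quoted"] == s2c["raw"],
        "quoted_dst_port": quoted_udp["dport"],
        "all_checksums_ok": all(
            [c2s["header_ok"], s2c["header_ok"], err["header_ok"], err["icmp"]["checksum_ok"]]
        ),
    }


if __name__ == "__main__":
    for key, value in analyze().items():
        print(f"{key}: {value}")
```

Every field comes back true (with client port 45025 and server port 64299), which is the whole puzzle in one place: the datagram reached the client host intact, addressed to the port the socket was bound to, and the ICMP type 3 code 3 carries the client's own address as source, so it was generated on the client host itself rather than by anything in the path. A host emits that ICMP either from the kernel, when no socket is bound to the destination port at the moment the datagram arrives, or from a netfilter REJECT rule with --reject-with icmp-port-unreachable; the decode therefore narrows the search to what happened on the client between the send and the receive.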
-
nonchip almost 10 years
Well, no, I'm afraid it's not. At least if I understand it correctly. Because:
iptables -t filter -A INPUT -i eth0 -p UDP --sport 64299 -j ACCEPT
-
nonchip almost 10 years
I see that it is the only possible explanation, but I don't see how that could be, because I explicitly accept the source port. Also I accept all established/related states, which should implicitly cover this case too (iptables remembers IP/Port pairs for stateless "connections" like UDP).
-
nonchip almost 10 years
Even stranger: inspecting
    iptables -vL ; ./client.lua ; iptables -vL
I get 0 packets for these rules before AND after the client ran, while the reject-with icmp-port-unreachable counter didn't change either.
-
user207421 almost 10 years
The question is now about iptables and is therefore off topic. Try superuser.
-
nonchip almost 10 years
Are you kidding me? The question is not about iptables, because if iptables would be blocking my packet, I would see the counters being incremented, which I don't, as I said there: stackoverflow.com/questions/24720022/…
-
user207421 almost 10 years
It isn't about your code. Your code is executing perfectly. The read timeout and ICMP message both indicate that an external factor is in play. Ergo off topic.
-
nonchip almost 10 years
Assuming there's no strange bug in luasocket closing my udp socket between sending and trying to receive, I guess you're right then. Closing this question and moving it to SU.