Thanks in advance for taking a look at this... I'm confident that the solution is simple; it's just that I don't know what it is.
Running nc -l -u 9090 and nc -uv 82.165.109.4 9090 on the same server establishes a netcat-type "connection", and messages are received as expected.
There is a docker application running that also receives the packet, so it looks like the internal environment is set up alright.
echo -p "hello" >/dev/udp/82.165.109.4/9090
is received by both tcpdump and the application.
I'm monitoring receipt of the packets with:
tcpdump -i any udp -AXn port 9090
- If I send a UDP packet from outside the box, it doesn't reach tcpdump.
- I cannot ping the server externally, but can internally.
- The port appears to be open and listening.
- The ssh, http and https ports are all functioning as expected.
netstat -ltu
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:5984 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:9070 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:http 0.0.0.0:* LISTEN
tcp 0 0 localhost:domain 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:ssh 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:https 0.0.0.0:* LISTEN
tcp6 0 0 [::]:5984 [::]:* LISTEN
tcp6 0 0 [::]:9070 [::]:* LISTEN
tcp6 0 0 [::]:http [::]:* LISTEN
tcp6 0 0 [::]:ssh [::]:* LISTEN
tcp6 0 0 [::]:https [::]:* LISTEN
udp 0 0 localhost:domain 0.0.0.0:*
udp 0 0 0.0.0.0:bootpc 0.0.0.0:*
udp 0 0 0.0.0.0:9090 0.0.0.0:*
udp6 0 0 [::]:9090 [::]:*
Everything I have read points to iptables and the firewall, so I disabled ufw:
iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER (2 references)
target prot opt source destination
ACCEPT udp -- anywhere 172.18.0.3 udp dpt:9090
ACCEPT tcp -- anywhere 172.18.0.6 tcp dpt:9080
ACCEPT tcp -- anywhere 172.18.0.2 tcp dpt:https
ACCEPT tcp -- anywhere 172.18.0.5 tcp dpt:5984
ACCEPT tcp -- anywhere 172.18.0.2 tcp dpt:http
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target prot opt source destination
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
The NAT settings are as follows:
iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 235 packets, 28704 bytes)
pkts bytes target prot opt in out source destination
163 9840 DOCKER all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT 205 packets, 26904 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 72 packets, 5351 bytes)
pkts bytes target prot opt in out source destination
2 121 DOCKER all -- * * 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT 108 packets, 7416 bytes)
pkts bytes target prot opt in out source destination
4 240 MASQUERADE all -- * !br-a371a521a463 172.18.0.0/16 0.0.0.0/0
0 0 MASQUERADE all -- * !docker0 172.17.0.0/16 0.0.0.0/0
0 0 MASQUERADE udp -- * * 172.18.0.3 172.18.0.3 udp dpt:9090
0 0 MASQUERADE tcp -- * * 172.18.0.6 172.18.0.6 tcp dpt:9080
0 0 MASQUERADE tcp -- * * 172.18.0.2 172.18.0.2 tcp dpt:443
0 0 MASQUERADE tcp -- * * 172.18.0.5 172.18.0.5 tcp dpt:5984
0 0 MASQUERADE tcp -- * * 172.18.0.2 172.18.0.2 tcp dpt:80
Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
2 120 RETURN all -- br-a371a521a463 * 0.0.0.0/0 0.0.0.0/0
0 0 RETURN all -- docker0 * 0.0.0.0/0 0.0.0.0/0
1 37 DNAT udp -- !br-a371a521a463 * 0.0.0.0/0 0.0.0.0/0 udp dpt:9090 to:172.18.0.3:9090
0 0 DNAT tcp -- !br-a371a521a463 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:9070 to:172.18.0.6:9080
4 220 DNAT tcp -- !br-a371a521a463 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 to:172.18.0.2:443
0 0 DNAT tcp -- !br-a371a521a463 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5984 to:172.18.0.5:5984
5 248 DNAT tcp -- !br-a371a521a463 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:172.18.0.2:80
With UFW enabled, the status is:
ufw status verbose
Status: active
Logging: on (high)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip
To Action From
-- ------ ----
22/tcp ALLOW IN Anywhere
80/tcp ALLOW IN Anywhere
443/tcp ALLOW IN Anywhere
993 ALLOW IN Anywhere
995 ALLOW IN Anywhere
9090/udp ALLOW IN Anywhere
520/udp ALLOW IN Anywhere
22/tcp (v6) ALLOW IN Anywhere (v6)
80/tcp (v6) ALLOW IN Anywhere (v6)
443/tcp (v6) ALLOW IN Anywhere (v6)
993 (v6) ALLOW IN Anywhere (v6)
995 (v6) ALLOW IN Anywhere (v6)
9090/udp (v6) ALLOW IN Anywhere (v6)
520/udp (v6) ALLOW IN Anywhere (v6)
9090/udp ALLOW FWD Anywhere
9090/udp (v6) ALLOW FWD Anywhere (v6)
I've tried a lot, but some of the more important things are:
- flushing the iptables had no effect
- monitoring the UDP send via tcpdump from the external box (which was logged)
- monitoring all ports and verbose logging (no change)
- switching on ip_forwarding:
sysctl -p
net.ipv4.ip_forward = 1
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.all.forwarding = 1
Other notes:
- Using a 'cloud' server, therefore a virtual machine.
- I cannot find any ufw logs in /etc/ufw/
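The question's core test is "does a UDP datagram from outside ever reach this host, or is it dropped before tcpdump on `any` can see it?". The probe below, which is an added example and not the poster's own code, packages that test so it can be run from the external box: it uses a connected UDP socket, because on Linux that is what makes a returned ICMP "port unreachable" surface as ConnectionRefusedError, so a reply means the port is open, an ICMP error means the host was reached but nothing listens, and silence means the datagram (or the ICMP) was dropped on the way. The echo responder and the 127.0.0.1 addresses are constructed for the self-test; the poster's 82.165.109.4:9090 would be passed in on the real run.

```python
"""UDP reachability probe: 'open' / 'closed' / 'filtered' for one host:port.

Added example (not from the question). The three outcomes map onto the
troubleshooting steps in the question as follows:
  open      -> a datagram came back, so the path and the listener both work
  closed    -> ICMP port unreachable arrived, so the path works but nothing
               listens on that port (or the DNAT did not apply)
  filtered  -> nothing within the timeout: dropped upstream, or a silent
               listener such as 'nc -l -u' that never replies; tcpdump on the
               host is what separates those two cases
"""
import socket
import threading

PROBE_PAYLOAD = b"probe"


def udp_probe(host: str, port: int, timeout: float = 2.0) -> str:
    """Send one datagram and classify what comes back within `timeout`."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        # connect() binds the socket to one peer so that an ICMP error for
        # that peer is delivered to this socket as ECONNREFUSED.
        sock.connect((host, port))
        try:
            sock.send(PROBE_PAYLOAD)
            sock.recv(1024)
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "filtered"
        return "open"


def start_echo_server(host: str = "127.0.0.1", port: int = 0):
    """Constructed stand-in for a replying UDP service: echoes every datagram.
    Returns (bound_port, stop_callable). Port 0 lets the kernel pick one."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((host, port))
    srv.settimeout(0.2)  # wake up regularly to notice the stop flag
    bound_port = srv.getsockname()[1]
    stop = threading.Event()

    def loop():
        while not stop.is_set():
            try:
                data, peer = srv.recvfrom(1024)
            except socket.timeout:
                continue
            srv.sendto(data, peer)
        srv.close()

    threading.Thread(target=loop, daemon=True).start()
    return bound_port, stop.set


def free_udp_port(host: str = "127.0.0.1") -> int:
    """Ask the kernel for a currently unused UDP port (then release it)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    port, stop = start_echo_server()
    print("echo listener on 127.0.0.1:%d ->" % port, udp_probe("127.0.0.1", port))
    stop()
    closed = free_udp_port()
    print("nothing on 127.0.0.1:%d ->" % closed, udp_probe("127.0.0.1", closed))
```

Run it from the external box against the real address and port: "closed" would mean the datagram reached the host's network stack (so the cloud-side filter is not the problem), while "filtered" together with nothing in tcpdump points at a drop before the VM, which is consistent with external ping failing too.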
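The nat table listed in the question already carries the evidence the poster needs: the `pkts` counter on the `DNAT udp dpt:9090` rule in the DOCKER chain reads 1, which matches the single internal echo test, so an external send that does not bump it never entered PREROUTING. The script below is an added example (not the poster's code) that parses `iptables -t nat -L -v -n` output and diffs two snapshots so that change is easy to spot. The embedded SNAPSHOT_BEFORE is a copy of the table from the question; SNAPSHOT_AFTER is constructed from it with that one counter bumped, standing in for a second listing taken after an external send.

```python
"""Parse `iptables -t nat -L -v -n` output and report which rules saw traffic.

Added example. Take one snapshot, send the test datagram from outside, take
another, and counter_delta() lists the rules whose packet counters grew.
"""
import re

# Copy of the nat table shown in the question (snapshot taken before a test).
SNAPSHOT_BEFORE = """\
Chain PREROUTING (policy ACCEPT 235 packets, 28704 bytes)
 pkts bytes target     prot opt in     out     source               destination
  163  9840 DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 205 packets, 26904 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 72 packets, 5351 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   121 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 108 packets, 7416 bytes)
 pkts bytes target     prot opt in     out     source               destination
    4   240 MASQUERADE all  --  *      !br-a371a521a463  172.18.0.0/16        0.0.0.0/0
    0     0 MASQUERADE all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0
    0     0 MASQUERADE udp  --  *      *       172.18.0.3           172.18.0.3           udp dpt:9090
    0     0 MASQUERADE tcp  --  *      *       172.18.0.6           172.18.0.6           tcp dpt:9080
    0     0 MASQUERADE tcp  --  *      *       172.18.0.2           172.18.0.2           tcp dpt:443
    0     0 MASQUERADE tcp  --  *      *       172.18.0.5           172.18.0.5           tcp dpt:5984
    0     0 MASQUERADE tcp  --  *      *       172.18.0.2           172.18.0.2           tcp dpt:80

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    2   120 RETURN     all  --  br-a371a521a463 *  0.0.0.0/0            0.0.0.0/0
    0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0
    1    37 DNAT       udp  --  !br-a371a521a463 *  0.0.0.0/0            0.0.0.0/0            udp dpt:9090 to:172.18.0.3:9090
    0     0 DNAT       tcp  --  !br-a371a521a463 *  0.0.0.0/0            0.0.0.0/0            tcp dpt:9070 to:172.18.0.6:9080
    4   220 DNAT       tcp  --  !br-a371a521a463 *  0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:172.18.0.2:443
    0     0 DNAT       tcp  --  !br-a371a521a463 *  0.0.0.0/0            0.0.0.0/0            tcp dpt:5984 to:172.18.0.5:5984
    5   248 DNAT       tcp  --  !br-a371a521a463 *  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:172.18.0.2:80
"""

_CHAIN = re.compile(r"^Chain (\S+) ")
_SUFFIX = {"K": 1_000, "M": 1_000_000, "G": 1_000_000_000}


def to_int(tok: str) -> int:
    """iptables -v abbreviates large counters (e.g. 12K, 3M)."""
    if tok[-1] in _SUFFIX:
        return int(float(tok[:-1]) * _SUFFIX[tok[-1]])
    return int(tok)


def parse_nat_table(text: str) -> list:
    """Return one dict per rule line, tagged with the chain it belongs to."""
    rules, chain = [], None
    for line in text.splitlines():
        m = _CHAIN.match(line)
        if m:
            chain = m.group(1)
            continue
        f = line.split()
        if chain is None or len(f) < 9 or f[0] == "pkts":
            continue  # blank line or column header
        rules.append({"chain": chain, "pkts": to_int(f[0]), "bytes": to_int(f[1]),
                      "target": f[2], "proto": f[3], "in": f[5], "out": f[6],
                      "src": f[7], "dst": f[8], "extra": " ".join(f[9:])})
    return rules


def rules_for_port(rules: list, proto: str, port: int) -> list:
    """Rules of `proto` whose match text names destination port `port`."""
    tag = f"dpt:{port}"
    return [r for r in rules if r["proto"] == proto and tag in r["extra"].split()]


def counter_delta(before_text: str, after_text: str) -> list:
    """Pair rules positionally and list those whose pkts counter grew."""
    grown = []
    for rb, ra in zip(parse_nat_table(before_text), parse_nat_table(after_text)):
        same = (rb["chain"], rb["target"], rb["extra"]) == (ra["chain"], ra["target"], ra["extra"])
        if same and ra["pkts"] > rb["pkts"]:
            grown.append((ra["chain"], ra["target"], ra["proto"], ra["extra"], ra["pkts"] - rb["pkts"]))
    return grown


def bump_rule(text: str, needle: str, pkts: int, nbytes: int) -> str:
    """Constructed helper: rewrite the counters of the first rule containing `needle`."""
    out, done = [], False
    for line in text.splitlines():
        if not done and needle in line:
            line = f"{pkts:>5} {nbytes:>5} {line.split(None, 2)[2]}"
            done = True
        out.append(line)
    return "\n".join(out)


# Constructed "after" snapshot: the 9090 DNAT rule has seen one more datagram.
SNAPSHOT_AFTER = bump_rule(SNAPSHOT_BEFORE, "udp dpt:9090 to:", 2, 74)

if __name__ == "__main__":
    for r in rules_for_port(parse_nat_table(SNAPSHOT_BEFORE), "udp", 9090):
        print(f'{r["chain"]:<12}{r["target"]:<12}pkts={r["pkts"]} bytes={r["bytes"]} {r["extra"]}')
    for chain, target, proto, extra, d in counter_delta(SNAPSHOT_BEFORE, SNAPSHOT_AFTER):
        print(f"+{d} packet(s): {chain} {target} {proto} {extra}")
```

On the real box the two inputs would be the output of `iptables -t nat -L -v -n` captured before and after the external send; an unchanged DNAT counter alongside an empty tcpdump means the datagram never reached the VM, so the thing to check next is whatever sits in front of it (the cloud provider's network filtering), not the rules on the host.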