Score:-1

Forward UDP packets to VM on another IP

I'm connected to internet via a router and want to route UDP packets on a port, let's say 3000 to a VM inside KVM.

┌──────────────────┐    
│ router           │
│ 54.0.0.1 (public)│
│ 192.168.0.1      │
└────────┬─────────┘
         │
         │
  ┌──────▼──────┐
  │ pc          │
  │ 192.168.0.2 │
  │ 10.0.0.1    │
  │ ┌────────┐  │
  │ │vm      │  │
  │ │10.0.0.2│  │
  │ └────────┘  │
  │             │
  └─────────────┘

I have opened port 3000 on my router and forwarded all udp packets to 192.168.0.2:3000, and from there I've added:

sudo iptables -t nat -A PREROUTING -d 192.168.0.2 -p UDP --dport 3000 -j DNAT --to 10.0.0.2:3000

However this doesn't work as expected, meaning if I run:

# on VM
$ nc -l -u -p 3000

# from another machine
$ nc 54.0.0.1 3000 -u -v

I'm not able to make a connection and exchange data. Closest thing I've got to this working is having output stage:

sudo iptables -t nat -A OUTPUT -d 192.168.0.2 -p UDP --dport 3000 -j DNAT --to 10.0.0.2:3000

and then if I nc 192.168.0.2 3000 -u -v on local machine, I'll get connected to VM. I can already see through tcpdump that packets from outside network are indeed delivered to 192.168.0.2:3000 so I don't know why this doesn't work fully. (from internet all the way to vm)

Score:0

Did you enable IPv4 forwarding on the PC? If it's stopping there, that's probably why.

Also you shouldn't need an OUTPUT chain rule in iptables; the PREROUTING is sufficient.

I replicated your steps basically like this:

┌──────────────────┐    
│ Another Machine  │
│ 192.168.146.129  │
└────────┬─────────┘
         │
         │
  ┌──────▼──────────┐
  │ pc              │
  │ 192.168.146.132 │
  │ 10.0.3.1        │
  │ ┌──────────┐    │
  │ │vm        │    │
  │ │10.0.3.100│    │
  │ └──────────┘    │
  │                 │
  └─────────────────┘

On VM:

# Start listener
nc -l -u -p 3000

On PC:

# Add Port Forwarding rule
sudo iptables -t nat -A PREROUTING -d 192.168.146.132 -p udp --dport 3000 -j DNAT --to-destination 10.0.3.100:3000

# Enable IPv4 forwarding
sudo sysctl -w net.ipv4.ip_forward=1

# Monitor traffic
sudo tcpdump -nni any udp port 3000

On other machine:

# Connect
nc 192.168.146.132 3000 -u -v

Worked just fine with that for me:

nc 192.168.146.132 3000 -u -v
192.168.146.132: inverse host lookup failed: Unknown host
(UNKNOWN) [192.168.146.132] 3000 (?) open
^C
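As an added example, not part of either post above: a small POSIX shell script that checks the three things the PC must have for the PREROUTING DNAT to actually deliver UDP/3000 to the VM (ip_forward on, the DNAT rule present, and the FORWARD chain letting the forwarded flow through) and prints the commands that would fix whatever is missing. It reads saved command output on stdin so it can be exercised offline; the sample listings at the bottom are constructed, not captured from a real host, and the addresses default to the question's (PC 192.168.0.2, VM 10.0.0.2). The FORWARD check is a caveat the thread only hints at: when the chain already carries REJECT rules for the VM bridge (as VM network managers commonly install), a matching ACCEPT has to be inserted ahead of them with `-I FORWARD 1`, not appended.

```shell
#!/bin/sh
# Added example, not from the thread: check the three conditions the PC needs
# for a PREROUTING DNAT to deliver UDP/3000 to the VM, and print the commands
# that would fix whatever is missing. Addresses default to the question's
# (PC 192.168.0.2, VM 10.0.0.2) and can be overridden from the environment.
PC_IP="${PC_IP:-192.168.0.2}"
VM_IP="${VM_IP:-10.0.0.2}"
PORT="${PORT:-3000}"

# Each check reads one command's output on stdin, so it can be exercised
# offline; on the real PC you would pipe in e.g.
#   sysctl -n net.ipv4.ip_forward | check_forwarding
#   sudo iptables -t nat -S PREROUTING | check_dnat
#   sudo iptables -S FORWARD | check_forward_chain

check_forwarding() {            # input: value of net.ipv4.ip_forward
    read -r value
    [ "$value" = "1" ]
}

check_dnat() {                  # input: iptables -t nat -S PREROUTING
    grep -qE -- "-A PREROUTING .*-d ${PC_IP}(/32)? .*-p udp .*--dport ${PORT} .*-j DNAT --to-destination ${VM_IP}:${PORT}"
}

check_forward_chain() {         # input: iptables -S FORWARD
    chain=$(cat)
    # An explicit ACCEPT for the forwarded flow always passes.
    if printf '%s\n' "$chain" | grep -qE -- "-A FORWARD .*-d ${VM_IP}(/32)? .*-p udp .*--dport ${PORT} .*-j ACCEPT"; then
        return 0
    fi
    # Otherwise the chain is fine only if it accepts by default and contains
    # no REJECT/DROP rules that could catch the flow first.
    printf '%s\n' "$chain" | grep -q '^-P FORWARD ACCEPT' &&
        ! printf '%s\n' "$chain" | grep -qE -- '-j (REJECT|DROP)'
}

# diagnose SYSCTL_VALUE NAT_LISTING FORWARD_LISTING
# Prints one fix per missing condition; returns the number of conditions missing.
diagnose() {
    missing=0
    printf '%s\n' "$1" | check_forwarding || {
        echo "sudo sysctl -w net.ipv4.ip_forward=1"
        missing=$((missing + 1))
    }
    printf '%s\n' "$2" | check_dnat || {
        echo "sudo iptables -t nat -A PREROUTING -d $PC_IP -p udp --dport $PORT -j DNAT --to-destination $VM_IP:$PORT"
        missing=$((missing + 1))
    }
    printf '%s\n' "$3" | check_forward_chain || {
        # -I FORWARD 1 puts the rules ahead of any REJECT rules already present;
        # scoping them to the one port keeps the rest of forwarding closed.
        echo "sudo iptables -I FORWARD 1 -d $VM_IP -p udp --dport $PORT -j ACCEPT"
        echo "sudo iptables -I FORWARD 1 -s $VM_IP -p udp --sport $PORT -j ACCEPT"
        missing=$((missing + 1))
    }
    return $missing
}

# Constructed sample output (not captured from a real host): DNAT rule present,
# forwarding still off, FORWARD chain carrying bridge REJECT rules.
SAMPLE_SYSCTL='0'
SAMPLE_NAT='-P PREROUTING ACCEPT
-A PREROUTING -d 192.168.0.2/32 -p udp -m udp --dport 3000 -j DNAT --to-destination 10.0.0.2:3000'
SAMPLE_FORWARD='-P FORWARD ACCEPT
-A FORWARD -d 10.0.0.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.0.0.0/24 -i virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable'

diagnose "$SAMPLE_SYSCTL" "$SAMPLE_NAT" "$SAMPLE_FORWARD"
echo "missing conditions: $?"
```

Run against the constructed samples it reports two missing conditions (forwarding and the FORWARD chain) and prints the corresponding commands; the DNAT rule is found as-is. No rule is needed for the return direction of the NAT itself: conntrack remembers the translated flow and rewrites the VM's replies back to the PC's address on the way out. Note also that `sysctl -w` does not survive a reboot, so the setting belongs in /etc/sysctl.d once it is confirmed to be the fix.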