Iptables – Need iptables port forwarding for BIDIRECTIONAL UDP

iptablesport-forwardingudp

IN SHORT: I need a port redirection on a connection-oriented protocol, just like it would be for TCP – but I need that it work for UDP. I have a custom connection-oriented protocol using UDP for transport.

In particular:

The machine to be configured is listening on port 5005 UDP.
UDP packets are expected to come from, say, 10.1.2.10.
This machine should forward this packet to, say, 10.1.2.20 port 5010.
… and the other way around!

For 4, more precisely: when a packet comes from 10.1.2.10, it is assigned a random port, say, 52000. Then, THIS machine receives packet on UDP port 5005 and forwards it to 10.1.2.20:5010 having also some randomly-selected source port, say, 52001. Now, when there's coming a packet from 10.1.2.20 port 5010 to THIS machine port 52001, it should redirect it also to 10.1.2.10 port 52000.

Moreover, if there's coming a packet from another port on 10.1.2.10, the port assignment and according rule for reverse-direction packet redirection should apply as well. It may be set 10s timeout for any traffic, after which the backward track rule is removed.

If this cannot be done using iptables, I'm fine with it – I'll fall back to a userspace solution. But with iptables it will simplify the deployment.

Best Answer

Your proxy server is thus doing a double NAT, masquerading (by hiding the other real peer) both ways.

It has to be configured as a router on its (single) interface or nothing will be forwarded. Let's say the interface name is eth0, and its IP is 10.1.2.50:
```
echo 1 > /proc/sys/net/ipv4/conf/eth0/forwarding
```
Now because of the double NAT, the transformations in PREROUTING and/or POSTROUTING prevent matching the flow just using again the same filter. So in PREROUTING a CONNMARK is used to mark the flow which can then be reused immediately in PREROUTING (and avoiding duplicating the specific test for easier management) and later in POSTROUTING. Note -p udp is still needed because we ask SNAT and/or DNAT to alter UDP ports. After that conntrack will handle all future exchange, as long as it doesn't time out (usually 30s for first reply, then 3mn)
```
iptables -t nat -A PREROUTING -s 10.1.2.10 -p udp --dport 5005 -j CONNMARK --set-mark 0x1
iptables -t nat -A PREROUTING -p udp -m connmark --mark 0x1 -j DNAT --to-destination 10.1.2.20:5010
iptables -t nat -A POSTROUTING -m connmark --mark 0x1 -j SNAT --to-source 10.1.2.50
```
If it's really a requirement that you also alter the source port, instead of having conntrack do it only when needed, change the 3rd rule into:
```
iptables -t nat -A POSTROUTING -p udp -m connmark --mark 0x1 -j SNAT --random-fully --to-source 10.1.2.50:32768-60999
```
(usual range taken from /proc/sys/net/ipv4/ip_local_port_range, and --random-fully is needed else nothing is done because the original port is already in range).
You could also change SNAT to MASQUERADE (and not have to state server IP) but only --random is available.

UPDATE: while the above rules work as intended, usually the connmark match and the CONNMARK target are intended for interaction with mark and MARK for a more complex usage as described in this blog. They are not needed for the simple usage here. Simply replace them all with resp. mark and MARK. Here netfilter's connection tracking already takes care of the flow once the first packet is handled (creating a conntrack entry in NEW state) without having to ask it to mark it in the conntrack entry. A mark is just put in the (first) packet (the nat table sees only packets in NEW state):

iptables -t nat -A PREROUTING -s 10.1.2.10 -p udp --dport 5005 -j MARK --set-mark 0x1
iptables -t nat -A PREROUTING -p udp -m mark --mark 0x1 -j DNAT --to-destination 10.1.2.20:5010
iptables -t nat -A POSTROUTING -m mark --mark 0x1 -j SNAT --to-source 10.1.2.50

Example captures, including errors (service not running etc.):

00:28:36.476453 IP 10.1.2.10.56955 > 10.1.2.50.5005: UDP, length 5
00:28:36.476487 IP 10.1.2.50.35172 > 10.1.2.20.5010: UDP, length 5
00:28:36.476516 IP 10.1.2.20 > 10.1.2.50: ICMP 10.1.2.20 udp port 5010 unreachable, length 41
00:28:36.476522 IP 10.1.2.50 > 10.1.2.10: ICMP 10.1.2.50 udp port 5005 unreachable, length 41

00:32:28.597050 IP 10.1.2.10.35443 > 10.1.2.50.5005: UDP, length 5
00:32:28.597084 IP 10.1.2.50.36842 > 10.1.2.20.5010: UDP, length 5
00:32:32.503709 IP 10.1.2.20.5010 > 10.1.2.50.36842: UDP, length 7
00:32:32.503745 IP 10.1.2.50.5005 > 10.1.2.10.35443: UDP, length 7
00:32:41.704371 IP 10.1.2.20.5010 > 10.1.2.50.36842: UDP, length 4
00:32:41.704404 IP 10.1.2.50.5005 > 10.1.2.10.35443: UDP, length 4
00:32:41.704427 IP 10.1.2.10 > 10.1.2.50: ICMP 10.1.2.10 udp port 35443 unreachable, length 40
00:32:41.704433 IP 10.1.2.50 > 10.1.2.20: ICMP 10.1.2.50 udp port 36842 unreachable, length 40

Please note that, you can replace all of this with this simple socat line (and you don't get any 30s/3mn timeout but you lose ICMP handling):

socat UDP4-LISTEN:5005,range=10.1.2.10/32,fork UDP4:10.1.2.20:5010

Related Solutions

iptables – Using ‘-p udp –state ESTABLISHED’ in iptables

So, iptables basically remembers the port number that was used for the outgoing packet (what else could it remember for a UDP packet?),

I am pretty sure for UDP the source and destination ports and addresses are stored.

If you want to inspect the state tables install conntrack and/or netstat-nat.

(What would happen, if I accidentally tried to start a service on that port within the timeframe - would that attempt be denied/blocked?)

Since you are using OUTPUT and INPUT your are talking about local services. The port is already used I don't believe your system will allow you to start up another service since something is already listening on that port. I guess you could stop the first service and start another if you really wanted to though, in that case the response would probably get to your service. What the service does with the packet depends on what the contents of the packet is, and what service it is.

Linux – IPTABLES for block sync flood over udp

If your firewall isn't already configured this way, default deny is the safer way to operate. This means that anything that isn't explicitly allowed is denied. For iptables, this means:

 iptables -P INPUT DROP

You can do this for the OUTPUT and FORWARD chains as well but OUTPUT in particular requires a little more discipline in managing what your server is allowed to connect to.

After disallowing everything, you allow what you want. Does your game listen for UDP traffic on ports 27015 and 27018? If so, add rules that allow that traffic in. Does the client always use a small range of source ports or even a single source port? If so, restrict the allowed packets to just those source ports. The first example you gave where the source port is 80 would be automatically blocked in that case. The other one might be depending on what source ports your client uses.

How are you determining that the firewall rules are not working? tcpdump attaches outside the firewall and hence will see packets that are destined to be dropped (or in the outbound direction, that have already passed the firewall). You can use a -j LOG rule to monitor specific parts of your chains or use in-application logging.

I'm not quite sure what you mean by "overload the udp ports". Does your application need to use a separate UDP port for each connecting IP address? Is there some shared resource that is acting as a bottleneck? Is all this UDP traffic just filling the networking hardware's buffers, causing the kind of latency associated with bufferbloat? If this last one is true, blocking using iptables won't even solve your problem.

Best Answer

Related Solutions

iptables – Using ‘-p udp –state ESTABLISHED’ in iptables

Linux – IPTABLES for block sync flood over udp

Related Topic