Linux – Udp port binding in VMware Linux

bindingslinuxudpvirtual-machines

In my application, there're two physical computers, both in Windows environment. Computer 2 (with IP "192.168.2.2") has a VMware Linux virtual machine (with IP "192.168.80.129") installed on it. What I want to do is to send UDP socket from the virtual machine to computer 1 (with IP "192.168.2.1").

As required by my application, when the udp sent through virtual machine to computer 2, the ports should be specified.

Now my situation is that, when I create and configure udp sockets in Linux, I specify two ports LOCAL_PORT(9000) and REMOTE_PORT(9001).

When I open WireShark to monitor, in the Linux VM, the source port is LOCAL_PORT(9001), however, the destination port is "iua(9900)". Source IP is "192.168.80.129" and destination IP is "192.168.2.1", which is correct.

When I open Wireshark in Windows on either computer 1 or computer 2, Source IP shown is "192.168.2.2", while destination IP is "192.168.2.1". This seems understandable, because the sender is a virtual machine, thus Udp is actually sent by the host computer(computer 2). The destination port is correct as 9001, however, the source port seems to be arbitrary.

Does anyone know what I can do in the VM so that the source port can be the number (9900) as assigned instead of an arbitrary number? Thanks!

int sock1; struct sockaddr_in slAddr, myAddr; memset(&slAddr, 0, sizeof(slAddr)); memset(&myAddr, 0, sizeof(myAddr)); slAddr.sin_family = AF_INET; slAddr.sin_port = htons(RM_PORT);//RM_PORT=9900 slAddr.sin_addr.s_addr = inet_addr(SL_IP);//SL_IP="192.168.2.1" myAddr.sin_family = AF_INET; myAddr.sin_port = htons(LC_PORT);//LC_PORT=9901 myAddr.sin_addr.s_addr = inet_addr(MY_IP);//MY_IP="192.168.80.129" sock1 = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP); bind(sock1, (struct sockaddr *)&myAddr, sizeof(myAddr)); sendto(sock1, packeddata, 8, 0, (struct sockaddr*)&slAddr, sizeof(slAddr));

Best Answer

Your code seems OK (except for sometimes writing port 9901 and sometimes 9001).

Your problem is that your VMWare host is NATting all the outbound packets.

You need NAT to rewrite the source IP of your VM to correspond to the 192.168.2.* network. To do this for many source IPs (here you have two, your VM and your physical machine), NAT also needs to be able to rewrite the source port. It uses the source port to remember where the packet came from. You do not need that because you only had one application, but NAT does not know that.

(Actually, according to classic Cisco terminology, you are doing PAT and non-overloading NAT would solve your problem by requiring a 192.168.2.* IP dedicated to your VM, but I don't think anyone uses that any more . . .)

I do not think that VMWare can do NAT while keeping the source port. You therefore need to turn NAT off (making a layer 2 bridge between your physical LAN and your virtual machine's network adapter). That means that you will have to give your virtual computer an IP in the same 192.168.2.* as the physical servers (or else you will have to do routing, which would be a lot more complicated.)

What you have done (as per your comment) is to write a proxy, that binds to port 9901 on the host computer. It is your proxy that is translating the IP from 192.168.80.129 to 192.168.2.2 and back, and it is keeping the source port because you wrote it that way.

If that solution is good for you, in your case, then that's good!

Usually on the Internet programs and protocols are written not to care about the source port; the source port is just a number > 1023 that is to be used as destination port for the reply packet. The protocols that did otherwise (DNS and NTP come to mind) have evolved to permit non-fixed source ports.

Related Solutions

Linux – How to run a server on port 80 as a normal user on Linux

Short answer: you can't. Ports below 1024 can be opened only by root. As per comment - well, you can, using CAP_NET_BIND_SERVICE, but that approach, applied to java bin will make any java program to be run with this setting, which is undesirable, if not a security risk.

The long answer: you can redirect connections on port 80 to some other port you can open as normal user.

Run as root:

# iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080

As loopback devices (like localhost) do not use the prerouting rules, if you need to use localhost, etc., add this rule as well (thanks @Francesco):

# iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 80 -j REDIRECT --to-ports 8080

NOTE: The above solution is not well suited for multi-user systems, as any user can open port 8080 (or any other high port you decide to use), thus intercepting the traffic. (Credits to CesarB).

EDIT: as per comment question - to delete the above rule:

# iptables -t nat --line-numbers -n -L

This will output something like:

Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination         
1    REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:8080 redir ports 8088
2    REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 redir ports 8080

The rule you are interested in is nr. 2, so to delete it:

# iptables -t nat -D PREROUTING 2

Linux Kernel – Multicast UDP Packets Not Passing Through

In our instance, our problem was solved by sysctl parameters, one different from Maciej.

Please note that I do not speak for the OP (buecking), I came on this post due to the problem being related by the basic detail (no multicast traffic in userland).

We have an application that reads data sent to four multicast addresses, and a unique port per multicast address, from an appliance that is (usually) connected directly to an interface on the receiving server.

We were attempting to deploy this software on a customer site when it mysteriously failed with no known reason. Attempts at debugging this software resulted in inspecting every system call, ultimately they all told us the same thing:

Our software asks for data, and the OS never provides any.

The multicast packet counter incremented, tcpdump showed the traffic reaching the box/specific interface, yet we couldn't do anything with it. SELinux was disabled, iptables was running but had no rules in any of the tables.

Stumped, we were.

In randomly poking around, we started thinking about the kernel parameters that sysctl handles, but none of the documented features was either particularly relevant, or if they had to do with multicast traffic, they were enabled. Oh, and ifconfig did list "MULTICAST" in the feature line (up, broadcast, running, multicast). Out of curiosity we looked at /etc/sysctl.conf. 'lo and behold, this customer's base image had a couple of extra lines added to it at the bottom.

In our case, the customer had set net.ipv4.all.rp_filter = 1. rp_filter is the Route Path filter, which (as I understand it) rejects all traffic that could not have possibly reached this box. Network subnet hopping, the thought being that the source IP is being spoofed.

Well, this server was on a 192.168.1/24 subnet and the appliance's source IP address for the multicast traffic was somewhere in the 10.* network. Thus, the filter was preventing the server from doing anything meaningful with the traffic.

A couple of tweaks approved by the customer; net.ipv4.eth0.rp_filter = 1 and net.ipv4.eth1.rp_filter = 0 and we were running happily.

Best Answer

Related Solutions

Linux – How to run a server on port 80 as a normal user on Linux

Linux Kernel – Multicast UDP Packets Not Passing Through

Related Topic