4
votes

Moved: https://superuser.com/questions/782549/udp-client-sending-icmp-port-unreachable-when-receiveing-messages-from-the-ser

I have a UDP client using luasocket, basically doing this (with a few layers of abstraction, but this is what's going on there):

local socket = require("socket")                      -- luasocket

s = socket.udp()
s:setsockname("*", 0)                                 -- bind to any local address, ephemeral port
s:setpeername(socket.dns.toip("example.com"), 64299)  -- "connect" the socket to the server
s:settimeout(0)                                       -- non-blocking send
s:send(...)
s:settimeout(10)                                      -- wait up to 10 s for the reply
msg, err = s:receive()
s:settimeout(0)
print(msg, err)                                       -- msg is nil, err is "timeout"

While seeing that everything's fine in the server's debug output (ssh to the remote host), I get a "timeout" error in the client.

When inspecting everything with client-side Wireshark, I see the packet my client sent, and a response packet from the server (correct port and everything), AND an ICMP "port unreachable" packet sent from my client host to the server in response to its (correct) response.

What's going on there? I tried everything, including resetting my iptables to "accept everything", but my client still sends the "port unreachable".

The relevant packets are:

From            To              Proto Len  Description
192.168.2.100   95.143.172.171  UDP   61   Source port: 45025  Destination port: 64299
  000e8f11e7000025229835a908004500002f4008400040112b6fc0a802645f8facabafe1fb2b001b28d794d2000ec8360100aa81a477616e74a3756964
95.143.172.171  192.168.2.100   UDP   60   Source port: 64299  Destination port: 45025
  0025229835a9000e8f11e70008004500002b000040003911727b5f8facabc0a80264fb2bafe100172e8d94d2000e0ea10100a681a3756964ff000000
192.168.2.100   95.143.172.171  ICMP  85   Destination unreachable (Port unreachable)
  000e8f11e7000025229835a9080045c00047061d00004001a492c0a802645f8facab0303cc6c000000004500002b000040003911727b5f8facabc0a80264fb2bafe100172e8d94d2000e0ea10100a681a3756964ff

Firewall, in case it's important (which I don't think it is, because iptables doesn't increment any INPUT packet counters while this happens):

$ sudo iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --sport 64299 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i eth0 -p tcp -m tcp --dport 10001:30000 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o lo -j ACCEPT
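To read the three hex dumps above without guessing, here is an added Python decoder (not from the question, luasocket, or any project on this page) that parses them as Ethernet II / IPv4 frames: it checks that the server's reply is addressed to the port the client sent from, that the ICMP message is type 3 code 3 and originates from the client host, and that the datagram quoted inside it is that very reply.

```python
import struct

# Constructed from the three hex dumps in the question (Ethernet II / IPv4, no VLAN tag).
REQUEST = bytes.fromhex(
    "000e8f11e7000025229835a908004500002f4008400040112b6fc0a802645f8facab"
    "afe1fb2b001b28d794d2000ec8360100aa81a477616e74a3756964")
REPLY = bytes.fromhex(
    "0025229835a9000e8f11e70008004500002b000040003911727b5f8facabc0a80264"
    "fb2bafe100172e8d94d2000e0ea10100a681a3756964ff000000")
ICMP_ERR = bytes.fromhex(
    "000e8f11e7000025229835a9080045c00047061d00004001a492c0a802645f8facab"
    "0303cc6c000000004500002b000040003911727b5f8facabc0a80264fb2bafe10017"
    "2e8d94d2000e0ea10100a681a3756964ff")

def parse_ipv4(buf):
    """Decode an IPv4 header; return (fields, payload) with Ethernet padding trimmed."""
    ver_ihl, tos, total, ident, _flags, ttl, proto = struct.unpack("!BBHHHBB", buf[:10])
    hdr = {"id": ident, "tos": tos, "ttl": ttl, "proto": proto,
           "src": ".".join(map(str, buf[12:16])), "dst": ".".join(map(str, buf[16:20]))}
    return hdr, buf[(ver_ihl & 0x0F) * 4:total]

def parse_udp(buf):
    sport, dport, length, _csum = struct.unpack("!HHHH", buf[:8])
    return {"sport": sport, "dport": dport, "payload": buf[8:length]}

def parse_frame(frame):
    """Ethernet II frame -> (ip_header, transport). ICMP errors also yield the quoted datagram."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ip, l4 = parse_ipv4(frame[14:])
    if ip["proto"] == 17:                                  # UDP
        return ip, parse_udp(l4)
    if ip["proto"] == 1:                                   # ICMP: 8-byte header, then the offending datagram
        q_ip, q_l4 = parse_ipv4(l4[8:])
        return ip, {"type": l4[0], "code": l4[1], "quoted_ip": q_ip, "quoted_udp": parse_udp(q_l4)}
    raise ValueError("unexpected protocol %d" % ip["proto"])

def diagnose(request, reply, icmp_err):
    """The checks you would make by hand: does the reply fit the socket, and who refused it?"""
    req_ip, req = parse_frame(request)
    rep_ip, rep = parse_frame(reply)
    err_ip, err = parse_frame(icmp_err)
    quoted = err["quoted_udp"]
    return {
        "reply_matches_socket": rep_ip["src"] == req_ip["dst"] and (rep["sport"], rep["dport"]) == (req["dport"], req["sport"]),
        "icmp_is_port_unreachable": (err["type"], err["code"]) == (3, 3),   # RFC 792 type 3 / code 3
        "icmp_sent_by_client_host": err_ip["src"] == req_ip["src"],
        "icmp_quotes_reply": err["quoted_ip"]["src"] == rep_ip["src"] and quoted["dport"] == rep["dport"] and quoted["payload"] == rep["payload"],
    }
```

When every check is true, the reply fits the socket and the refusal was generated on the client host itself, so the thing to inspect is that host (socket state, local firewall), not the path or the server.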
Nir Alfasi: Some servers block ICMP (for security reasons) which might explain it.
user207421: @alfasin Explain it how?
Nir Alfasi: @EJP not sure if I understand your question, you can set iptables -P DROP to drop ICMP requests
nonchip: @alfasin the problem is there's no reason why that port should be unreachable, because I just sent the request packet from it.
user207421: @alfasin Come off it. My question is clear. How would that explain why he gets an ICMP UNREACH?

1 Answer

1
votes

Your client-side firewall is actively blocking inbound UDP.