TCP NAT forwarding works, UDP doesnt

Question

I am using an Ubuntu Computer as a Router. It has a network connected locally on eth0 and is also connected to the internet with another interface and inside of an OpenVPN.

I set up NAT port forwarding, so I can reach a few of the devices in the attached subnet.

sudo iptables -A FORWARD -o eth0 -i tun0 -j ACCEPT
sudo iptables -A FORWARD -o eth0 -i tun0 -j ACCEPT
sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

sudo iptables -t nat -A PREROUTING -p udp -i tun0 --dport 14550 -j DNAT --to-destination 192.168.1.50:60000
sudo iptables -t nat -A PREROUTING -p tcp -i tun0 --dport 5000 -j DNAT --to-destination 192.168.1.2:5000

From the subnet I can reach the internet fine and from any other computer I can reach the TCP server that is being forwarded to port 5000.

The Ubuntu routers eth0 interface has the IP 192.168.1.1 and the UDP server the IP 192.168.1.50.

I can't figure out how to get UDP forwarding to work. tcpdump shows me that the UDP server inside the subnet is active and it can and does communicate to the ubuntu computer that acts as the router.

Just when I try to reach it from the outside, I get nothing.

Thanks

Answer 1

From the information you provided it isn't directly clear if your FORWARD policy allows forwarding or not. If not - you don't have the rules to forward DNATted traffic from tun0 to eth0.

Answer 2

There seems to be an additional "." at the end of your DNAT for UDP rule in the IP address part. I believe you might have received an error when trying to add the rule and maybe not noticing it. Maybe you should provide iptables dump of the nat table.

Answer 3

Sorry, we figured it out. The connected UDP Server had an issue when talking to different subnets. It just wouldn't send any response when the subnet didn't match the directly connected one. Configuration worked otherwise.