
I'm connected to the internet via a router and want to route UDP packets on a port, let's say 3000, to a VM inside KVM.

┌──────────────────┐    
│ router           │
│ 54.0.0.1 (public)│
│ 192.168.0.1      │
└────────┬─────────┘
         │
         │
  ┌──────▼──────┐
  │ pc          │
  │ 192.168.0.2 │
  │ 10.0.0.1    │
  │ ┌────────┐  │
  │ │vm      │  │
  │ │10.0.0.2│  │
  │ └────────┘  │
  │             │
  └─────────────┘

I have opened port 3000 on my router and forwarded all UDP packets to 192.168.0.2:3000, and from there I've added:

sudo iptables -t nat -A PREROUTING -d 192.168.0.2 -p UDP --dport 3000 -j DNAT --to 10.0.0.2:3000

However, this doesn't work as expected, meaning if I run:

# on VM
$ nc -l -u -p 3000

# from another machine
$ nc 54.0.0.1 3000 -u -v

I'm not able to make a connection and exchange data. The closest I've got to this working is adding a rule at the OUTPUT stage:

sudo iptables -t nat -A OUTPUT -d 192.168.0.2 -p UDP --dport 3000 -j DNAT --to 10.0.0.2:3000

and then if I run nc 192.168.0.2 3000 -u -v on the local machine, I get connected to the VM. I can already see through tcpdump that packets from the outside network are indeed delivered to 192.168.0.2:3000, so I don't know why this doesn't work fully (from the internet all the way to the VM).

d9ngle

1 Answer


Did you enable IPv4 forwarding on the PC? If it's stopping there, that's probably why.

Also, you shouldn't need an OUTPUT chain rule in iptables; the PREROUTING rule is sufficient.

I replicated your steps basically like this:

┌──────────────────┐    
│ Another Machine  │
│ 192.168.146.129  │
└────────┬─────────┘
         │
         │
  ┌──────▼──────────┐
  │ pc              │
  │ 192.168.146.132 │
  │ 10.0.3.1        │
  │ ┌──────────┐    │
  │ │vm        │    │
  │ │10.0.3.100│    │
  │ └──────────┘    │
  │                 │
  └─────────────────┘

On VM:

# Start listener
nc -l -u -p 3000

On PC:

# Add Port Forwarding rule
sudo iptables -t nat -A PREROUTING -d 192.168.146.132 -p udp --dport 3000 -j DNAT --to-destination 10.0.3.100:3000

# Enable IPv4 forwarding
sudo sysctl -w net.ipv4.ip_forward=1

# Monitor traffic
sudo tcpdump -nni any udp port 3000

On other machine:

# Connect (the nc command itself)
nc 192.168.146.132 3000 -u -v

Worked just fine with that for me:

nc 192.168.146.132 3000 -u -v
192.168.146.132: inverse host lookup failed: Unknown host
(UNKNOWN) [192.168.146.132] 3000 (?) open
^C
A. Trevelyan
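For checking a host against the three prerequisites the answer relies on (ip_forward enabled, a nat PREROUTING DNAT rule, and a FORWARD chain that accepts the rewritten packet), here is an added script that is not code from the question or the answer. It uses the addresses from the question; the function names are mine, and the sample rule text is constructed in iptables-save format so the checks run without root.

```sh
#!/bin/sh
# Added example, not code from the question or the answer: checks the three
# things a Linux host needs before a DNAT'd UDP packet reaches a guest.
# Sample rule text below is constructed in iptables-save format.
PC_IP=192.168.0.2
VM_IP=10.0.0.2
PORT=3000

# The kernel only forwards at all when net.ipv4.ip_forward is 1.
check_ip_forward() { [ "$1" = "1" ]; }

# nat PREROUTING must rewrite the destination before the routing decision.
has_dnat_rule() {
  printf '%s\n' "$1" | grep -Eq -- \
    "^-A PREROUTING .*-d $PC_IP(/32)? .*-p udp .*--dport $PORT .*-j DNAT --to-destination $VM_IP:$PORT"
}

# filter FORWARD must let the rewritten packet through: default ACCEPT or an explicit rule.
forward_allowed() {
  printf '%s\n' "$1" | grep -Eq -- "^:FORWARD ACCEPT" && return 0
  printf '%s\n' "$1" | grep -Eq -- "^-A FORWARD .*-d $VM_IP(/32)? .*-p udp .*--dport $PORT .*-j ACCEPT"
}

# diagnose <ip_forward value> <iptables-save output>: prints what is missing, returns 1 if anything is.
diagnose() {
  rc=0
  check_ip_forward "$1" || { echo "missing: sysctl -w net.ipv4.ip_forward=1"; rc=1; }
  has_dnat_rule "$2"    || { echo "missing: nat PREROUTING DNAT for udp/$PORT -> $VM_IP"; rc=1; }
  forward_allowed "$2"  || { echo "missing: FORWARD rule accepting udp/$PORT to $VM_IP"; rc=1; }
  return $rc
}

# Constructed iptables-save output matching the question: DNAT present, FORWARD default ACCEPT.
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -d 192.168.0.2/32 -p udp -m udp --dport 3000 -j DNAT --to-destination 10.0.0.2:3000
COMMIT
*filter
:FORWARD ACCEPT [0:0]
COMMIT'

# Same host, but with a restrictive FORWARD policy and no explicit accept rule.
STRICT_RULES=$(printf '%s\n' "$SAMPLE_RULES" | sed 's/^:FORWARD ACCEPT/:FORWARD DROP/')

# On a live host: diagnose "$(cat /proc/sys/net/ipv4/ip_forward)" "$(sudo iptables-save)"
if diagnose 0 "$SAMPLE_RULES"; then echo "forward path complete"; fi
```

The VM's default route also has to point back at the PC (10.0.0.1 in the question) so that replies traverse the same conntrack entry and get un-DNATed; a VM with another gateway will receive the packets but its answers never reach the client.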