On Wed, Feb 10, 2021 at 12:50:41PM +0000, Ian Bowden wrote:
> I'm planning to install software on my VPS, which
> requires incoming UDP on
Note that quite a few network providers block weird UDP traffic
because they think it might be used for denial of service attacks.
It is quite possible for some entity in the middle to drop your
traffic and as you are not a direct customer of it, it can be hard
> My iptables is set to allow incoming udp on that port,
> but it remains closed
> to the outside world.
There's no such thing as an open UDP port; UDP is a one-way
communications protocol with no inherent signalling so (unlike TCP)
there is no response expected to an incoming UDP datagram and no way
for the sender to tell it actually arrived at the other end.
If there is nothing listening at the destination host then the
destination host MIGHT send back an ICMP Destination Unreachable
message, but equally it might just not do anything at all. Also any
intermediary firewall may decide to silently drop the datagram.
It is expected that any application using UDP should do its own
checking inside its own protocol, like expecting some sort of
response or acknowledgement back.
> I've set up a simple listener on port 10000
How? This may not have been done correctly. Here's how to do it
$ nc -ul 10000
At the other (client) side:
$ nc -u <your bitfolk IP> 10000
type some stuff here, see it appear other side
> then tested using a web service for port checking, and
> using telnet from two other locations.
As Alarig pointed out, telnet is a TCP application so you probably
weren't testing against your UDP listener. It seems likely that the
web site you used worked similarly. What was it?
If you find that your UDP datagrams don't get through, I don't think
you can diagnose where with a normal traceroute. You can do it with
OpenBSD netcat (available in Debian/Ubuntu as netcat-openbsd) by
setting max TTL higher and higher and seeing which hosts respond
with an ICMP Time Exceeded message:
In one window of client look for ICMP Time Exceeded messages:
$ sudo tcpdump -vpni eth0 'dst host <your IP> and icmp and icmp[icmptype] =
In other window, send a datagram with a max TTL of 1 (I'll use one
of my IPs and a port of 53 because I know there's something
nc -uv -M 1 126.96.36.199 53
Watch tcpdump see a message:
13:46:36.901339 IP (tos 0xc0, ttl 255, id 63728, offset 0, flags [none], proto ICMP (1),
188.8.131.52 > 184.108.40.206: ICMP time exceeded in-transit, length 36
First hop was 220.127.116.11.
Set max TTL 2, repeat.
nc -uv -M 2 18.104.22.168 53
13:49:03.186759 IP (tos 0xc0, ttl 254, id 203, offset 0, flags [none], proto ICMP (1),
22.214.171.124 > 126.96.36.199: ICMP time exceeded in-transit, length 36
Next hop was 188.8.131.52
And so on. If some hop is dropping UDP datagrams you will stop
getting ICMP type 11 messages beyond that point.
-- No-nonsense VPS hosting
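The nc -M / tcpdump loop above, automated, as an added example that is not part of the original message or of any BitFolk tooling. It sends UDP probes to the target port with an increasing IP TTL and reads the ICMP Time Exceeded (type 11) or Destination Unreachable (type 3) replies on a raw ICMP socket, matching each reply to the probe by the UDP header that the router quotes back. The raw socket needs root (or CAP_NET_RAW); the parser and the constructed test packet in `build_icmp_error` run without any network. Hostnames, addresses and port numbers in it are placeholders.

```python
"""UDP traceroute: probe with rising TTL, read ICMP errors (added example)."""
import socket
import struct
import time

ICMP_DEST_UNREACH = 3
ICMP_TIME_EXCEEDED = 11


def parse_icmp_reply(packet: bytes):
    """Parse a raw IPv4 packet (header included, as Linux raw ICMP sockets
    deliver it). Return details of an ICMP type 3/11 error that quotes a UDP
    probe, or None for anything else (echo replies, TCP quotes, junk)."""
    if len(packet) < 20:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != socket.IPPROTO_ICMP or len(packet) < ihl + 8:
        return None
    icmp_type, icmp_code = packet[ihl], packet[ihl + 1]
    if icmp_type not in (ICMP_TIME_EXCEEDED, ICMP_DEST_UNREACH):
        return None
    inner = packet[ihl + 8:]          # quoted original IP header + first 8 bytes
    if len(inner) < 20:
        return None
    inner_ihl = (inner[0] & 0x0F) * 4
    if inner[9] != socket.IPPROTO_UDP or len(inner) < inner_ihl + 8:
        return None
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return {"hop": socket.inet_ntoa(packet[12:16]), "type": icmp_type,
            "code": icmp_code, "orig_dst": socket.inet_ntoa(inner[16:20]),
            "orig_sport": sport, "orig_dport": dport}


def _ipv4_header(src, dst, proto, ttl):
    # version/IHL, TOS, total length, id, flags/frag, TTL, proto, checksum(0)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 56, 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def build_icmp_error(hop, probe_src, probe_dst, sport, dport,
                     icmp_type=ICMP_TIME_EXCEEDED, code=0):
    """Constructed test data (not a capture): the packet a router at `hop`
    sends back about a UDP probe probe_src:sport -> probe_dst:dport.
    Checksums are left zero; the parser never checks them."""
    quoted = _ipv4_header(probe_src, probe_dst, socket.IPPROTO_UDP, 1)
    quoted += struct.pack("!HHHH", sport, dport, 9, 0)   # UDP: ports, len, csum
    icmp = struct.pack("!BBHI", icmp_type, code, 0, 0) + quoted
    return _ipv4_header(hop, probe_src, socket.IPPROTO_ICMP, 255) + icmp


def udp_traceroute(dst, port, max_hops=30, timeout=2.0):
    """Yield (ttl, hop_or_None, icmp_type_or_None) per TTL. Stops when the
    destination answers with Destination Unreachable or max_hops is hit.
    A run of None rows past some hop means that hop (or the next) is
    dropping the UDP datagrams, or is filtering ICMP. Needs root."""
    dst_ip = socket.gethostbyname(dst)
    recv = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP)
    send = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    send.bind(("", 0))
    sport = send.getsockname()[1]          # ephemeral port, used to match replies
    for ttl in range(1, max_hops + 1):
        send.setsockopt(socket.IPPROTO_IP, socket.IP_TTL, ttl)
        send.sendto(b"x", (dst_ip, port))
        deadline, hop, itype = time.monotonic() + timeout, None, None
        while time.monotonic() < deadline:
            recv.settimeout(max(0.01, deadline - time.monotonic()))
            try:
                pkt, _ = recv.recvfrom(1500)
            except socket.timeout:
                break
            info = parse_icmp_reply(pkt)
            if info and (info["orig_dst"], info["orig_sport"],
                         info["orig_dport"]) == (dst_ip, sport, port):
                hop, itype = info["hop"], info["type"]
                break
        yield ttl, hop, itype
        if itype == ICMP_DEST_UNREACH:
            break
    send.close()
    recv.close()


if __name__ == "__main__":
    import sys
    target = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 53
    for ttl, hop, itype in udp_traceroute(target, port):
        label = {11: "time exceeded", 3: "unreachable"}.get(itype, "no ICMP reply")
        print(f"{ttl:2d}  {hop or '*':15s}  {label}")
```

Usage: `sudo python3 udptrace.py <your bitfolk IP> 10000`. Matching on the quoted source and destination ports matters because the raw ICMP socket sees every ICMP error the host receives, not just ones about your probe. As the message above notes, a hop that drops UDP silently and one that merely filters outbound ICMP look the same from here: both produce a row with no reply.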