Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!


NAT traversal failed issue
New on LowEndTalk? Please Register and read our Community Rules.

All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.

NAT traversal failed issue

Hi guys
I am trying to build a node for a blockchain and everytime i build it i get NAT traversal failed.
i have tried adding the ports which the node uses (9650,9651 and 21001) to the firewall accepted port but i still get this issue.
am using Start-2-M from online.net
i would appreciate any help on this

Comments

  • tetechtetech Member

    @enitan092 said:
    Hi guys
    I am trying to build a node for a blockchain and everytime i build it i get NAT traversal failed.
    i have tried adding the ports which the node uses (9650,9651 and 21001) to the firewall accepted port but i still get this issue.
    am using Start-2-M from online.net
    i would appreciate any help on this

    How is your firewall set up? Show iptables-save or equivalent. You'd need to have a NAT table and configure masquerade, not just accept on the INPUT chain.

  • enitan092enitan092 Member
    edited July 2020

    `root@sd-104447:~# iptables-save

    Generated by iptables-save v1.6.1 on Sun Jul 19 12:42:09 2020

    *nat
    :PREROUTING ACCEPT [19496:1082247]
    :INPUT ACCEPT [54:3816]
    :OUTPUT ACCEPT [82:5864]
    :POSTROUTING ACCEPT [82:5864]
    -A POSTROUTING -o eth1 -j MASQUERADE
    COMMIT

    Completed on Sun Jul 19 12:42:09 2020

    Generated by iptables-save v1.6.1 on Sun Jul 19 12:42:09 2020

    *filter
    :INPUT DROP [12425:746500]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [0:0]
    :ufw-after-forward - [0:0]
    :ufw-after-input - [0:0]
    :ufw-after-logging-forward - [0:0]
    :ufw-after-logging-input - [0:0]
    :ufw-after-logging-output - [0:0]
    :ufw-after-output - [0:0]
    :ufw-before-forward - [0:0]
    :ufw-before-input - [0:0]
    :ufw-before-logging-forward - [0:0]
    :ufw-before-logging-input - [0:0]
    :ufw-before-logging-output - [0:0]
    :ufw-before-output - [0:0]
    :ufw-logging-allow - [0:0]
    :ufw-logging-deny - [0:0]
    :ufw-not-local - [0:0]
    :ufw-reject-forward - [0:0]
    :ufw-reject-input - [0:0]
    :ufw-reject-output - [0:0]
    :ufw-skip-to-policy-forward - [0:0]
    :ufw-skip-to-policy-input - [0:0]
    :ufw-skip-to-policy-output - [0:0]
    :ufw-track-forward - [0:0]
    :ufw-track-input - [0:0]
    :ufw-track-output - [0:0]
    :ufw-user-forward - [0:0]
    :ufw-user-input - [0:0]
    :ufw-user-limit - [0:0]
    :ufw-user-limit-accept - [0:0]
    :ufw-user-logging-forward - [0:0]
    :ufw-user-logging-input - [0:0]
    :ufw-user-logging-output - [0:0]
    :ufw-user-output - [0:0]
    -A INPUT -j ufw-before-logging-input
    -A INPUT -j ufw-before-input
    -A INPUT -j ufw-after-input
    -A INPUT -j ufw-after-logging-input
    -A INPUT -j ufw-reject-input
    -A INPUT -j ufw-track-input
    -A FORWARD -j ufw-before-logging-forward
    -A FORWARD -j ufw-before-forward
    -A FORWARD -j ufw-after-forward
    -A FORWARD -j ufw-after-logging-forward
    -A FORWARD -j ufw-reject-forward
    -A FORWARD -j ufw-track-forward
    -A OUTPUT -j ufw-before-logging-output
    -A OUTPUT -j ufw-before-output
    -A OUTPUT -j ufw-after-output
    -A OUTPUT -j ufw-after-logging-output
    -A OUTPUT -j ufw-reject-output
    -A OUTPUT -j ufw-track-output
    -A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
    -A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
    -A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
    -A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
    -A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
    -A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
    -A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
    -A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
    -A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
    -A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
    -A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
    -A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
    -A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
    -A ufw-before-forward -j ufw-user-forward
    -A ufw-before-input -i lo -j ACCEPT
    -A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
    -A ufw-before-input -m conntrack --ctstate INVALID -j DROP
    -A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
    -A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
    -A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
    -A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
    -A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
    -A ufw-before-input -j ufw-not-local
    -A ufw-before-input -d x.x.x.x/32 -p udp -m udp --dport 5353 -j ACCEPT
    -A ufw-before-input -d x.x.x.x/32 -p udp -m udp --dport 1900 -j ACCEPT
    -A ufw-before-input -j ufw-user-input
    -A ufw-before-output -o lo -j ACCEPT
    -A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A ufw-before-output -j ufw-user-output
    -A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
    -A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
    -A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
    -A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
    -A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
    -A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
    -A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
    -A ufw-not-local -j DROP
    -A ufw-skip-to-policy-forward -j DROP
    -A ufw-skip-to-policy-input -j DROP
    -A ufw-skip-to-policy-output -j ACCEPT
    -A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
    -A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
    -A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
    -A ufw-user-input -p tcp -m tcp --dport 80 -j ACCEPT
    -A ufw-user-input -p tcp -m tcp --dport 443 -j ACCEPT
    -A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
    -A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
    -A ufw-user-limit-accept -j ACCEPT
    COMMIT

    Completed on Sun Jul 19 12:42:09 2020`

  • @tetech said:

    @enitan092 said:
    Hi guys
    I am trying to build a node for a blockchain and everytime i build it i get NAT traversal failed.
    i have tried adding the ports which the node uses (9650,9651 and 21001) to the firewall accepted port but i still get this issue.
    am using Start-2-M from online.net
    i would appreciate any help on this

    How is your firewall set up? Show iptables-save or equivalent. You'd need to have a NAT table and configure masquerade, not just accept on the INPUT chain.

    The above is what i got

  • tetechtetech Member

    @enitan092 said:

    @tetech said:

    @enitan092 said:
    Hi guys
    I am trying to build a node for a blockchain and everytime i build it i get NAT traversal failed.
    i have tried adding the ports which the node uses (9650,9651 and 21001) to the firewall accepted port but i still get this issue.
    am using Start-2-M from online.net
    i would appreciate any help on this

    How is your firewall set up? Show iptables-save or equivalent. You'd need to have a NAT table and configure masquerade, not just accept on the INPUT chain.

    The above is what i got

    Original post said you're using ports 9650, 9651 and 21001, but with a quick search I don't see them handled at all in the firewall. So basically it seems they are blocked at firewall.

    (You might want to redact the public IP addresses in previous post)

  • @tetech said:

    @enitan092 said:

    @tetech said:

    @enitan092 said:
    Hi guys
    I am trying to build a node for a blockchain and everytime i build it i get NAT traversal failed.
    i have tried adding the ports which the node uses (9650,9651 and 21001) to the firewall accepted port but i still get this issue.
    am using Start-2-M from online.net
    i would appreciate any help on this

    How is your firewall set up? Show iptables-save or equivalent. You'd need to have a NAT table and configure masquerade, not just accept on the INPUT chain.

    The above is what i got

    Original post said you're using ports 9650, 9651 and 21001, but with a quick search I don't see them handled at all in the firewall. So basically it seems they are blocked at firewall.

    (You might want to redact the public IP addresses in previous post)

    I had a new reinstalled.
    Here is it after adding the required port again.

    `root@sd-104447:~# iptables-save

    Generated by iptables-save v1.6.1 on Sun Jul 19 13:14:05 2020

    *nat
    :PREROUTING ACCEPT [24787:1359567]
    :INPUT ACCEPT [94:6140]
    :OUTPUT ACCEPT [98:7080]
    :POSTROUTING ACCEPT [98:7080]
    -A POSTROUTING -o eth1 -j MASQUERADE
    COMMIT

    Completed on Sun Jul 19 13:14:05 2020

    Generated by iptables-save v1.6.1 on Sun Jul 19 13:14:05 2020

    *filter
    :INPUT DROP [4:164]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [0:0]
    :ufw-after-forward - [0:0]
    :ufw-after-input - [0:0]
    :ufw-after-logging-forward - [0:0]
    :ufw-after-logging-input - [0:0]
    :ufw-after-logging-output - [0:0]
    :ufw-after-output - [0:0]
    :ufw-before-forward - [0:0]
    :ufw-before-input - [0:0]
    :ufw-before-logging-forward - [0:0]
    :ufw-before-logging-input - [0:0]
    :ufw-before-logging-output - [0:0]
    :ufw-before-output - [0:0]
    :ufw-logging-allow - [0:0]
    :ufw-logging-deny - [0:0]
    :ufw-not-local - [0:0]
    :ufw-reject-forward - [0:0]
    :ufw-reject-input - [0:0]
    :ufw-reject-output - [0:0]
    :ufw-skip-to-policy-forward - [0:0]
    :ufw-skip-to-policy-input - [0:0]
    :ufw-skip-to-policy-output - [0:0]
    :ufw-track-forward - [0:0]
    :ufw-track-input - [0:0]
    :ufw-track-output - [0:0]
    :ufw-user-forward - [0:0]
    :ufw-user-input - [0:0]
    :ufw-user-limit - [0:0]
    :ufw-user-limit-accept - [0:0]
    :ufw-user-logging-forward - [0:0]
    :ufw-user-logging-input - [0:0]
    :ufw-user-logging-output - [0:0]
    :ufw-user-output - [0:0]
    -A INPUT -j ufw-before-logging-input
    -A INPUT -j ufw-before-input
    -A INPUT -j ufw-after-input
    -A INPUT -j ufw-after-logging-input
    -A INPUT -j ufw-reject-input
    -A INPUT -j ufw-track-input
    -A FORWARD -j ufw-before-logging-forward
    -A FORWARD -j ufw-before-forward
    -A FORWARD -j ufw-after-forward
    -A FORWARD -j ufw-after-logging-forward
    -A FORWARD -j ufw-reject-forward
    -A FORWARD -j ufw-track-forward
    -A OUTPUT -j ufw-before-logging-output
    -A OUTPUT -j ufw-before-output
    -A OUTPUT -j ufw-after-output
    -A OUTPUT -j ufw-after-logging-output
    -A OUTPUT -j ufw-reject-output
    -A OUTPUT -j ufw-track-output
    -A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
    -A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
    -A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
    -A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
    -A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
    -A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
    -A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
    -A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
    -A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
    -A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
    -A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
    -A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
    -A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
    -A ufw-before-forward -j ufw-user-forward
    -A ufw-before-input -i lo -j ACCEPT
    -A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
    -A ufw-before-input -m conntrack --ctstate INVALID -j DROP
    -A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
    -A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
    -A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
    -A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
    -A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
    -A ufw-before-input -j ufw-not-local
    -A ufw-before-input -d x.x.x.x/32 -p udp -m udp --dport 5353 -j ACCEPT
    -A ufw-before-input -d x.x.x.x/32 -p udp -m udp --dport 1900 -j ACCEPT
    -A ufw-before-input -j ufw-user-input
    -A ufw-before-output -o lo -j ACCEPT
    -A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A ufw-before-output -j ufw-user-output
    -A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
    -A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
    -A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
    -A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
    -A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
    -A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
    -A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
    -A ufw-not-local -j DROP
    -A ufw-skip-to-policy-forward -j DROP
    -A ufw-skip-to-policy-input -j DROP
    -A ufw-skip-to-policy-output -j ACCEPT
    -A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
    -A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
    -A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
    -A ufw-user-input -p tcp -m tcp --dport 80 -j ACCEPT
    -A ufw-user-input -p tcp -m tcp --dport 443 -j ACCEPT
    -A ufw-user-input -p tcp -m tcp --dport 9650 -j ACCEPT
    -A ufw-user-input -p tcp -m tcp --dport 9651 -j ACCEPT
    -A ufw-user-input -p tcp -m tcp --dport 21001 -j ACCEPT
    -A ufw-user-input -p udp -m udp --dport 21001 -j ACCEPT
    -A ufw-user-input -p udp -m udp --dport 9650 -j ACCEPT
    -A ufw-user-input -p udp -m udp --dport 9651 -j ACCEPT
    -A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
    -A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
    -A ufw-user-limit-accept -j ACCEPT
    COMMIT`

  • tetechtetech Member
    edited July 2020

    I have no idea about your particular application, but if it is using NAT then ports should be added to the FORWARD chain and also to the PREROUTING chain of the nat table. The ports have instead been added to the INPUT chain, which means they are being accepted to the host, not forwarded to NAT'ed application.

  • thanks for the help

Sign In or Register to comment.