42 20 Dec 2022 at 21:53
L4D2: Cannot connect to server and it doesn't show up in Steam Group Servers
I run a Left 4 Dead 2 Dedicated Server on a Linux VPS (Ubuntu).
All good, the server is running correctly, and I can run commands like status and others.
The problem is I cannot connect to the server using the connect command. When I check the port status (I'm using 27020) using an online port checker such as https://www.yougetsignal.com/tools/open-ports/ it is open. The server doesn't show up in openserverbrowser either.

About the firewall: I'm using ufw and have already tried to allow all connections to port 27020.

command to start server:
./srcds_run -console -game left4dead2 +hostport 27020 +exec server.cfg +map c1m1_hotel

https://imgur.com/a/nYxuBBo
Last edited by 42; 20 Dec 2022 at 21:59
[N]ebsun 20 Dec 2022 at 23:56
Have you set the server IP? It might be binding to the local IP instead of globally or to the public IP - so set it explicitly to either 0.0.0.0 or to the static public IP

Also check outbound traffic is allowed
Last edited by [N]ebsun; 20 Dec 2022 at 23:58
42 21 Dec 2022 at 9:22
Originally posted by Nebsun:
Have you set the server IP? It might be binding to the local IP instead of globally or to the public IP - so set it explicitly to either 0.0.0.0 or to the static public IP

Also check outbound traffic is allowed

I already added outbound traffic to 27015:27030, then I tried to set the IP manually to 0.0.0.0; it doesn't work either. At last I changed it to my VPS's public IP, and I got some errors with NET_OpenSocket.

./srcds_run -console -game left4dead2 -ip [VPS' PUBLIC IP] +hostport 27020 +exec server.cfg +map c1m1_hotel


https://imgur.com/oAOJJmB
Last edited by 42; 21 Dec 2022 at 9:24
When the server is up, try "sudo ss -tulpn | grep 27020" and look what IP your server bound to. If that is the correct IP, look what the firewall does (either "sudo iptables -L INPUT" or "sudo nft list ruleset").
[N]ebsun 21 Dec 2022 at 22:52
Originally posted by mep:
I already add outbound traffic to 27015:27030
You need outbound traffic allowed TO any port - since the client could use any port. (Usually 27005 is set as the client port, but they can sometimes ignore that and use anything.)
42 22 Dec 2022 at 13:22
Originally posted by Metal_Warrior:
When the server is up, try "sudo ss -tulpn | grep 27020" and look what IP your server bound to. If that is the correct IP, look what the firewall does (either "sudo iptables -L INPUT" or "sudo nft list ruleset").

This is what I got: it is bound to 27015, and UDP is currently in the UNCONN state. By the way, I changed the port back to 27015.
https://imgur.com/a/0aEKCLF

Originally posted by Nebsun:
Originally posted by mep:
I already add outbound traffic to 27015:27030
You need outbound traffic allowed TO any port - since the client could use any port. (Usually 27005 is set as the client port, but they can sometimes ignore that and use anything.)

I'm sure I tried it too, but I don't know, maybe I'm doing it the wrong way; you must check it.
https://imgur.com/a/dqJYdPP

To list the open ports I'm using "nmap -p 27000-27100 [pub ip]"; as you can see, 27015/tcp is already open (27017 is for remote MongoDB - it works normally).

For some reason, I had the idea to connect to the port via a browser URL, just to check whether it's really working, and yeah, it works (it said it was banning the IP for rcon hacking attempts, so I assume it's working), but inside the game I still cannot connect. I'm dead confused lmao.

Logs : https://pastebin.com/jBxhA5jQ
OK now, so you have one port open, but L4D needs a couple. AFAIK TCP 27015 is for Steam to do its stuff, and then you need a port for the actual game, which by default should be TCP 27036. Then it seems like a couple of ports for UDP inbound need to be open too, namely UDP 27015 (Steam again), 27031-27036 (the game).
I don't host a L4D2 server myself, but can recommend not to change anything at first startup and just take a look at what "sudo ss -tulpn | grep srcds" shows, because I just blindly copied the ports from the first google result. When knowing what is needed, just open those ports for inbound traffic in the firewall. Outbound is not necessary, as the answer is an already known package, and UFW should let that pass anyway (it's a bit trickier when doing the stuff manually with the nft/iptables, but then you don't seem to be the firewall pro anyways ;) ).

Once all ports are properly reachable, your server should show up in the server browser and be ready to play with.
Originally posted by mep:
https://imgur.com/a/0aEKCLF

https://imgur.com/a/dqJYdPP
UFW looks mostly ok, inbound to the game port on 27015 udp and outbound.
For the rcon hacking ban, yes - looks like it connected successfully (make sure to unban your IP after that, or it will no longer respond at all to any request from your IP), that's normal.

Only thing I can think of is if there is anything blocking udp port 27015, or if for some reason only tcp is forwarded - else, some people have an issue using 0.0.0.0 so maybe try the actual public IP (though, since the rcon banned you, it should work fine). Some people have needed to set sv_lan 0.

These are some of the startup commands I use (not complete):
srcds_run -master -secure -high -threads 8 -console -nohltv -ip 0.0.0.0 -port 27015 -clientport 27005 +sv_lan 0


https://developer.valvesoftware.com/wiki/Source_Dedicated_Server
Only inbound on port 27015 udp is required for gameplay traffic (so if outbound is allowed, the only port on inbound is 27015 udp to get the game working).

27015 udp inbound for game traffic
27015 tcp inbound (or same as the game port) is for rcon
27005 udp outbound for game traffic to clients (though may change if the client uses a different one) Edit: This is a client port so not related to the host - it will be the port the client sends data to the server (udp: client 27005 >>> host 27015 by default)
26900 udp outbound for Steam servers I think


https://developer.valvesoftware.com/wiki/List_of_L4D2_Cvars
you should be able to use the actual rcon while in game through the developer console - set:
rcon_password RCON_PASSWORD
rcon_address SERVER_IP:SERVER_PORT

then issue "rcon status"
If you get a response, the server is reachable through tcp correctly
Last edited by [N]ebsun; 24 Dec 2022 at 0:31
Sadly I got to correct [N]ebsun: 27015 TCP/UDP is most likely not the only port necessary. I just took a look at my CS:S server, there the firewall rules are as follows:
# CS:S inbound
udp dport { 27005, 27015, 27020 } counter accept
tcp dport 27015 counter accept
(careful, this is nftables syntax - I get paid for that stuff)

So there's at least two other ports listening, and listening means outgoing traffic is only happening if something came in there first. Outgoing only ports are opened in the ephemeral range and that one starts somewhere at 49k. Also if you haven't configured your outgoing table to drop everything that is not explicitly allowed, you don't need extra rules for that.

Edit: Just because it might not be clear to everyone; just because you don't see active connections to UDP ports does not mean they're not used. In fact they don't show up in ss/netstat because there's no such thing as an active connection on UDP - the protocol is fire and forget, unlike TCP, which has handshake, fixed connections and teardowns afterwards.
I'm not exactly sure why I opened the other two ports too, it might have something to do with VAC and map download, but I could be wrong. Have to monitor that a bit, but I'm quite sure I didn't do it because I'm a nice guy (quite the contrary - BOFH all the way)

Edit 2: Googled a bit: 27020 is for sourceTV, the other for the browser query, that is the official list of servers in the client, according to this:
https://forums.alliedmods.net/showthread.php?t=296705
Last edited by Metal_Warrior; 23 Dec 2022 at 16:17
42 23 Dec 2022 at 19:45
Thanks for helping me, guys. For some reason I think maybe it's the VPS provider, not the firewall or a configuration error by me; I'm not that dumb, I'm just confused lmao. The main problem is that UDP is not connected, while TCP is all good. This happened even when I disabled the firewall (my VPS provider has an option to set all ports open in their web panel, so disabling the firewall means all ports are open), but they need to be contacted manually to allow ports (only for UDP). I know it's kinda weird, but okay, the problem is solved.
Last edited by 42; 23 Dec 2022 at 19:59
[N]ebsun 24 Dec 2022 at 0:48
Originally posted by Metal_Warrior:
Sadly I got to correct [N]ebsun: 27015 TCP/UDP is most likely not the only port necessary. I just took a look at my CS:S server, there the firewall rules are as follows:
# CS:S inbound
udp dport { 27005, 27015, 27020 } counter accept
tcp dport 27015 counter accept

Edit 2: Googled a bit: 27020 is for sourceTV, the other for the browser query, that is the official list of servers in the client, according to this:
https://forums.alliedmods.net/showthread.php?t=296705
The only inbound port required to get the game fully functional is udp 27015 for game traffic.
As per below..

UDP 27015 for gameplay traffic
Also used for map downloads, unless sv_downloadurl is set.

Browser query occurs to the same port the server is running on - udp 27015 by default. It is just a different software protocol query, but uses the same server port.
https://developer.valvesoftware.com/wiki/Server_queries
Queries should be sent in UDP packets to the listen port of the server.

TCP 27015 for RCON
https://developer.valvesoftware.com/wiki/Source_RCON_Protocol
By default, SRCDS listens for RCON connections on TCP port 27015. If the server's port number is changed using the -port option, the RCON port will change as well

27005 is the client port, unrelated to the server - it's the port that clients should be sending data from to the server - ie: udp: client 27005 out >>>> server 27015 in (though, not all clients obey this for whatever reason - eg: multiple clients on the same network will use a different port).
You don't need to open this inbound for the server to work, since it's a client side port.

UDP 27020 (default) for sourcetv, not really required unless you actually intend to setup and use sourcetv - but I would leave it disabled unless you have a specific reason to use it.

UDP 26900 for Steam (can be changed using -sport, used for VAC) It's outgoing, so no need to allow inbound traffic.

Just a note about the server queries - since they use the same port and protocol (udp) as the game traffic, the port needs to be open.... but this opens up the possibility of DoS / DDoS reflection / amplification attacks. I frequently detect many attempts of this - sometimes hundreds or more queries per second.
As a minimum, you should use the environment variables to enable a few non-default features which can help mitigate such vulnerabilities detailed here:
https://steamcommunity.com/discussions/forum/14/2974028351344359625/

A sample to use in your server run script - most important is the first one, which enables challenges to be required before a query is answered.
export STEAM_GAMESERVER_A2S_INFO_REQUIRE_CHALLENGE=1
export STEAM_GAMESERVER_RATE_LIMIT_200MS=20
export STEAM_GAMESERVER_PACKET_HANDLER_NO_IPC
Aside from this, you can use iptables to rate limit / restrict certain queries.

Also, unless you intend to use rcon frequently from undetermined IP / location, it is a good idea to not allow TCP traffic in from anywhere. If it is necessary, either whitelist a static IP that you will use, or setup firewall rules to rate limit / ban malicious TCP traffic.

You can monitor all traffic to check everything is working using tcpdump and/or pktstat
Useful are:
tcpdump udp and port 27015 -Q in -XX -nftv
pktstat -ntTPcB -w 2 -k 3600 "outbound and src port 27015"
pktstat -ntTPcB -w 2 -k 3600 "inbound and dst port 27015"
tcpdump udp and port 27015 -Q out -A -nftv
Last edited by [N]ebsun; 24 Dec 2022 at 2:32
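
The diagnosis reached in this thread (TCP open, UDP silently dropped upstream) and the challenge setting recommended above can both be checked with a single A2S_INFO query sent from outside the host. The following is an added example, not code from any poster or from Valve; the function names `probe` and `parse_reply` are hypothetical, the packet layout follows the Server queries wiki page linked above, and the fallback address is a documentation placeholder.

```python
import socket
import sys

HEADER = b"\xff\xff\xff\xff"                      # marks a single-packet message
A2S_INFO = HEADER + b"TSource Engine Query\x00"   # 25-byte info request

def parse_reply(data):
    """Classify one reply datagram as ('challenge', token), ('info', name) or ('other', raw)."""
    if len(data) < 5 or data[:4] != HEADER:
        return ("other", data)
    kind = data[4:5]
    if kind == b"A" and len(data) >= 9:   # S2C_CHALLENGE: 4-byte token follows
        return ("challenge", data[5:9])
    if kind == b"I" and len(data) >= 7:   # info reply: protocol byte, then server name
        return ("info", data[6:].split(b"\x00", 1)[0].decode("utf-8", "replace"))
    return ("other", data)

def probe(host, port=27015, timeout=3.0):
    """Query the game port over UDP; report reachability and challenge enforcement."""
    result = {"reachable": False, "challenge_required": False,
              "name": None, "first_reply_ratio": None}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        request = A2S_INFO
        for attempt in range(2):
            try:
                sock.sendto(request, (host, port))
                data, _ = sock.recvfrom(4096)
            except OSError:               # timeout or ICMP error: UDP is not getting through
                return result
            result["reachable"] = True
            if attempt == 0:              # bytes a spoofed victim would receive per byte sent
                result["first_reply_ratio"] = round(len(data) / len(request), 2)
            kind, value = parse_reply(data)
            if kind == "challenge":       # server wants the token echoed back
                result["challenge_required"] = True
                request = A2S_INFO + value
                continue
            if kind == "info":
                result["name"] = value
            break
    return result

if __name__ == "__main__":
    # 203.0.113.10 is a documentation placeholder; pass your server's public IP instead.
    target = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.10"
    print(probe(target, int(sys.argv[2]) if len(sys.argv) > 2 else 27015))
```

Run it from a machine outside the VPS network, since a local run bypasses the provider's filtering. A first-reply ratio below 1 together with `challenge_required` set means the query port hands a spoofed source nothing to amplify.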
Still having a similar issue myself...

Have all set up, server is up and running. TCPDump shows traffic coming and going on port 27015, but client fails after 10 retries. Aside from that, on my client machine I am running netcat and hitting port 27015, and I can see the traffic over udp to the system, with the correct return addresses. Listening on 0.0.0.0 - binding to lan IP is no different.

Have attempted to enable NAT even though I know better in this case as my routing table has literally the 2 entries on this subnet only. The traffic is definitely getting to the "server" but the server doesn't so much as budge on it.