iptables redirect stops working after some time


I have iptables rules that allow people to connect to a Windows VPN.

iptables -L -n -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:1723 to:10.1.1.10:1723
DNAT       47   --  0.0.0.0/0            0.0.0.0/0            to:10.1.1.10
DNAT       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:1701 to:10.1.1.10:1701
DNAT       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:500 to:10.1.1.10:500
DNAT       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:4500 to:10.1.1.10:4500
DNAT       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:50 to:10.1.1.10:50
DNAT       esp  --  0.0.0.0/0            0.0.0.0/0            esp spi:0 to:10.1.1.10
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:10.1.1.10:443

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0           

iptables -L -n
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DROP       all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:1723 ctstate NEW,ESTABLISHED
ACCEPT     47   --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:1701 ctstate NEW,ESTABLISHED
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:500 ctstate NEW,ESTABLISHED
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:4500 ctstate NEW,ESTABLISHED
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:50 ctstate NEW,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443 ctstate NEW,ESTABLISHED
ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0           
LOG        all  --  0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:22 ctstate ESTABLISHED

Chain fail2ban-proftpd (0 references)
target     prot opt source               destination         

Chain fail2ban-ssh (0 references)
target     prot opt source               destination

Everything works well for a couple of hours, and then no new connections are accepted, but existing ones keep working. I need to reboot the server to get everything fully working again. iptables is set up on a Debian server. Can somebody tell me where to start debugging and how to resolve the problem?

dmesg | tail -30
[    8.354954] [drm]   Cursor bypass.
[    8.354955] [drm]   Cursor bypass 2.
[    8.354955] [drm]   8bit emulation.
[    8.354956] [drm]   Alpha cursor.
[    8.354956] [drm]   Extended Fifo.
[    8.354957] [drm]   Multimon.
[    8.354957] [drm]   Pitchlock.
[    8.354958] [drm]   Irq mask.
[    8.354958] [drm]   Display Topology.
[    8.354959] [drm]   GMR.
[    8.354960] [drm] Maximum display memory size is 4096 kiB
[    8.354960] [drm] VRAM at 0xd4000000 size is 4096 kiB
[    8.354961] [drm] MMIO at 0xd8000000 size is 256 kiB
[    8.354962] [drm] global init.
[    8.354997] [TTM] Zone  kernel: Available graphics memory: 512216 kiB
[    8.354998] [TTM] Initializing pool allocator
[    8.355001] [TTM] Initializing DMA pool allocator
[    8.355448] [drm] Not using screen objects, missing cap SCREEN_OBJECT_2
[    8.355451] [drm] Supports vblank timestamp caching Rev 2 (21.10.2013).
[    8.355451] [drm] No driver support for vblank timestamp query.
[    8.356133] [drm] width 640
[    8.356146] [drm] height 480
[    8.356158] [drm] bpp 32
[    8.363107] [drm] Fifo max 0x00040000 min 0x00001000 cap 0x0000007f
[    8.365721] fbcon: svgadrmfb (fb0) is primary device
[    8.367679] Console: switching to colour frame buffer device 100x37
[    8.368706] [drm] Initialized vmwgfx 2.6.0 20140325 for 0000:00:0f.0 on minor 0
[    8.434442] Adding 265212k swap on /dev/sda5.  Priority:-1 extents:1 across:265212k FS
[    8.782457] alg: No test for crc32 (crc32-pclmul)
[    8.841978] EXT4-fs (sda1): re-mounted. Opts: errors=remount-ro
[    8.849744] systemd-journald[142]: Received request to flush runtime journal from PID 1
[    9.638136] IPv6: ADDRCONF(NETDEV_UP): eth1: link is not ready
[    9.638733] e1000: eth1 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: None
[    9.641100] IPv6: ADDRCONF(NETDEV_CHANGE): eth1: link becomes ready
[    9.670778] e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: None
[   10.590896] RPC: Registered named UNIX socket transport module.
[   10.590898] RPC: Registered udp transport module.
[   10.590899] RPC: Registered tcp transport module.
[   10.590900] RPC: Registered tcp NFSv4.1 backchannel transport module.
[   10.634982] FS-Cache: Loaded
[   10.687623] FS-Cache: Netfs 'nfs' registered for caching
[   10.782744] Installing knfsd (copyright (C) 1996 okir@monad.swb.de).
[   11.907738] ip_tables: (C) 2000-2006 Netfilter Core Team
[   12.085792] nf_conntrack version 0.5.0 (8003 buckets, 32012 max)
[   13.005021] gre: GRE over IPv4 demultiplexor driver
[   13.016066] ip_gre: GRE over IPv4 tunneling driver
[   13.103095] nf_conntrack: automatic helper assignment is deprecated and it will be removed soon. Use the iptables CT target to attach helpers instead.

ifconfig
eth0      Link encap:Ethernet  HWaddr 00:50:56:a8:00:28  
          inet addr:xx.xxx.xx.xx  Bcast:xx.xxx.xx.xx  Mask:255.255.255.0
          inet6 addr: fe80::250:56ff:fea8:28/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:286756 errors:0 dropped:13 overruns:0 frame:0
          TX packets:24235 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:19840413 (18.9 MiB)  TX bytes:6076344 (5.7 MiB)

eth1      Link encap:Ethernet  HWaddr 00:0c:29:46:a5:32  
          inet addr:10.1.1.3  Bcast:10.1.1.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe46:a532/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:295914 errors:0 dropped:38 overruns:0 frame:0
          TX packets:22497 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:23003025 (21.9 MiB)  TX bytes:3966411 (3.7 MiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

There is nothing except boot messages in /var/log/syslog and /var/log/messages.

debian
iptables
asked on Server Fault Oct 14, 2019 by Krzysztof Janiszewski • edited Oct 14, 2019 by Krzysztof Janiszewski
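The question asks where to start debugging. The symptom signature (new connections fail, established flows keep working, a reboot clears it) is what a full connection-tracking table produces: the kernel drops any packet that would need a new conntrack entry while existing entries keep flowing, and the dmesg output above shows a limit of 32012 entries. The script below is an added example, not part of the original post: a POSIX shell checklist that measures the conntrack fill level against that limit, counts the kernel's own table-full messages, lists which remote addresses hold the most flows, and prints the DNAT rule hit counters so you can see whether a failing client's packets reach PREROUTING at all. The sysctl paths and iptables options it reads are the standard ones; the conntrack lines in SAMPLE_CONNTRACK are constructed for the demo mode.

```shell
#!/bin/sh
# Added example (not from the original post): first-pass checks for
# "DNAT works for hours, then only new connections fail".
# Usage:  sh vpn-nat-check.sh live   (read the running kernel, run as root)
#         sh vpn-nat-check.sh demo   (run the same parsers on constructed data)

# Percentage of the conntrack table in use.
# $1 = file holding the current count, $2 = file holding the maximum;
# the defaults are the real sysctl paths under /proc.
conntrack_usage_pct() {
    count_file="${1:-/proc/sys/net/netfilter/nf_conntrack_count}"
    max_file="${2:-/proc/sys/net/netfilter/nf_conntrack_max}"
    count=$(cat "$count_file") || return 1
    max=$(cat "$max_file") || return 1
    [ "$max" -gt 0 ] || return 1
    echo $(( count * 100 / max ))
}

# Number of "table full" drop messages in the kernel log read from stdin.
# A reboot empties the ring buffer, which is why they can be missed later.
conntrack_table_full_events() {
    grep -c 'nf_conntrack: table full, dropping packet' || true
}

# Remote addresses holding the most flows, from a conntrack listing on stdin
# (format of /proc/net/nf_conntrack or `conntrack -L`). Only the first src=
# field per line is counted: that is the original direction of the flow.
# $1 = how many addresses to print (default 5).
top_conntrack_sources() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^src=/) { print $i; break } }' \
        | sort | uniq -c | sort -rn | head -n "${1:-5}"
}

# Constructed sample, three flows from two peers, for the demo mode.
SAMPLE_CONNTRACK='ipv4 2 tcp 6 431999 ESTABLISHED src=203.0.113.5 dst=192.0.2.1 sport=50000 dport=1723 src=10.1.1.10 dst=203.0.113.5 sport=1723 dport=50000
ipv4 2 tcp 6 431999 ESTABLISHED src=203.0.113.5 dst=192.0.2.1 sport=50001 dport=443 src=10.1.1.10 dst=203.0.113.5 sport=443 dport=50001
ipv4 2 udp 17 29 src=198.51.100.9 dst=192.0.2.1 sport=500 dport=500 src=10.1.1.10 dst=198.51.100.9 sport=500 dport=500'

live_check() {
    max=$(cat /proc/sys/net/netfilter/nf_conntrack_max 2>/dev/null || echo 0)
    echo "conntrack usage: $(conntrack_usage_pct)% of $max entries"
    echo "table-full drops in dmesg: $(dmesg 2>/dev/null | conntrack_table_full_events)"
    # Established TCP flows stay in the table this many seconds by default;
    # with a ceiling of ~32000 entries a few thousand long-lived peers fill it.
    echo "tcp established timeout: $(cat /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established 2>/dev/null)"
    echo "peers holding the most flows:"
    if command -v conntrack >/dev/null 2>&1; then
        conntrack -L 2>/dev/null | top_conntrack_sources 5
    elif [ -r /proc/net/nf_conntrack ]; then
        top_conntrack_sources 5 < /proc/net/nf_conntrack
    fi
    # Run this, make one new VPN attempt from outside, run it again: if the
    # DNAT counter for that port does not move, the packet never reached nat
    # PREROUTING and the problem is upstream of these rules.
    echo "nat PREROUTING hit counters:"
    iptables -t nat -L PREROUTING -v -n -x 2>/dev/null || true
}

case "${1:-}" in
    live) live_check ;;
    demo)
        echo "sample table-full count: $(printf '[1.0] nf_conntrack: table full, dropping packet\n' | conntrack_table_full_events)"
        echo "sample top peers:"
        printf '%s\n' "$SAMPLE_CONNTRACK" | top_conntrack_sources 2
        ;;
esac
```

If usage is near 100% when the failure is present, raising net.netfilter.nf_conntrack_max and lowering net.netfilter.nf_conntrack_tcp_timeout_established are the usual remedies, but check first which peer owns the flows so you are not just sizing the table around a single misbehaving client.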

0 Answers

Nobody has answered this question yet.


User contributions licensed under CC BY-SA 3.0