I have iptables rules that allows people to connect to Windows VPN.
iptables -L -n -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1723 to:10.1.1.10:1723
DNAT 47 -- 0.0.0.0/0 0.0.0.0/0 to:10.1.1.10
DNAT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1701 to:10.1.1.10:1701
DNAT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:500 to:10.1.1.10:500
DNAT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:4500 to:10.1.1.10:4500
DNAT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:50 to:10.1.1.10:50
DNAT esp -- 0.0.0.0/0 0.0.0.0/0 esp spi:0 to:10.1.1.10
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 to:10.1.1.10:443
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1723 ctstate NEW,ESTABLISHED
ACCEPT 47 -- 0.0.0.0/0 0.0.0.0/0
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1701 ctstate NEW,ESTABLISHED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:500 ctstate NEW,ESTABLISHED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:4500 ctstate NEW,ESTABLISHED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:50 ctstate NEW,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 ctstate NEW,ESTABLISHED
ACCEPT esp -- 0.0.0.0/0 0.0.0.0/0
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:22 ctstate ESTABLISHED
Chain fail2ban-proftpd (0 references)
target prot opt source destination
Chain fail2ban-ssh (0 references)
target prot opt source destination
Everything works good for couple of hours, and then no new connections are accepted, but existing ones work. I need to reboot server to get everything working fully again. Iptables are setup on Debian server. Can somebody tell me where to start debugging and how to resolve problem?
dmesg | tail -30
[ 8.354954] [drm] Cursor bypass.
[ 8.354955] [drm] Cursor bypass 2.
[ 8.354955] [drm] 8bit emulation.
[ 8.354956] [drm] Alpha cursor.
[ 8.354956] [drm] Extended Fifo.
[ 8.354957] [drm] Multimon.
[ 8.354957] [drm] Pitchlock.
[ 8.354958] [drm] Irq mask.
[ 8.354958] [drm] Display Topology.
[ 8.354959] [drm] GMR.
[ 8.354960] [drm] Maximum display memory size is 4096 kiB
[ 8.354960] [drm] VRAM at 0xd4000000 size is 4096 kiB
[ 8.354961] [drm] MMIO at 0xd8000000 size is 256 kiB
[ 8.354962] [drm] global init.
[ 8.354997] [TTM] Zone kernel: Available graphics memory: 512216 kiB
[ 8.354998] [TTM] Initializing pool allocator
[ 8.355001] [TTM] Initializing DMA pool allocator
[ 8.355448] [drm] Not using screen objects, missing cap SCREEN_OBJECT_2
[ 8.355451] [drm] Supports vblank timestamp caching Rev 2 (21.10.2013).
[ 8.355451] [drm] No driver support for vblank timestamp query.
[ 8.356133] [drm] width 640
[ 8.356146] [drm] height 480
[ 8.356158] [drm] bpp 32
[ 8.363107] [drm] Fifo max 0x00040000 min 0x00001000 cap 0x0000007f
[ 8.365721] fbcon: svgadrmfb (fb0) is primary device
[ 8.367679] Console: switching to colour frame buffer device 100x37
[ 8.368706] [drm] Initialized vmwgfx 2.6.0 20140325 for 0000:00:0f.0 on minor 0
[ 8.434442] Adding 265212k swap on /dev/sda5. Priority:-1 extents:1 across:265212k FS
[ 8.782457] alg: No test for crc32 (crc32-pclmul)
[ 8.841978] EXT4-fs (sda1): re-mounted. Opts: errors=remount-ro
[ 8.849744] systemd-journald[142]: Received request to flush runtime journal from PID 1
[ 9.638136] IPv6: ADDRCONF(NETDEV_UP): eth1: link is not ready
[ 9.638733] e1000: eth1 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: None
[ 9.641100] IPv6: ADDRCONF(NETDEV_CHANGE): eth1: link becomes ready
[ 9.670778] e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: None
[ 10.590896] RPC: Registered named UNIX socket transport module.
[ 10.590898] RPC: Registered udp transport module.
[ 10.590899] RPC: Registered tcp transport module.
[ 10.590900] RPC: Registered tcp NFSv4.1 backchannel transport module.
[ 10.634982] FS-Cache: Loaded
[ 10.687623] FS-Cache: Netfs 'nfs' registered for caching
[ 10.782744] Installing knfsd (copyright (C) 1996 okir@monad.swb.de).
[ 11.907738] ip_tables: (C) 2000-2006 Netfilter Core Team
[ 12.085792] nf_conntrack version 0.5.0 (8003 buckets, 32012 max)
[ 13.005021] gre: GRE over IPv4 demultiplexor driver
[ 13.016066] ip_gre: GRE over IPv4 tunneling driver
[ 13.103095] nf_conntrack: automatic helper assignment is deprecated and it will be removed soon. Use the iptables CT target to attach helpers instead.
ifconfig
eth0 Link encap:Ethernet HWaddr 00:50:56:a8:00:28
inet addr:xx.xxx.xx.xx Bcast:xx.xxx.xx.xx Mask:255.255.255.0
inet6 addr: fe80::250:56ff:fea8:28/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:286756 errors:0 dropped:13 overruns:0 frame:0
TX packets:24235 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:19840413 (18.9 MiB) TX bytes:6076344 (5.7 MiB)
eth1 Link encap:Ethernet HWaddr 00:0c:29:46:a5:32
inet addr:10.1.1.3 Bcast:10.1.1.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe46:a532/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:295914 errors:0 dropped:38 overruns:0 frame:0
TX packets:22497 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:23003025 (21.9 MiB) TX bytes:3966411 (3.7 MiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Nothing except boot messages in /var/log/syslog and /var/log/messages
User contributions licensed under CC BY-SA 3.0