I am getting data from a remote RTU (192.168.100.2) to my server through L2TP on peer IP 168.18.13.3, over the public IP defined on eth0. I configured eth1 with 168.18.13.1, and this is connected to an external managed switch with port 168.18.13.2, and from there it is forwarded to a different IP, 172.18.8.1. Data is not forwarded every time after a power cut/reboot. Sometimes it becomes OK after an RTU reboot, but this time it is not working.
My ipv4_forward status is 1.
iptables:
# Generated by iptables-save v1.4.21 on Fri Dec 6 21:53:15 2019
*nat
:PREROUTING ACCEPT [384542:25819083]
:INPUT ACCEPT [726:82530]
:OUTPUT ACCEPT [8421:508489]
:POSTROUTING ACCEPT [8421:508489]
-A PREROUTING -s 172.18.8.1/32 -d 168.18.13.3/32 -i eth1 -p tcp -m tcp --dport 2404 -j DNAT --to-destination 192.168.100.2:2404
-A PREROUTING -s 192.168.100.2/32 -i PPP+ -p tcp -m tcp --dport 2404 -j DNAT --to-destination 172.18.8.1-172.18.8.2:2404
-A OUTPUT -s 172.18.8.1/32 -d 168.18.13.3/32 -o PPP+ -p tcp -m tcp --dport 2404 -j DNAT --to-destination 192.168.100.2:2404
-A OUTPUT -s 192.168.100.2/32 -o eth1 -p tcp -m tcp --dport 2404 -j DNAT --to-destination 172.18.8.1-172.18.8.2:2404
-A PREROUTING -s 172.18.8.1/32 -d 168.18.13.12/32 -i eth1 -p tcp -m tcp --dport 2404 -j DNAT --to-destination 192.168.100.38:2404
-A PREROUTING -s 192.168.100.38/32 -i PPP+ -p tcp -m tcp --dport 2404 -j DNAT --to-destination 172.18.8.1-172.18.8.2:2404
-A OUTPUT -s 172.18.8.1/32 -d 168.18.13.12/32 -o PPP+ -p tcp -m tcp --dport 2404 -j DNAT --to-destination 192.168.100.38:2404
-A OUTPUT -s 192.168.100.38/32 -o eth1 -p tcp -m tcp --dport 2404 -j DNAT --to-destination 172.18.8.1-172.18.8.2:2404
COMMIT
# Completed on Fri Dec 6 21:53:15 2019
# Generated by iptables-save v1.4.21 on Fri Dec 6 21:53:15 2019
*mangle
:PREROUTING ACCEPT [411507:27753159]
:INPUT ACCEPT [27691:2016606]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [25315:2148519]
:POSTROUTING ACCEPT [25315:2148519]
COMMIT
# Completed on Fri Dec 6 21:53:15 2019
# Generated by iptables-save v1.4.21 on Fri Dec 6 21:53:15 2019
*filter
:INPUT ACCEPT [11945:847202]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [25315:2148519]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Fri Dec 6 21:53:15 2019
Iptables Forward accept [0:0], before working after power failure - it is not sending data
Re: Iptables Forward accept [0:0], before working after power failure - it is not sending data
Facing the same issue here too. Some help is appreciated.
sharafat wrote: ↑2019/12/07 01:43:38
Thanks in advance,
Regards,
Brian
Re: Iptables Forward accept [0:0], before working after power failure - it is not sending data
I don't know how L2TP behaves. I recall setting up ipip and ipsec tunnels last decade and I've used openvpn. Those have networks, routing between networks, and filtering of traffic.
I can't, from the OP's description, visualize what networks there are.
It is not clear which devices have power loss. Those reboot after power restore.
There are connections that are lost and have to re-establish.
The default in CentOS 7 is to configure netfilter via firewalld. OP has used iptables.service.
I don't say that firewalld would be better, easier, or even feasible here, but it could be more systematic.
A trivial thing to check is the counters. Which rules are matched?
Code:
sudo iptables -t nat -vnL
sudo iptables -t mangle -vnL
sudo iptables -t filter -vnL
Likewise, the logs of the L2TP could reveal something.
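As an added example (not code from this thread), a small Python script that reads the `iptables -vnL` output suggested above and reports the two things worth checking first: rules whose packet counter is still 0, and `-i`/`-o` interface patterns that cannot match any interface on the host (netfilter compares interface names byte-for-byte, so case matters, and a trailing `+` is a prefix wildcard). The sample output is constructed to mirror the nat table in the original post, and the interface list (`eth0`, `eth1`, `lo`, `ppp0`) is an assumption.

```python
import re

# Constructed sample of `iptables -t nat -vnL` output, shaped after the OP's nat table.
SAMPLE_NAT = """\
Chain PREROUTING (policy ACCEPT 384542 packets, 25819083 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  eth1   *       172.18.8.1           168.18.13.3          tcp dpt:2404 to:192.168.100.2:2404
    0     0 DNAT       tcp  --  PPP+   *       192.168.100.2        0.0.0.0/0            tcp dpt:2404 to:172.18.8.1-172.18.8.2:2404

Chain OUTPUT (policy ACCEPT 8421 packets, 508489 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      PPP+    172.18.8.1           168.18.13.3          tcp dpt:2404 to:192.168.100.2:2404
"""
# Assumed interface list (what `ls /sys/class/net` might show with one L2TP session up).
INTERFACES = ["eth0", "eth1", "lo", "ppp0"]

def to_int(counter):
    """Expand the K/M/G suffix that `iptables -v` adds to counters unless -x is given."""
    return int(counter[:-1]) * {"K": 10**3, "M": 10**6, "G": 10**9}[counter[-1]] if counter[-1] in "KMG" else int(counter)

def iface_matches(pattern, name):
    """Netfilter -i/-o semantics: '*' is any, trailing '+' is a prefix wildcard, case is significant."""
    if pattern == "*":
        return True
    if pattern.endswith("+"):
        return name.startswith(pattern[:-1])
    return name == pattern

def parse_vnl(text):
    """Return (chain, pkts, in_iface, out_iface, target) for each rule row of -vnL output."""
    rules, chain = [], None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+)", line)
        cols = line.split()
        if m:
            chain = m.group(1)
        elif len(cols) >= 7 and re.fullmatch(r"\d+[KMG]?", cols[0]):  # a rule row, not the header
            rules.append((chain, to_int(cols[0]), cols[5], cols[6], cols[2]))
    return rules

def audit(text, interfaces):
    """Flag rules that never matched, and -i/-o patterns that cannot match any interface."""
    findings = []
    for chain, pkts, iin, iout, target in parse_vnl(text):
        for flag, pat in (("-i", iin), ("-o", iout)):
            if not any(iface_matches(pat, n) for n in interfaces):
                findings.append(f"{chain} {target} {flag} {pat}: matches no interface on this host")
        if pkts == 0:
            findings.append(f"{chain} {target}: 0 packets matched since the counters were last reset")
    return findings

print("\n".join(audit(SAMPLE_NAT, INTERFACES)))
```

On a live box, feed it the real `iptables -t nat -vnL` output and the names from `/sys/class/net`; a DNAT rule that shows 0 packets while the chain's policy counter keeps climbing is a rule that traffic is bypassing.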