* iptables drops _some_ valid packets
@ 2006-09-19 13:52 Daniel 
  2006-09-19 16:31 ` Pascal Hambourg
  0 siblings, 1 reply; 3+ messages in thread
From: Daniel  @ 2006-09-19 13:52 UTC (permalink / raw)
  To: netfilter

Hi all,
I'm running a small network behind a firewall running iptables 1.3.5 doing NAT.
The firewall has two NICs, eth0 for the LAN and eth1 to an ADSL modem.

I'm having problems with iptables dropping some packets that belong to
an established/valid connection. I think this only occurs with
http/https traffic. For example, if I have a client on the LAN browsing
somesite.com, the connection gets tracked and iptables allows packets
coming and going but, and here is my problem, it will drop *some*
packets coming from somesite.com. Hence my logs get filled with these
packets that should have gone through.
As you might imagine, this is rather annoying, even more so when I
haven't been able to find a solution browsing Google for countless
hours. Please, if this post lacks information, let me know and I'll post
whatever you need.

Thank you,

Daniel.



* Re: iptables drops _some_ valid packets
  2006-09-19 13:52 iptables drops _some_ valid packets Daniel 
@ 2006-09-19 16:31 ` Pascal Hambourg
  2006-09-19 17:16   ` Daniel 
  0 siblings, 1 reply; 3+ messages in thread
From: Pascal Hambourg @ 2006-09-19 16:31 UTC (permalink / raw)
  To: netfilter

Hello,

Daniel wrote:
> 
> I'm having problems with iptables dropping some packets that belong to
> an established/valid connection.

If the kernel is >= 2.6.9 or includes the patch "tcp-window-tracking" 
from the Netfilter patch-o-matic-ng, try to set the kernel parameter 
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal to 1.
See 
http://www.netfilter.org/projects/patch-o-matic/pom-submitted.html#pom-submitted-tcp-window-tracking



* Re: iptables drops _some_ valid packets
  2006-09-19 16:31 ` Pascal Hambourg
@ 2006-09-19 17:16   ` Daniel 
  0 siblings, 0 replies; 3+ messages in thread
From: Daniel  @ 2006-09-19 17:16 UTC (permalink / raw)
  To: netfilter

Hello,
Setting /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal to 1
did not solve the issue.

Thanks

On 9/19/06, Pascal Hambourg <pascal.mail@plouf.fr.eu.org> wrote:
> Hello,
>
> Daniel wrote:
> >
> > I'm having problems with iptables dropping some packets that belong to
> > an established/valid connection.
>
> If the kernel is >= 2.6.9 or includes the patch "tcp-window-tracking"
> from the Netfilter patch-o-matic-ng, try to set the kernel parameter
> /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal to 1.
> See
> http://www.netfilter.org/projects/patch-o-matic/pom-submitted.html#pom-submitted-tcp-window-tracking
>
>

