Linux Netfilter discussions
From: Vladislav Kurz <vladislav.kurz@webstep.net>
To: netfilter@vger.kernel.org
Cc: Dimitri GOURDON <dgourdon@itool.com>
Subject: Re: Iptables find invalid packets
Date: Mon, 21 Jul 2008 17:11:20 +0200
Message-ID: <200807211711.20463.vladislav.kurz@webstep.net>
In-Reply-To: <4884A414.10408@itool.com>

On Monday 21 of July 2008, Dimitri GOURDON wrote:
> Vladislav Kurz wrote:
> > On Monday 21 of July 2008, you wrote:
> >> Vladislav Kurz wrote:
> >>> On Monday 21 of July 2008, Dimitri GOURDON wrote:
> >>>> Hi all,
> >>>>
> >>>> I've setup LVS on a box using Keepalived (and Iptables) to load
> >>>> balance traffic between 2 web servers. I have a problem :
> >>>>
> >>>> A lot of TCP packets with FIN or RST flags (all I think) from clients
> >>>> are dropped by Iptables as state INVALID. The consequence is that I
> >>>> have a lot of connection in FIN_WAIT state (shown by netstat) on the 2
> >>>> web servers...
> >>>
> >>> I have a similar problem, and asked about it here. I was told to try a
> >>> newer kernel (I run Debian stable - 2.6.18). However I didn't upgrade
> >>> yet, but if you run the same kernel as I do and an upgrade would help you,
> >>> I'd like to hear about that.
> >>
> >> I run the 2.6.18-4-bigmem kernel. I've spent just a little time testing a more
> >> recent one, but I stopped because I encountered problems with some iptables
> >> rules...
> >
> > A temporary workaround is to only LOG invalid packets instead of DROP. The
> > system then becomes quite usable. Anyway, try a newer kernel if you can,
> > or describe in more detail what problems you had with which rules.
>
> Here are my rules :
>
> $IPTABLES is iptables bin file
> $EXT is external interface
> $IP_V1 is the virtual IP clients reach
>
>
> $IPTABLES -N LOG_INVALID
> $IPTABLES -A LOG_INVALID -j LOG --log-prefix '[iptables_invalid] : '
> $IPTABLES -A LOG_INVALID -j DROP
>
> $IPTABLES -A INPUT -i $EXT -p TCP --dport 443 -d $IP_V1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A INPUT -i $EXT -p TCP --dport 443 -d $IP_V1 -m state --state INVALID -j LOG_INVALID
>
> I don't want to accept invalid packets because they are supposed to be
> invalid... All (I think) FIN and RST flagged packets from clients are
> dropped.

I was told that 2.6.18 has a bug in conntrack which causes valid packets to 
be marked as invalid. So you probably want to accept some of those invalid 
packets. Anyway, try this setting; it may lower the number of invalid packets:

echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal

However, in my case even after this I still see a lot of invalid packets.


-- 
Regards
        Vladislav Kurz
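Before loosening the INVALID rule (or flipping ip_conntrack_tcp_be_liberal), it helps to know what the dropped packets actually are. The script below is an added example, not code from the thread: it triages the `[iptables_invalid] : ` LOG lines that the LOG_INVALID chain above produces and reports which TCP flag combinations dominate, plus the share that are FIN/RST teardown packets (the ones the thread says are being misclassified). The log lines embedded in it are constructed samples in the kernel LOG target's format; the hostname, addresses and the sshd line are made up. The sysctl paths are the 2.6.18 one from the reply and the newer nf_conntrack name.

```shell
#!/bin/sh
# Added example: triage '[iptables_invalid] : ' LOG lines produced by the
# LOG_INVALID chain from the thread. Sample lines below are CONSTRUCTED.

SAMPLE_LOG='Jul 21 15:10:01 lvs kernel: [iptables_invalid] : IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=0 RES=0x00 RST URGP=0
Jul 21 15:10:02 lvs kernel: [iptables_invalid] : IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.11 DST=198.51.100.5 LEN=52 TOS=0x00 PREC=0x00 TTL=118 ID=4242 DF PROTO=TCP SPT=49152 DPT=443 WINDOW=254 RES=0x00 ACK FIN URGP=0
Jul 21 15:10:02 lvs kernel: [iptables_invalid] : IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.12 DST=198.51.100.5 LEN=52 TOS=0x00 PREC=0x00 TTL=57 ID=9 DF PROTO=TCP SPT=60001 DPT=443 WINDOW=229 RES=0x00 ACK FIN URGP=0
Jul 21 15:10:03 lvs kernel: [iptables_invalid] : IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.13 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=TCP SPT=1025 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
Jul 21 15:10:05 lvs sshd[1234]: Accepted publickey for admin from 203.0.113.99'

# Keep only the INVALID-drop lines for TCP (the rule only matches -p TCP).
invalid_tcp_lines() {
  grep -F '[iptables_invalid]' | grep -F 'PROTO=TCP'
}

# Extract the flag field the LOG target prints between RES=0x.. and URGP=,
# e.g. "RST" or "ACK FIN". Lines with no flag set at all are skipped.
flag_field() {
  invalid_tcp_lines | sed -n 's/.*RES=0x[0-9A-Fa-f]* \(.*\) URGP=.*/\1/p'
}

# Count invalid TCP packets per flag combination, most common first.
flag_breakdown() {
  flag_field | sort | uniq -c | sort -rn
}

# Total number of invalid TCP packets in the input.
count_invalid_tcp() {
  invalid_tcp_lines | wc -l | tr -d ' '
}

# Invalid TCP packets whose flags include FIN or RST (connection teardown).
count_teardown() {
  n=$(flag_field | grep -E -c '(^| )(FIN|RST)( |$)') || true
  echo "${n:-0}"
}

# Percentage of invalid TCP packets that are FIN/RST teardown packets.
# A high share matches the symptom in the thread (FIN_WAIT pile-up on the
# real servers); a low share means something else is being dropped.
teardown_share() {
  data=$(cat)
  t=$(printf '%s\n' "$data" | count_teardown)
  a=$(printf '%s\n' "$data" | count_invalid_tcp)
  if [ "$a" -gt 0 ]; then
    echo $((100 * t / a))
  else
    echo 0
  fi
}

# Current value of the be_liberal toggle (2.6.18 path from the reply first,
# then the newer nf_conntrack path); "unavailable" if neither is readable.
be_liberal_status() {
  for f in /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal \
           /proc/sys/net/netfilter/nf_conntrack_tcp_be_liberal; do
    if [ -r "$f" ]; then
      cat "$f"
      return 0
    fi
  done
  echo "unavailable"
}

# Demo on the constructed sample. For a real box, replace SAMPLE_LOG with
# e.g. $(grep -F '[iptables_invalid]' /var/log/kern.log).
printf '%s\n' "$SAMPLE_LOG" | flag_breakdown
echo "invalid TCP packets: $(printf '%s\n' "$SAMPLE_LOG" | count_invalid_tcp)"
echo "FIN/RST share: $(printf '%s\n' "$SAMPLE_LOG" | teardown_share)%"
echo "tcp_be_liberal: $(be_liberal_status)"
```

Feed it a real kernel log and compare the FIN/RST share before and after setting be_liberal; if the share stays high after the toggle, the remaining drops are the conntrack behaviour the kernel upgrade is meant to fix, and only then is a narrowly scoped ACCEPT for FIN/RST on port 443 worth weighing against leaving them logged.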


Thread overview: 10+ messages
2008-07-21 12:20 Iptables find invalid packets Dimitri GOURDON
2008-07-21 12:58 ` Bernhard Bock
2008-07-21 13:23   ` Dimitri GOURDON
     [not found]   ` <48849E47.30901@itool.com>
2008-07-21 14:39     ` Bernhard Bock
2008-07-21 15:01       ` Dimitri GOURDON
2008-07-21 15:44       ` Dimitri GOURDON
2008-07-21 16:02         ` Bernhard Bock
2008-07-21 13:06 ` Vladislav Kurz
     [not found]   ` <48849F8F.70103@itool.com>
2008-07-21 14:49     ` Vladislav Kurz
     [not found]       ` <4884A414.10408@itool.com>
2008-07-21 15:11         ` Vladislav Kurz [this message]
