* Help with invalid packets.
@ 2012-03-19 15:39 Micheal Wolfskill
2012-03-19 15:58 ` Gáspár Lajos
2012-03-19 17:01 ` Maarten Vanraes
0 siblings, 2 replies; 3+ messages in thread
From: Micheal Wolfskill @ 2012-03-19 15:39 UTC (permalink / raw)
To: netfilter
I have this rule:
$IPT -A INPUT -i ${PUB_IF} -m state --state INVALID -j DROP
The problem is it's matching legitimate packets of visitors (including me) that navigate my site... as I can see in the logs.
It's not affecting the normal viewing of my site... but I wish to know
why it is matching these packets, as I am sure it should not.
Here is the log entry in syslogd:
Mar 16 15:29:36 kernel: Invalid IN =eth0 OUT=
MAC=00:16:3e:44:bf:02:00:11:92:8b:ff:c4:08:00 SRC=xxx.xxxx.xxxx.xxxxx DST=xxxx.xxxx.xxxx.xxxx LEN=40
TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=TCP SPT=6367 DPT=80 WINDOW=0 RES=0x00 RST URGP=0
Thanks
Mike
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: Help with invalid packets.
From: Gáspár Lajos @ 2012-03-19 15:58 UTC (permalink / raw)
To: Micheal Wolfskill; +Cc: netfilter
Hi,
On 202-03-19 16:39, Micheal Wolfskill wrote:
> It's not affecting the normal viewing of my site... but I wish to know
> why it is matching these packets, as I am sure it should not.
Don't be so sure! :D
AFAIK iptables/netfilter uses a different state machine than the TCP
stack in the kernel...
http://userpages.umbc.edu/~jeehye/cmsc491b/lectures/tcpstate/sld001.htm
http://www.lug.or.kr/docs/iptables-tutorial/chunkyhtml/c4219.htm
On this page:
http://www.lug.or.kr/docs/iptables-tutorial/chunkyhtml/x4436.htm
"If the connection is reset by a RST packet, the state is changed to
CLOSE. This means that the connection per default has 10 seconds before
the whole connection is definitely closed down. RST packets are not
acknowledged in any sense, and will break the connection directly."
Maybe that is the source of your problem. Or there may be some timing
issues (lifetime of a connection, etc.).
Swifty
* Re: Help with invalid packets.
From: Maarten Vanraes @ 2012-03-19 17:01 UTC (permalink / raw)
To: netfilter; +Cc: Micheal Wolfskill
These days, I often have this problem with L3 switches.
The problem is asynchronous routing, because the L3 switch decides to route my
packet directly to the endbox, bypassing the firewall. This happens with
clients who don't use VLANs on the firewall, but use IP aliasing directly.
Regards,
On Monday 19 March 2012 16:39:37, Micheal Wolfskill wrote:
> I have this rule:
>
> $IPT -A INPUT -i ${PUB_IF} -m state --state INVALID -j DROP
>
> The problem is it's matching legitimate packets of visitors (including me)
> that navigate my site... as I can see in the logs.
>
>
> It's not affecting the normal viewing of my site... but I wish to know
> why it is matching these packets, as I am sure it should not.
>
> Here is the log entry in syslogd:
>
>
> Mar 16 15:29:36 kernel: Invalid IN =eth0 OUT=
> MAC=00:16:3e:44:bf:02:00:11:92:8b:ff:c4:08:00 SRC=xxx.xxxx.xxxx.xxxxx
> DST=xxxx.xxxx.xxxx.xxxx LEN=40 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=TCP
> SPT=6367 DPT=80 WINDOW=0 RES=0x00 RST URGP=0
>
> Thanks
>
> Mike
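As an added example (my own code, not anything posted by Mike, Gáspár or Maarten), here is a small Python triage script for LOG-target lines like the one quoted in this thread. It parses the KEY=VALUE fields and the bare flag tokens, tolerates the "IN =eth0" spacing from the quoted entry, and sorts INVALID drops into three buckets: the bare RST that conntrack can no longer tie to a connection (the case Gáspár's quoted tutorial text describes), the ACK-only packet with no tracked state (the pattern an asymmetric path like the one Maarten describes produces), and SYNs that normally should not be INVALID at all. The sample log lines are constructed: the first mirrors Mike's entry with RFC 5737 documentation addresses in place of his masked ones, the others are invented for contrast, and the category names are my own.

```python
import re
from collections import Counter
from typing import Optional

# Constructed sample input (not from the thread): the first line mirrors the
# syslog entry quoted in the thread, with RFC 5737 documentation addresses
# substituted for the masked ones; the other lines are invented for contrast.
SAMPLE_LOG = """\
Mar 16 15:29:36 kernel: Invalid IN =eth0 OUT= MAC=00:16:3e:44:bf:02:00:11:92:8b:ff:c4:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=TCP SPT=6367 DPT=80 WINDOW=0 RES=0x00 RST URGP=0
Mar 16 15:30:02 kernel: Invalid IN=eth0 OUT= MAC=00:16:3e:44:bf:02:00:11:92:8b:ff:c4:08:00 SRC=192.0.2.77 DST=198.51.100.5 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=4242 DF PROTO=TCP SPT=44102 DPT=80 WINDOW=229 RES=0x00 ACK PSH URGP=0
Mar 16 15:30:15 kernel: Invalid IN=eth0 OUT= MAC=00:16:3e:44:bf:02:00:11:92:8b:ff:c4:08:00 SRC=192.0.2.90 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=12 DF PROTO=TCP SPT=51000 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 16 15:30:20 sshd[2231]: Accepted publickey for mike from 192.0.2.3 port 50122 ssh2
"""

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}
INT_FIELDS = ("LEN", "TTL", "SPT", "DPT", "WINDOW", "ID")


def parse_log_line(line: str) -> Optional[dict]:
    """Parse one netfilter LOG-target line into a dict of fields.

    KEY=VALUE tokens become entries (OUT= yields an empty string); bare tokens
    are flags, split into 'tcp_flags' (SYN/ACK/RST/...) and 'ip_flags' (DF, ...).
    Returns None for lines that are not netfilter log entries.
    """
    m = re.search(r"kernel:\s*(?P<prefix>.*?)\s*(?=IN\s*=)", line)
    if not m:
        return None
    # Tolerate the "IN =eth0" spacing seen in the quoted entry.
    body = re.sub(r"\s+=", "=", line[m.end():])
    fields = {"prefix": m.group("prefix")}
    flags = set()
    for tok in body.split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            fields[key] = int(val) if key in INT_FIELDS and val.isdigit() else val
        else:
            flags.add(tok)
    fields["tcp_flags"] = flags & TCP_FLAGS
    fields["ip_flags"] = flags - TCP_FLAGS
    return fields


def classify_invalid(fields: dict) -> str:
    """Triage an INVALID-state drop from the TCP flags the LOG target printed."""
    if fields.get("PROTO") != "TCP":
        return "non_tcp"
    f = fields["tcp_flags"]
    if "RST" in f and "ACK" not in f:
        # A bare RST carries no SYN or ACK, so conntrack has nothing to tie it
        # to once the connection entry is gone (e.g. expired after CLOSE): the
        # benign late-RST case discussed in the thread.
        return "stray_rst"
    if "SYN" in f and "ACK" not in f:
        # A fresh SYN normally opens a new entry; one flagged INVALID deserves
        # a closer look (checksum failure or a clash with an existing entry).
        return "unexpected_syn"
    if "ACK" in f and not f & {"SYN", "RST"}:
        # Plain data/ACK with no matching entry: what you get when the firewall
        # never saw the handshake, e.g. an asymmetric path around it.
        return "ack_without_state"
    return "other"


def triage(log_text: str, prefix: str = "Invalid") -> Counter:
    """Count INVALID-drop categories over a block of syslog text."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_log_line(line)
        if fields and fields["prefix"] == prefix:
            counts[classify_invalid(fields)] += 1
    return counts


if __name__ == "__main__":
    for category, n in triage(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {category}")
```

Run as a script it prints one count per category for the constructed sample; against a real syslog, pass the file's contents to triage() and set prefix to whatever your --log-prefix is. A large stray_rst count is the harmless case this thread is about, while a growing ack_without_state count is the cue to check whether some path is bypassing the firewall, as Maarten describes.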