From: Pascal Hambourg <pascal@plouf.fr.eu.org>
To: alleninmt@gmail.com
Cc: netfilter <netfilter@vger.kernel.org>
Subject: Re: 'Invalid packet' problem since upgrading
Date: Sat, 29 Jun 2013 13:55:11 +0200
Message-ID: <51CECB1F.2050609@plouf.fr.eu.org>
In-Reply-To: <51BF10F2.2040808@gmail.com>
Hello,
Allen Seelye wrote:
>
> I have a PC acting as a firewall and router, using iptables. We have a
> Wii-U inside the network and until a few days ago, it had no
> connectivity problems at all. I upgraded the firewall PC from Kubuntu
> 10.04 to 12.04 and suddenly the Wii-U cannot connect.
>
> It would appear that this is not a problem with the Wii-U. If I connect
> it directly to the Optimum modem, everything works fine. It's something
> wonky with the Kubuntu PC, since I upgraded. Nothing in my
> iptables.rules has changed. I'm using the same set of rules as before
> the upgrade.
Did you check with iptables-save that the actual resulting ruleset is
the same as before?
> Other things I've tried:
>
> I've opened the firewall up completely, allowing all traffic through.
> I've explicitly allowed all traffic on all ports, to and from the Wii-U.
> I've tried running several older kernels.
Even the old kernel from the previous version of Ubuntu that ran fine?
> I've tried shutting down apparmor.
>
> None of these have worked.
>
> The only thing that did work, was to remove the Kubuntu box completely
> and connect my switch directly to the Optimum modem.
>
> I have no rules in place restricting the Wii-U at all. I do a grep in
> syslog for the Wii-U's IP and I get a lot of this:
>
> --------------------------
> kernel: [ 7236.919902] Invalid packet: IN=eth0 OUT=eth1
> MAC=00:c0:f0:2d:9e:b4:18:2a:7b:85:09:e5:08:00 SRC=192.168.58.38
> DST=23.43.226.90 LEN=1042 TOS=0x00 PREC=0x00 TTL=63 ID=3693 PROTO=TCP
> SPT=1772 DPT=443 WINDOW=32768 RES=0x00 ACK PSH FIN URGP=0
> --------------------------
What is the match which produces this message? Is it based on the
INVALID state? I wonder if a segment with data, FIN and PSH flags is
valid...
Note that such messages may not be harmful; this could be a duplicate
FIN segment from an old forgotten connection. In several cases I have
seen a supposed error message that was actually unrelated to the problem.
> If I'm interpreting this correctly, it thinks that there is a problem
> with the packets coming from the Wii-U and it's dropping them. I've
> tried removing the rule that drops invalid packets and it stopped
> putting these warnings in the log, but the Wii-U still can't connect to
> the Nintendo network.
If the problem is related to connection tracking, then it will also
affect the NAT operation, and from the private address in the log I guess
you need masquerading. If a packet is in the INVALID state, then it is
ignored by the NAT table and leaves the router with its original private
source address unmodified (which you can check with a packet capture on
the external interface). Such a packet will of course be discarded on the
public internet. If the TCP connection tracking is over-zealous, you can
try to make it more tolerant by setting
/proc/sys/net/netfilter/nf_conntrack_tcp_be_liberal to 1.
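As an added illustration (not part of the thread), a small parser for the netfilter LOG line quoted above: it splits the KEY=VALUE fields from the bare TCP flag tokens, bounds the payload of the FIN segment from LEN (header lengths are not logged), and checks the NAT point Pascal raises, that is, a forwarded packet with a private source address. The sample line is the one from the thread, re-joined onto one line.

```python
from ipaddress import ip_address

# Constructed sample: the syslog line quoted in the thread, joined onto one line.
SAMPLE = ("kernel: [ 7236.919902] Invalid packet: IN=eth0 OUT=eth1 "
          "MAC=00:c0:f0:2d:9e:b4:18:2a:7b:85:09:e5:08:00 SRC=192.168.58.38 "
          "DST=23.43.226.90 LEN=1042 TOS=0x00 PREC=0x00 TTL=63 ID=3693 PROTO=TCP "
          "SPT=1772 DPT=443 WINDOW=32768 RES=0x00 ACK PSH FIN URGP=0")

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "CWR", "ECE"}
MAX_HDRS = 60 + 60   # largest possible IPv4 header + largest possible TCP header


def parse_nf_log(line):
    """Split a netfilter LOG line into (log prefix, KEY=VALUE fields, TCP flag set).

    The LOG target prints TCP flags as bare tokens (ACK PSH FIN) and everything
    else as KEY=VALUE. Header lengths are not logged, so payload size can only
    be bounded from LEN (the IP total length).
    """
    start = line.index("IN=")
    prefix = line[:start].rstrip(": ")          # the --log-prefix text
    fields, flags = {}, set()
    for tok in line[start:].split():
        if "=" in tok:
            key, _, val = tok.partition("=")    # "IN=" (empty value) is kept as ""
            fields[key] = val
        elif tok in TCP_FLAGS:
            flags.add(tok)
    return prefix, fields, flags


def assess(fields, flags):
    """Observations a firewall admin would want from one 'Invalid packet' line."""
    obs = {}
    length = int(fields.get("LEN", 0))
    # If LEN exceeds the largest possible IPv4 + TCP headers, data is certainly present.
    obs["fin_with_data"] = "FIN" in flags and length > MAX_HDRS
    obs["payload_max"] = max(length - 40, 0)   # payload if both headers are minimal (20 + 20)
    src = fields.get("SRC")
    # A forwarded packet (IN and OUT both set) with a private source that conntrack
    # classes INVALID is skipped by the nat table and would leave the router un-NATed.
    obs["forwarded_private_src"] = bool(fields.get("IN") and fields.get("OUT")
                                        and src and ip_address(src).is_private)
    return obs


if __name__ == "__main__":
    _prefix, _fields, _flags = parse_nf_log(SAMPLE)
    print(_prefix, sorted(_flags), assess(_fields, _flags))
```

For the thread's line this reports a FIN carrying up to 1002 bytes of data and a private source being forwarded, which is exactly what a capture on the external interface would confirm or rule out.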
Thread overview: 3+ messages
2013-06-17 13:36 'Invalid packet' problem since upgrading Allen Seelye
2013-06-21 6:36 ` André Paulsberg
2013-06-29 11:55 ` Pascal Hambourg [this message]