Problem accessing (ACK is over the upper bound)

> Hello,
> My colleague has just reported that he is unable to access "REGISTER HERE" 
> page from the Short debugging 
> shows that his connection was dropped by the netfilter code running on fw/nat 
> host:
> AFAIK netfilter is supposed to drop such packet (without sending a RST), 
> isn't it? So why the RST packet was sent?

OK, this was easy. The RST was sent simply because the packet was not 
dropped but instead delivered to the local IP - there was no 
valid tuple to change (unnat) the packet destination. Setting:

iptables -I PREROUTING -m conntrack --ctstate INVALID -j DROP

makes no more RSTs, only retransmissions from the And yes, I 
have a patched kernel so I'm able to filter packets in a PREROUTING 

The rest of the question remains:

> Setting net.ipv4.netfilter.ip_conntrack_tcp_be_liberal solves the problem, 
> but this is not a right fix and now the main question is: was this ACK really 
> over the upper bound since when 
> net.ipv4.netfilter.ip_conntrack_tcp_be_liberal is enabled it is possible to 
> access this page (of course with many netfilter warnings that "ACK is over 
> the upper bound").
> root at fw1:~# uname -r


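Before deciding between enabling ip_conntrack_tcp_be_liberal and dropping INVALID packets, it helps to see which flows are actually tripping the window check. The following script is an added example, not part of the thread above; it tallies the "ACK is over the upper bound" warnings from the kernel log per SRC/DST pair. The log lines are constructed for the example and assume the usual nf_log field layout (IN=, OUT=, SRC=, DST=, ...); real lines may carry extra fields, which the parser ignores.

```shell
#!/bin/sh
# Added example (not from the original mailing-list thread): count netfilter
# "ACK is over the upper bound" warnings per source/destination pair so the
# hosts tripping the conntrack TCP window check are visible before choosing
# between ip_conntrack_tcp_be_liberal and a DROP of INVALID packets.

# Constructed sample of kernel log lines; the IN=/OUT=/SRC=/DST= layout is
# assumed to match the nf_log packet printer. Three warnings come from one
# client, one from another, and one line is unrelated noise.
SAMPLE_LOG='Mar  3 10:01:12 fw1 kernel: nf_ct_tcp: ACK is over the upper bound (ACKed data not seen yet) IN=eth0 OUT=eth1 SRC=192.0.2.10 DST=198.51.100.20 LEN=52 PROTO=TCP SPT=51234 DPT=443 SEQ=1 ACK=2
Mar  3 10:01:13 fw1 kernel: nf_ct_tcp: ACK is over the upper bound (ACKed data not seen yet) IN=eth0 OUT=eth1 SRC=192.0.2.10 DST=198.51.100.20 LEN=52 PROTO=TCP SPT=51234 DPT=443 SEQ=1 ACK=2
Mar  3 10:01:14 fw1 kernel: eth0: link is up
Mar  3 10:01:15 fw1 kernel: nf_ct_tcp: ACK is over the upper bound (ACKed data not seen yet) IN=eth0 OUT=eth1 SRC=192.0.2.11 DST=198.51.100.20 LEN=52 PROTO=TCP SPT=40001 DPT=443 SEQ=1 ACK=2
Mar  3 10:01:16 fw1 kernel: nf_ct_tcp: ACK is over the upper bound (ACKed data not seen yet) IN=eth0 OUT=eth1 SRC=192.0.2.10 DST=198.51.100.20 LEN=52 PROTO=TCP SPT=51234 DPT=443 SEQ=1 ACK=2'

# count_ack_warnings: read kernel log text on stdin, print one line per
# "SRC DST count", most frequent pair first.
count_ack_warnings() {
  grep 'ACK is over the upper bound' |
  awk '{
        src = ""; dst = ""
        # pick out the SRC= and DST= fields wherever they sit on the line
        for (i = 1; i <= NF; i++) {
          if ($i ~ /^SRC=/) src = substr($i, 5)
          if ($i ~ /^DST=/) dst = substr($i, 5)
        }
        if (src != "" && dst != "") count[src " " dst]++
      }
      END { for (k in count) print k, count[k] }' |
  sort -k3,3nr
}

# Stand-alone run over the constructed sample; on a real firewall feed it
# with e.g.  dmesg | count_ack_warnings  or the syslog file instead.
printf '%s\n' "$SAMPLE_LOG" | count_ack_warnings
```

A single client generating the bulk of the warnings usually points at a path problem for that flow (asymmetric routing, a connection conntrack never saw the handshake of), whereas warnings spread across every client suggest the window tracking itself is the issue; the tally makes that distinction visible before any sysctl is changed.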