Problem accessing (ACK is over the upper bound)

Krzysztof Oledzki ole at
Mon Jul 2 20:17:00 CEST 2007

On Mon, 2 Jul 2007, Patrick McHardy wrote:

> Krzysztof Oledzki wrote:
>> OK, this was easy. The RST was sent simply because the packet was not
>> dropped but instead delivered to the local IP - there was no valid tuple
>> to change (unnat) the packet destination. Setting:
>> iptables -I PREROUTING -m conntrack --ctstate INVALID -j DROP
> We should really document that with window tracking and NAT you
> must drop INVALID packets to avoid them getting delivered locally
> and causing a RST.

Indeed. There should be a big, fat warning about dropping in INPUT (and 
probably FORWARD). The question is where: Kconfig (NAT)? man iptables? 
both? ;)

>> make no more RSTs, only retransmissions from the And yes, I
>> have a patched kernel so I'm able to filter packets in a PREROUTING chain.
> Dropping works without any patches.

Yes, in INPUT. I discovered that such packets go to INPUT shortly after 
I had written this mail. Before that I had put this in PREROUTING, which 
is not possible by default.

Best regards,

 			Krzysztof Olędzki
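An added audit helper illustrating the advice in this thread (not code from the mail or from netfilter): it parses `iptables-save` output, assumes NAT is in use when the `nat` table has rules, and reports whether INPUT and FORWARD each drop INVALID packets. The ruleset below is constructed sample input.

```python
import re

# Constructed `iptables-save` sample: NAT is in use, INPUT drops INVALID,
# but FORWARD does not, so NATed INVALID packets could still be forwarded.
SAMPLE_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.0.0.5:80
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
"""

# Matches both the conntrack and the older state match syntax for INVALID.
INVALID_DROP = re.compile(
    r"^-A (?P<chain>INPUT|FORWARD) .*-m (conntrack --ctstate|state --state) INVALID .*-j DROP$"
)


def parse_tables(text):
    """Split iptables-save output into {table_name: [rule lines]}."""
    tables, current = {}, None
    for line in text.splitlines():
        if line.startswith("*"):
            current = line[1:]
            tables[current] = []
        elif line.startswith("-A") and current:
            tables[current].append(line)
    return tables


def audit_invalid_drop(text):
    """Report whether INPUT and FORWARD drop INVALID when NAT is configured."""
    tables = parse_tables(text)
    nat_in_use = bool(tables.get("nat"))
    drops = {"INPUT": False, "FORWARD": False}
    for rule in tables.get("filter", []):
        m = INVALID_DROP.match(rule)
        if m:
            drops[m.group("chain")] = True
    missing = [chain for chain, ok in drops.items() if not ok]
    return {"nat_in_use": nat_in_use, "invalid_dropped": drops,
            "missing": missing, "needs_attention": nat_in_use and bool(missing)}
```

Run it against `iptables-save` output from a NAT box; a non-empty `missing` list names the chain that still lets INVALID packets through.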
