state: INVALID

Björn Schmidt bj-schmidt at uni-paderborn.de
Sun Nov 21 23:46:45 CET 2004


Jason Opperisano wrote:
> On Sat, 2004-11-20 at 18:18, Björn Schmidt wrote:
>>Jason Opperisano wrote:
>>Here is a(n older) packet that is _falsely_ classified as INVALID (should be
>>ESTABLISHED). I changed the IP address and hostname in the meantime:
>>
>>Oct 29 13:51:05 skyron ILLEGAL_PACKET IN= OUT=eth0 MAC= SRC=192.168.1.1 DST=192.168.1.2 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=22 DPT=33085 SEQ=1048000056 ACK=1050690244 WINDOW=5792 ACK SYN URGP=0
> 
> well--this is a SYN-ACK packet...without seeing the log rule that
> creates this "ILLEGAL_PACKET" entry, i can't say.

I changed the log rule(s) that create "ILLEGAL_PACKET"; now they create
"OUTPUT_INVALID", "INPUT_INVALID" and "FORWARD_INVALID". Here is one line
from the log with the new rules (client):

Nov 21 23:21:43 gigabyte OUTPUT_INVALID IN= OUT=eth0 MAC= SRC=192.168.1.2 DST=192.168.1.1 LEN=52 TOS=00 PREC=0x00 TTL=64 ID=23692 DF PROTO=TCP SPT=32807 DPT=22 SEQ=798630945 ACK=685050669 WINDOW=1460 ACK URGP=0

The state of this packet should be ESTABLISHED, but it _is_ INVALID.
Perhaps there is a bug in ipsec or netfilter...

> my guess is that your rules do not match your intentions.

Impossible. I have this problem even with this _minimalistic_ ruleset:

gigabyte:~# cat firewall.tmp
#!/bin/sh

iptables  -P INPUT DROP
iptables  -P OUTPUT DROP
iptables  -P FORWARD DROP

iptables  -A INPUT   -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
iptables  -A OUTPUT  -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
iptables  -A FORWARD -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT

iptables -A INPUT -m state --state INVALID -j ULOG --ulog-prefix INPUT_INVALID
iptables -A OUTPUT -m state --state INVALID -j ULOG --ulog-prefix OUTPUT_INVALID
iptables -A FORWARD -m state --state INVALID -j ULOG --ulog-prefix FORWARD_INVALID

>>Besides, I forgot to mention that I only get "false INVALID" states with
>>activated IPsec (ESP in transport mode, kernel 2.6). With IPsec _AND_ iptables
>>it is NOT possible to establish a new TCP connection due to these "INVALID
>>state packets".
> 
> uh huh...  post your rules:
> 
> iptables -t mangle -vnxL

gigabyte:~# iptables -t mangle -vnxL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
     pkts      bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts      bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts      bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
     pkts      bytes target     prot opt in     out     source               destination


> iptables -t nat -vnxL

gigabyte:~# iptables -t nat -vnxL
Chain PREROUTING (policy ACCEPT 7 packets, 1515 bytes)
     pkts      bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 26 packets, 2637 bytes)
     pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 26 packets, 2565 bytes)
     pkts      bytes target     prot opt in     out     source               destination

> iptables -vnxL

gigabyte:~# iptables -vnxL
Chain INPUT (policy DROP 0 packets, 0 bytes)
     pkts      bytes target     prot opt in     out     source               destination
     2460  2616788 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED
        0        0 ULOG       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID ULOG copy_range 0 nlgroup 1 prefix `INPUT_INVALID' queue_threshold 1

Chain FORWARD (policy DROP 0 packets, 0 bytes)
     pkts      bytes target     prot opt in     out     source               destination
        0        0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED
        0        0 ULOG       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID ULOG copy_range 0 nlgroup 1 prefix `FORWARD_INVALID' queue_threshold 1

Chain OUTPUT (policy DROP 38 packets, 2036 bytes)
     pkts      bytes target     prot opt in     out     source               destination
     1938   959688 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED
       38     2036 ULOG       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID ULOG copy_range 0 nlgroup 1 prefix `OUTPUT_INVALID' queue_threshold 1


Hmmm, it is not possible to establish an ssh connection, but it IS
possible to establish a telnet connection (but it needs ~148 seconds
until the "skyron login:" prompt appears).

-- 
Greetings
Bjoern Schmidt
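
Added example, not part of this thread: a small Python parser for the netfilter LOG/ULOG syslog lines quoted above, which pulls the flow tuple and the bare TCP flag words out of each INVALID entry so you can see at a glance whether conntrack is rejecting handshake packets or plain ACKs on a flow it should already know. The two sample lines are the ones from the post; the single-word log prefix and the field names are assumed from that format.

```python
import re

# The two netfilter log lines quoted in this thread (addresses and hostnames
# were already replaced by the poster), each re-joined onto a single line.
SAMPLE_LOG = """\
Oct 29 13:51:05 skyron ILLEGAL_PACKET IN= OUT=eth0 MAC= SRC=192.168.1.1 DST=192.168.1.2 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=22 DPT=33085 SEQ=1048000056 ACK=1050690244 WINDOW=5792 ACK SYN URGP=0
Nov 21 23:21:43 gigabyte OUTPUT_INVALID IN= OUT=eth0 MAC= SRC=192.168.1.2 DST=192.168.1.1 LEN=52 TOS=00 PREC=0x00 TTL=64 ID=23692 DF PROTO=TCP SPT=32807 DPT=22 SEQ=798630945 ACK=685050669 WINDOW=1460 ACK URGP=0
"""

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
INT_FIELDS = {"LEN", "TTL", "ID", "SPT", "DPT", "SEQ", "ACK", "WINDOW", "URGP"}
# "Mon DD HH:MM:SS host PREFIX rest..."; a single-word log prefix is assumed.
HEADER_RE = re.compile(r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(\S+)\s+(\S+)\s+(.*)$")

def parse_line(line: str) -> dict:
    """Parse one netfilter LOG/ULOG syslog line; the bare TCP flag words (ACK, SYN, ...)
    are collected under "flags" so they do not collide with the numeric ACK= field."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a netfilter log line: {line!r}")
    ts, host, prefix, rest = m.groups()
    pkt = {"timestamp": ts, "host": host, "prefix": prefix, "flags": set()}
    for tok in rest.split():
        if "=" in tok:                  # SRC=..., SPT=..., and the empty IN= / MAC=
            key, val = tok.split("=", 1)
            pkt[key] = int(val) if key in INT_FIELDS and val else val
        elif tok in TCP_FLAGS:          # bare ACK / SYN words are the TCP flag bits
            pkt["flags"].add(tok)
        else:                           # DF, MF, CE: IP header flag words
            pkt[tok] = True
    return pkt

def segment_kind(pkt: dict) -> str:
    """Name the TCP segment type; a lone ACK logged as INVALID means conntrack has no entry for the flow."""
    f = pkt["flags"]
    if "SYN" in f:
        return "SYN-ACK" if "ACK" in f else "SYN"
    if f & {"RST", "FIN"}:
        return "RST" if "RST" in f else "FIN"
    return "ACK" if "ACK" in f else "no-flags"

def summarize(log_text: str) -> list:
    """One (prefix, flow, kind) tuple per line, to see which flows are mis-classified."""
    out = []
    for line in log_text.splitlines():
        p = parse_line(line)
        flow = f"{p['SRC']}:{p['SPT']} -> {p['DST']}:{p['DPT']}"
        out.append((p["prefix"], flow, segment_kind(p)))
    return out
```

Run `summarize(SAMPLE_LOG)` over a whole day's INVALID entries and group by the flow column: a flow whose SYN-ACK or plain ACKs are all INVALID while the matching SYN was accepted points at conntrack, not at the ruleset.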