Problem with conntrack, all packet are marked as invalid.

Baake, Matthias m.baake at porta.de
Thu Aug 25 16:16:03 CEST 2005


Hi

If you have a static IP situation I would use the SNAT target; that's not the problem, just something I noticed.
Please post your iptables startup script or the output of iptables-save.
One thing I've never seen before is the "ctstate" output. Anybody any idea?!

Greets, Matthias

> -----Original Message-----
> From: netfilter-bounces at lists.netfilter.org
> [mailto:netfilter-bounces at lists.netfilter.org]On Behalf Of Tien-Ren Chen
> Sent: Wednesday, August 24, 2005 4:51 PM
> To: netfilter at lists.netfilter.org
> Subject: Problem with conntrack, all packet are marked as invalid.
> 
> 
>   Hi all,
> I'm updating the kernel of my NAT box running Gentoo distribution,
> from 2.6.8-gentoo to 2.6.12-nitro5.
> After that, forwarding of packets from outside (the internet) to local
> seems down.
> I examined my iptables, and found this line does not catch packets anymore.
>  233M  167G ACCEPT     all  --  out    in      0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED
> I added the following rules to check what happened:
>     8   424 LOG        all  --  *      *       140.112.90.73        0.0.0.0/0           ctstate INVALID LOG flags 0 level 4
>     0     0 LOG        all  --  *      *       140.112.90.73        0.0.0.0/0           ctstate NEW LOG flags 0 level 4
>     0     0 LOG        all  --  *      *       140.112.90.73        0.0.0.0/0           ctstate ESTABLISHED LOG flags 0 level 4
>     0     0 LOG        all  --  *      *       140.112.90.73        0.0.0.0/0           ctstate RELATED LOG flags 0 level 4
> All packets are marked as INVALID; however, connection tracking works well:
> $ cat /proc/net/ip_conntrack
> tcp      6 429538 ESTABLISHED src=172.21.0.2 dst=140.112.90.73 sport=1669 dport=23 packets=440 bytes=18445 src=140.112.90.73 dst=140.109.224.64 sport=23 dport=1669 packets=362 bytes=185484 [ASSURED] mark=0 use=1
> 
> I'm not sure if it's a netfilter bug or it's my misconfiguration.
> I tried searching on Google and the netfilter FAQs, but no luck.
> Does anyone have some clue for it? Thanks for any help.
> --
> Tien-Ren Chen, 2005/08/24.
> 
> Sorry for my bad English.
> --
> 
> Here's my network configuration:
> out:  140.109.224.64/24 connect to internet with static adsl
> in:   172.21.0.1/24     bridge two local networks (hub + giga)
> hub:  (null)            connect to my 100m switch
> giga: (null)            connect to my laptop dock
> 
> Here's my original iptables rules:
> Chain INPUT (policy ACCEPT 312M packets, 149G bytes)
>  pkts bytes target     prot opt in     out     source               destination
> 
> Chain FORWARD (policy DROP 67 packets, 49048 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>  233M  167G ACCEPT     all  --  out    in      0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED
>  236M  142G ACCEPT     all  --  in     out     0.0.0.0/0            0.0.0.0/0
> 1679K   86M ACCEPT     tcp  --  out    *       0.0.0.0/0            172.21.0.2          tcp dpt:12664
>   10M  628M ACCEPT     udp  --  out    *       0.0.0.0/0            172.21.0.2          udp dpt:12764
>  624K   33M ACCEPT     tcp  --  out    *       0.0.0.0/0            172.21.0.2          tcp dpt:12666
> 41496 5019K ACCEPT     all  --  in     in      0.0.0.0/0            0.0.0.0/0
>   518 25096 ACCEPT     tcp  --  out    *       0.0.0.0/0            172.21.0.2          tcp dpt:80
> 
> Chain OUTPUT (policy ACCEPT 471M packets, 500G bytes)
>  pkts bytes target     prot opt in     out     source               destination
> 
> Chain PREROUTING (policy ACCEPT 19M packets, 1152M bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 DROP       all  --  out    *       172.21.0.0/24        0.0.0.0/0
> 1677K   84M DNAT       tcp  --  out    *       0.0.0.0/0            0.0.0.0/0           tcp dpt:12664 to:172.21.0.2
>   10M  634M DNAT       udp  --  out    *       0.0.0.0/0            0.0.0.0/0           udp dpt:12764 to:172.21.0.2
>  639K   33M DNAT       tcp  --  out    *       0.0.0.0/0            0.0.0.0/0           tcp dpt:12666 to:172.21.0.2
>   362 17652 DNAT       tcp  --  out    *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 to:172.21.0.2
> 
> Chain POSTROUTING (policy ACCEPT 14M packets, 861M bytes)
>  pkts bytes target     prot opt in     out     source               destination
> 8970K  572M MASQUERADE  all  --  *      out     172.21.0.0/24        0.0.0.0/0
> 
> Chain OUTPUT (policy ACCEPT 1468K packets, 126M bytes)
>  pkts bytes target     prot opt in     out     source               destination
> 
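An added example, not part of either message in this thread: a POSIX shell script that reads the two diagnostics the original post relies on, the per-ctstate LOG rule counters from "iptables -L FORWARD -v -n" and the entries in /proc/net/ip_conntrack, and summarizes which ctstate the traffic is landing in and whether each tracked connection has been rewritten by NAT. The input strings are constructed to match the shape of the posted output (the udp entry is made up for illustration), and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): summarize per-ctstate LOG counters
# and conntrack table entries. All input below is constructed sample data
# shaped like the output quoted in the original post.

LOG_COUNTERS='    8   424 LOG        all  --  *      *       140.112.90.73        0.0.0.0/0           ctstate INVALID LOG flags 0 level 4
    0     0 LOG        all  --  *      *       140.112.90.73        0.0.0.0/0           ctstate NEW LOG flags 0 level 4
    0     0 LOG        all  --  *      *       140.112.90.73        0.0.0.0/0           ctstate ESTABLISHED LOG flags 0 level 4
    0     0 LOG        all  --  *      *       140.112.90.73        0.0.0.0/0           ctstate RELATED LOG flags 0 level 4'

# Second entry (udp, unreplied) is invented to show an entry without a TCP state.
CONNTRACK='tcp      6 429538 ESTABLISHED src=172.21.0.2 dst=140.112.90.73 sport=1669 dport=23 packets=440 bytes=18445 src=140.112.90.73 dst=140.109.224.64 sport=23 dport=1669 packets=362 bytes=185484 [ASSURED] mark=0 use=1
udp      17 29 src=172.21.0.2 dst=140.112.90.73 sport=1024 dport=53 packets=1 bytes=60 [UNREPLIED] src=140.112.90.73 dst=140.109.224.64 sport=53 dport=1024 packets=0 bytes=0 mark=0 use=1'

# ctstate_counters: for every LOG rule that matches on ctstate, print
# "<STATE> <pkts>" using the packet counter in column 1 of iptables -v output.
ctstate_counters() {
  printf '%s\n' "$1" | awk '$3 == "LOG" {
    for (i = 4; i < NF; i++) if ($i == "ctstate") print $(i + 1), $1
  }'
}

# dominant_ctstate: the state whose LOG rule saw the most packets, which is
# what the poster read off the counters by eye.
dominant_ctstate() {
  ctstate_counters "$1" | sort -k2,2nr | head -n 1 | cut -d' ' -f1
}

# conntrack_summary: one line per /proc/net/ip_conntrack entry:
#   <proto> <state|NONE> assured=<yes|no> <orig src>-><orig dst> reply <reply src>-><reply dst> <nat|direct>
# The first src=/dst= pair is the original direction, the second the reply
# direction; if the reply tuple is not the mirror of the original, NAT was applied.
conntrack_summary() {
  printf '%s\n' "$1" | awk '
  {
    proto = $1; state = "NONE"; assured = "no"; n = 0
    for (i = 2; i <= NF; i++) {
      if ($i ~ /^[A-Z_]+$/) state = $i            # bare uppercase word = TCP state
      if ($i == "[ASSURED]") assured = "yes"
      if ($i ~ /^src=/) { n++; if (n == 1) osrc = substr($i, 5); else rsrc = substr($i, 5) }
      if ($i ~ /^dst=/) { if (n == 1) odst = substr($i, 5); else rdst = substr($i, 5) }
    }
    kind = (rdst == osrc && rsrc == odst) ? "direct" : "nat"
    printf "%s %s assured=%s %s->%s reply %s->%s %s\n", proto, state, assured, osrc, odst, rsrc, rdst, kind
  }'
}

# Stand-alone run: print both summaries.
ctstate_counters "$LOG_COUNTERS"
echo "most packets land in ctstate: $(dominant_ctstate "$LOG_COUNTERS")"
conntrack_summary "$CONNTRACK"
```

On the posted data this reports INVALID as the state carrying all the packets while the tcp entry shows a healthy ESTABLISHED, ASSURED connection whose reply tuple points at the box's public address rather than back at 172.21.0.2, i.e. the MASQUERADE rewrite is visible in the table; that contrast is exactly the symptom the post describes. On a live box, feed it `iptables -L FORWARD -v -n` and `cat /proc/net/ip_conntrack` instead of the constructed strings.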