Connection problems on large high speed connections.
kadlec at blackhole.kfki.hu
Wed Apr 27 15:47:44 CEST 2005
On Wed, 27 Apr 2005, Stian B. Barmen wrote:
> In the code I added at the end of INPUT, FORWARD and the redirected DMZ
> chain the following:
> iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
> iptables -A FORWARD -p tcp -j REJECT --reject-with tcp-reset
> iptables -A DMZ -p tcp -j REJECT --reject-with tcp-reset
> I removed the --reject-with tcp-reset on each line and the problem
> The strange thing is that this communication should never reach this
> rule. When the communication is established it should hit the rule:
> -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> Should it not? (this rule runs before the -j DMZ and I have another one
> for INPUT).
Then there were packets flagged as INVALID by conntrack, which are of
course not matched by the states above. The reject line however matched
them and dutifully generated the RST segment, which tore down the
> I have no explanation for this behaviour. Will try to log and see what I
> can find but for now this is all I know.
Enable logging invalid packets by
echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid
and make sure ipt_LOG is loaded in.
E-mail : kadlec at blackhole.kfki.hu, kadlec at sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
H-1525 Budapest 114, POB. 49, Hungary
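As an added example (not from this thread or its authors), the ruleset shape described above next to a variant where conntrack INVALID packets are logged and dropped before the catch-all tcp-reset REJECT, so an out-of-window segment can no longer trigger an RST against a live flow; the in-chain LOG rule complements the ip_conntrack_log_invalid knob mentioned in the reply. The DMZ chain layout and the log prefix are assumptions; the script only writes iptables-restore text and never applies it.

```shell
#!/bin/sh
# Added example, not code from the thread. Emits iptables-restore fragments
# and checks rule order; it does not touch the running firewall.
# Chain name DMZ and the log prefix are assumptions for illustration.

# Ruleset as described in the thread: the tcp-reset REJECT is last, so any
# packet conntrack flags INVALID (never RELATED,ESTABLISHED) reaches it.
problem_rules() {
    cat <<'EOF'
*filter
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j DMZ
-A FORWARD -p tcp -j REJECT --reject-with tcp-reset
-A DMZ -p tcp -j REJECT --reject-with tcp-reset
COMMIT
EOF
}

# Hardened variant: INVALID packets are logged (rate-limited) and dropped
# before any rule can answer them with a RST.
hardened_rules() {
    cat <<'EOF'
*filter
-A FORWARD -m state --state INVALID -m limit --limit 5/min -j LOG --log-prefix "ct-invalid: "
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j DMZ
-A FORWARD -p tcp -j REJECT --reject-with tcp-reset
-A DMZ -p tcp -j REJECT --reject-with tcp-reset
COMMIT
EOF
}

# Simple ordering check on a fragment read from stdin: returns 0 when every
# "--reject-with tcp-reset" line comes after a "--state INVALID ... -j DROP"
# line, 1 otherwise. It checks file order only, not the full chain graph.
reset_is_guarded() {
    awk '
        /--state INVALID/ && /-j DROP/ { seen = 1 }
        /--reject-with tcp-reset/ && !seen { bad = 1 }
        END { exit bad }
    '
}

# Usage: hardened_rules > /tmp/rules.v4 && iptables-restore -t < /tmp/rules.v4
```

The trailing `iptables-restore -t` call only test-parses the file; drop `-t` to load it.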