Connection problems on large high speed connections.

Jozsef Kadlecsik kadlec at blackhole.kfki.hu
Wed Apr 27 15:47:44 CEST 2005


On Wed, 27 Apr 2005, Stian B. Barmen wrote:

> In the code I added at the end of INPUT, FORWARD and the redirected DMZ
> chain the following:
>
> iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
> iptables -A FORWARD -p tcp -j REJECT --reject-with tcp-reset
> iptables -A DMZ -p tcp -j REJECT --reject-with tcp-reset
>
> I removed the --reject-with tcp-reset on each line and the problem
> disappeared.
>
> The strange thing is that this communication should never reach this
> rule. When the communication is established it should hit the rule:
>
> -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> Should it not? (this rule runs before the -j DMZ and I have another one
> for INPUT).

Then there were packets flagged as INVALID by conntrack, which are of
course not matched by the states above. The reject line however matched
them and dutifully generated the RST segment, which tore down the
connection.

> I have no explanation for this behaviour. Will try to log and see what I
> can find but for now this is all I know.

Enable logging invalid packets by

echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid

and make sure ipt_LOG is loaded in.

Best regards,
Jozsef
-
E-mail  : kadlec at blackhole.kfki.hu, kadlec at sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
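As an added illustration of the ordering problem Jozsef describes (this is not code from the thread or from the netfilter project), the script below puts an explicit `--state INVALID -j DROP` rule between the ESTABLISHED/RELATED accept and the chain-terminating REJECT, so packets conntrack cannot classify are silently dropped instead of triggering a TCP RST that tears down a live connection. It assumes iptables with the `state` match and that the DMZ user chain already exists; `DRY_RUN=1` prints the rules instead of loading them. The logging helper writes the sysctl named in the reply; note that on the kernels I know this sysctl takes a protocol number (6 logs TCP, 255 logs every protocol), so check Documentation/networking/ip-sysctl.txt for the kernel in use.

```shell
#!/bin/sh
# Added example, not from the mailing list thread.
# Goal: never let a conntrack INVALID packet fall through to
# "REJECT --reject-with tcp-reset" at the end of a chain.

# run_iptables: wrapper so the rule set can be inspected without root
# (DRY_RUN=1 prints each command; otherwise the real binary is called).
run_iptables() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "iptables $*"
    else
        iptables "$@"
    fi
}

# emit_chain_rules CHAIN: append the state-handling rules to CHAIN.
# The order is the whole point:
#   1. packets of known connections are accepted,
#   2. packets conntrack cannot place (out-of-window segments, late
#      retransmits, asymmetric routing leftovers) are dropped quietly,
#   3. only genuinely NEW TCP packets reach the RST reject.
emit_chain_rules() {
    chain="$1"
    run_iptables -A "$chain" -m state --state RELATED,ESTABLISHED -j ACCEPT
    run_iptables -A "$chain" -m state --state INVALID -j DROP
    run_iptables -A "$chain" -p tcp -j REJECT --reject-with tcp-reset
}

# load_all_chains: the three chains named in the original question
# (DMZ is a user-defined chain assumed to exist already).
load_all_chains() {
    for c in INPUT FORWARD DMZ; do
        emit_chain_rules "$c"
    done
}

# enable_invalid_logging [PROTO]: have conntrack itself log the packets
# it marks INVALID, and load the LOG target so the messages show up.
# PROTO is a protocol number; 255 (the default here) means all protocols.
enable_invalid_logging() {
    proto="${1:-255}"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "echo $proto > /proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid"
        printf '%s\n' "modprobe ipt_LOG"
    else
        echo "$proto" > /proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid
        modprobe ipt_LOG
    fi
}

# Usage (as root):  ./invalid-before-reject.sh
# Preview only:     DRY_RUN=1 ./invalid-before-reject.sh
if [ "${RUN_MAIN:-0}" = 1 ]; then
    load_all_chains
    enable_invalid_logging 6
fi
```

With the invalid logging turned on, the kernel log shows which segments conntrack refused to associate with a connection; if those are the packets that previously drew the RST, the DROP rule above is doing its job and the REJECT only ever sees new connection attempts.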


