Connection problems on large high speed connections.

Stian B. Barmen stian at barmen.nu
Fri Apr 29 00:56:44 CEST 2005


> > Apr 28 22:07:47 fire Invalid:  IN=eth1 OUT=
> > MAC=00:d0:b7:1d:cc:7d:00:90:69:f0:b0:20:08:00  SRC=156.56.247.195
> > DST=217.199.xx.18 LEN=1500 TOS=00 PREC=0x00 TTL=53 ID=53186 CE DF
> > PROTO=TCP SPT=80 DPT=33553 SEQ=990104197 ACK=497088462 WINDOW=6432 ACK
> > URGP=0
> 
> the only thing that jumps out at me is that all those packets have the
> CE bit set (Congestion Experienced).  care to share with us the rule
> that creates those log entries?  is it just "-m state --state INVALID -j
> LOG"?  i would be very surprised if setting CE caused a packet to be
> identified as INVALID...
> 

Yes of course I share willingly :)

    # Create the INVALIDDROP chain only if it does not already exist
    # (the "&>/dev/null" redirection is bash syntax).
    iptables -L INVALIDDROP -n &>/dev/null || \
        iptables -N INVALIDDROP
    # Log every packet entering the chain via ULOG with the "Invalid: " prefix, then drop it.
    iptables -A INVALIDDROP -j ULOG --ulog-prefix "Invalid: "
    iptables -A INVALIDDROP -j DROP
    # Send everything conntrack classifies as INVALID on INPUT to that chain.
    iptables -A INPUT -m state --state INVALID -j INVALIDDROP

These are the lines from my firewall script. As you say, it is only -m
state --state INVALID that is used.

From my iptables -L you can see it's right there at the top:

fire root # iptables -L INPUT -n
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  127.0.0.0/8          127.0.0.0/8
INVALIDDROP  all  --  0.0.0.0/0            0.0.0.0/0           state INVALID
..... <snip> .....

Best regards
Stian B. Barmen
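To follow up on the question of whether the INVALID-logged packets all carry the CE bit, it helps to parse the LOG/ULOG lines mechanically rather than by eye. The following is an added example, not code from the thread or from netfilter: it splits a netfilter log line into the key=value fields (IN, OUT, SRC, LEN, PROTO, SPT, ...) and the bare flag tokens (CE, DF, ACK, ...) that the logger prints without a value, then counts how many INVALID entries are CE-marked, broken down by protocol. The sample log lines are constructed, with addresses from the RFC 5737 and RFC 7042 documentation ranges; only the line layout follows the entry quoted above.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample lines modelled on the "Invalid: " ULOG entry quoted in the
# thread. Addresses and MACs are documentation-range placeholders, not real hosts.
SAMPLE_LOG = """\
Apr 28 22:07:47 fire Invalid:  IN=eth1 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=192.0.2.10 DST=198.51.100.18 LEN=1500 TOS=00 PREC=0x00 TTL=53 ID=53186 CE DF PROTO=TCP SPT=80 DPT=33553 SEQ=990104197 ACK=497088462 WINDOW=6432 ACK URGP=0
Apr 28 22:07:48 fire Invalid:  IN=eth1 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:03:08:00 SRC=192.0.2.11 DST=198.51.100.18 LEN=52 TOS=00 PREC=0x00 TTL=60 ID=1 DF PROTO=TCP SPT=443 DPT=40000 SEQ=1 ACK=2 WINDOW=1000 ACK URGP=0
Apr 28 22:07:49 fire Invalid:  IN=eth1 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:04:08:00 SRC=192.0.2.12 DST=198.51.100.18 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=2 CE PROTO=UDP SPT=53 DPT=5353 LEN=40
"""

# A key=value token: uppercase key, value may be empty (e.g. "OUT=").
KV_RE = re.compile(r"^([A-Z]+)=(.*)$")


def parse_netfilter_log(line: str) -> Dict[str, object]:
    """Split one LOG/ULOG line into its syslog prefix, key=value fields and bare flags."""
    tokens = line.split()
    # Everything before the first "IN=" token is timestamp, host and log prefix.
    try:
        start = next(i for i, t in enumerate(tokens) if t.startswith("IN="))
    except StopIteration:
        raise ValueError("not a netfilter LOG line: %r" % line)
    fields: Dict[str, str] = {}
    flags: List[str] = []
    for tok in tokens[start:]:
        m = KV_RE.match(tok)
        if m:
            key, val = m.groups()
            # Keep the first occurrence: UDP lines print LEN twice (IP header, then UDP).
            fields.setdefault(key, val)
        else:
            # Tokens with no "=" are flag markers: CE, DF, MF, SYN, ACK, FIN, ...
            flags.append(tok)
    return {"prefix": " ".join(tokens[:start]), "fields": fields, "flags": flags}


def ecn_ce_marked(record: Dict[str, object]) -> bool:
    """True when the logger printed the CE (Congestion Experienced) marker for this packet."""
    return "CE" in record["flags"]


def summarize_invalid(lines: Iterable[str]) -> Dict[str, object]:
    """Count logged packets, how many are CE-marked, and the per-protocol breakdown."""
    total = 0
    ce_marked = 0
    by_proto: Dict[str, int] = {}
    for line in lines:
        if not line.strip():
            continue
        rec = parse_netfilter_log(line)
        total += 1
        proto = rec["fields"].get("PROTO", "?")
        by_proto[proto] = by_proto.get(proto, 0) + 1
        if ecn_ce_marked(rec):
            ce_marked += 1
    return {"total": total, "ce_marked": ce_marked, "by_proto": by_proto}


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        rec = parse_netfilter_log(line)
        f = rec["fields"]
        print("%s:%s -> :%s %s flags=%s" % (f["SRC"], f["SPT"], f["DPT"], f["PROTO"], rec["flags"]))
    print(summarize_invalid(SAMPLE_LOG.splitlines()))
```

Run it against the real log file (`summarize_invalid(open("/var/log/ulog/syslogemu.log"))` or wherever ulogd writes) to see whether CE is present on every INVALID entry or only on some of them; if it is universal, that is the correlation the reply above is asking about, and if not, the other fields (SEQ/ACK, WINDOW, TTL) narrow down why conntrack rejected the packet.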

