Connection problems on large high speed connections.

Stian B. Barmen stian at
Fri Apr 29 00:56:44 CEST 2005

> > Apr 28 22:07:47 fire Invalid:  IN=eth1 OUT=
> > MAC=00:d0:b7:1d:cc:7d:00:90:69:f0:b0:20:08:00  SRC=
> > DST=217.199.xx.18 LEN=1500 TOS=00 PREC=0x00 TTL=53 ID=53186 CE DF
> > PROTO=TCP SPT=80 DPT=33553 SEQ=990104197 ACK=497088462 WINDOW=6432 ACK
> > URGP=0
> the only thing that jumps out at me is that all those packets have the
> CE bit set (Congestion Experienced).  care to share with us the rule
> that creates those log entries?  is it just "-m state --state INVALID -j
> LOG"?  i would be very surprised if setting CE caused a packet to be
> identified as INVALID...

Yes, of course I share willingly :)

    iptables -L INVALIDDROP -n &>/dev/null ||\
    iptables -N INVALIDDROP
    iptables -A INVALIDDROP -j ULOG --ulog-prefix "Invalid: "
    iptables -A INVALIDDROP -j DROP
    iptables -A INPUT -m state --state INVALID -j INVALIDDROP

These are the lines from my firewall script. It is, like you say, only -m
state --state INVALID that is used.

From my iptables -L you can see it's right there at the top:

fire root # iptables -L INPUT -n
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --
INVALIDDROP  all  --             state
..... <snip> .....

Best regards
Stian B. Barmen
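To make sense of a burst of "Invalid:" entries like the ones quoted above, it helps to split each line into its key=value fields and its bare flag tokens (CE, DF, ACK, SYN) and then group the hits. The following is an added example written for this page, not code from the poster or from netfilter; the log lines inside it are constructed to match the quoted format, with placeholder addresses.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the LOG/ULOG output quoted in the thread.
# Addresses are documentation-range placeholders, not the poster's real hosts.
SAMPLE_LOG = """\
Apr 28 22:07:47 fire Invalid: IN=eth1 OUT= MAC=00:d0:b7:1d:cc:7d:00:90:69:f0:b0:20:08:00 SRC=192.0.2.10 DST=198.51.100.18 LEN=1500 TOS=00 PREC=0x00 TTL=53 ID=53186 CE DF PROTO=TCP SPT=80 DPT=33553 SEQ=990104197 ACK=497088462 WINDOW=6432 ACK URGP=0
Apr 28 22:07:48 fire Invalid: IN=eth1 OUT= MAC=00:d0:b7:1d:cc:7d:00:90:69:f0:b0:20:08:00 SRC=192.0.2.10 DST=198.51.100.18 LEN=1500 TOS=00 PREC=0x00 TTL=53 ID=53187 CE DF PROTO=TCP SPT=80 DPT=33553 SEQ=990105657 ACK=497088462 WINDOW=6432 ACK URGP=0
Apr 28 22:09:01 fire Invalid: IN=eth1 OUT= MAC=00:d0:b7:1d:cc:7d:00:90:69:f0:b0:20:08:00 SRC=203.0.113.7 DST=198.51.100.18 LEN=40 TOS=00 PREC=0x00 TTL=44 ID=0 DF PROTO=TCP SPT=4444 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
"""

def parse_line(line):
    """Split one log line into key=value fields and bare flag tokens.

    'ACK' occurs both as the ack number (ACK=...) and as the bare TCP flag,
    so the two must be kept apart; CE and DF are also bare tokens.
    """
    m = re.search(r"\bIN=", line)          # packet record starts at IN=
    if not m:
        return None
    fields, flags = {}, set()
    for tok in line[m.start():].split():
        if "=" in tok:
            k, v = tok.split("=", 1)       # OUT= yields an empty value
            fields[k] = v
        else:
            flags.add(tok)
    return {"fields": fields, "flags": flags}

def classify(rec):
    """Rough triage of why conntrack may have marked the packet INVALID."""
    f, flags = rec["fields"], rec["flags"]
    if f.get("PROTO") != "TCP":
        return "non-tcp"
    if "SYN" in flags and "ACK" not in flags:
        return "new-connection-attempt"    # unsolicited SYN, expected to be NEW/INVALID
    if "ACK" in flags and not flags & {"SYN", "FIN", "RST"}:
        # Pure ACK/data segment with no matching state entry: typically a
        # flow the state table no longer knows (timeout, window mismatch).
        return "mid-stream-segment"
    return "other"

def summarize(log_text):
    """Count hits per (SRC, SPT, class, CE-bit-set) to spot patterns."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        f = rec["fields"]
        counts[(f.get("SRC"), f.get("SPT"), classify(rec), "CE" in rec["flags"])] += 1
    return counts
```

Running `summarize(SAMPLE_LOG)` separates the two full-size ACK segments from port 80 (all with CE set) from the single unsolicited SYN, which is the distinction the thread is trying to draw.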