Packets in OUTPUT matched as INVALID by iptables

Submitted by Anonymous on January 9, 2005 - 8:58am

I am not sure this is the right place to make this post, but anyway...

So I have this line in my firewall script...

# drop outbound packets on eth0 that conntrack cannot associate with a known connection
iptables -A OUTPUT -o eth0 -m state --state INVALID -j DROP

...and the problem is that after I upgraded from the 2.6.7 kernel (to 2.6.9, then to 2.6.10) it started matching a lot of packets, although I did not change anything in my firewall script. My assumption would be that iptables somehow forgets the real state of these packets (which should be ESTABLISHED, as far as I can tell). Internet performance doesn't seem to suffer and I can use it just fine, but it's still wrong nevertheless.

Here is an example of one such packet...

SRC=192.168.321.123 DST=123.321.123.321 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=60656 DF PROTO=TCP SPT=2261 DPT=80 WINDOW=8030 RES=0x00 ACK PSH FIN URGP=0

The TCP flags differ, but it's never a SYN packet. I should also note that they are always HTTP(S) packets, but I don't use other protocols much. I hope you understand my lousy terminology...
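The log entry quoted above is the kernel's netfilter LOG format: `KEY=VALUE` tokens for the headers, and the TCP flags printed as bare words (here `ACK PSH FIN`). Before loosening a DROP rule, a practitioner would want to know whether the INVALID matches are all connection-teardown segments (FIN/RST after conntrack has forgotten the flow), mid-stream data, or SYNs. The script below is an added example for this thread, not code posted by any participant: it parses LOG lines in that format and tallies the drops by flow, by flag combination and by rough TCP phase. The sample lines are constructed (documentation and private address ranges, an assumed `OUT-INVALID` log prefix), modelled on the packet shown in the post.

```python
"""Triage netfilter LOG output for packets that iptables matched as INVALID.

Added example for this thread (not code from any poster): parses the
kernel's netfilter LOG line format, then groups the drops by flow and by
TCP flag combination so you can see whether the INVALID matches are
FIN/RST teardown segments, mid-stream ACK/PSH data, or SYNs.
"""
from collections import Counter

# TCP flags appear in LOG output as bare tokens with no "=" sign.
TCP_FLAGS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}

# Constructed sample lines modelled on the entry quoted in the post (syslog
# prefix plus the netfilter fields). Addresses are documentation/private
# ranges, not real hosts; "OUT-INVALID" is an assumed --log-prefix.
SAMPLE_LOG = """\
Jan  9 08:51:12 fw kernel: OUT-INVALID IN= OUT=eth0 SRC=192.168.1.10 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=60656 DF PROTO=TCP SPT=2261 DPT=80 WINDOW=8030 RES=0x00 ACK PSH FIN URGP=0
Jan  9 08:51:12 fw kernel: OUT-INVALID IN= OUT=eth0 SRC=192.168.1.10 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=60657 DF PROTO=TCP SPT=2261 DPT=80 WINDOW=8030 RES=0x00 ACK URGP=0
Jan  9 08:51:13 fw kernel: OUT-INVALID IN= OUT=eth0 SRC=192.168.1.10 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=60702 DF PROTO=TCP SPT=2262 DPT=443 WINDOW=8030 RES=0x00 ACK FIN URGP=0
Jan  9 08:51:15 fw kernel: OUT-INVALID IN= OUT=eth0 SRC=192.168.1.10 DST=203.0.113.9 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=60710 DF PROTO=TCP SPT=2270 DPT=139 WINDOW=8030 RES=0x00 ACK PSH URGP=0
Jan  9 08:51:16 fw kernel: OUT-INVALID IN= OUT=eth0 SRC=192.168.1.10 DST=198.51.100.7 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=60711 DF PROTO=UDP SPT=5353 DPT=53 LEN=308
"""


def parse_log_line(line):
    """Return (fields, flags) for one netfilter LOG line.

    fields: dict of KEY=VALUE tokens (IN, OUT, SRC, DST, PROTO, SPT, DPT, ...).
    flags:  frozenset of TCP flag names printed as bare tokens.
    Syslog prefix tokens and markers such as DF are ignored.
    """
    fields = {}
    flags = set()
    for tok in line.split():
        if "=" in tok:
            key, _, val = tok.partition("=")
            # UDP lines print LEN twice (IP, then UDP); keep the first, the IP length.
            fields.setdefault(key, val)
        elif tok in TCP_FLAGS:
            flags.add(tok)
    return fields, frozenset(flags)


def classify(flags):
    """Rough phase of a TCP segment from its flags: handshake, teardown or data."""
    if "SYN" in flags:
        return "handshake"
    if flags & {"FIN", "RST"}:
        return "teardown"
    return "data"


def summarize(log_text):
    """Aggregate INVALID drops by flow, by TCP flag combination and by phase."""
    by_flow = Counter()
    by_flags = Counter()
    by_phase = Counter()
    for line in log_text.splitlines():
        if "SRC=" not in line:
            continue  # not a netfilter LOG line
        fields, flags = parse_log_line(line)
        flow = (fields.get("PROTO"), fields.get("SRC"), fields.get("SPT"),
                fields.get("DST"), fields.get("DPT"))
        by_flow[flow] += 1
        if fields.get("PROTO") == "TCP":
            by_flags[" ".join(sorted(flags))] += 1
            by_phase[classify(flags)] += 1
    return {"by_flow": by_flow, "by_flags": by_flags, "by_phase": by_phase}


def report(log_text):
    """Print a human-readable summary and return the aggregated counters."""
    s = summarize(log_text)
    print("INVALID drops by TCP phase:", dict(s["by_phase"]))
    print("INVALID drops by TCP flag combination:")
    for combo, n in s["by_flags"].most_common():
        print(f"  {n:4d}  {combo}")
    print("Top flows:")
    for flow, n in s["by_flow"].most_common(5):
        proto, src, spt, dst, dpt = flow
        print(f"  {n:4d}  {proto} {src}:{spt} -> {dst}:{dpt}")
    return s


if __name__ == "__main__":
    report(SAMPLE_LOG)
```

To get lines like these in the first place, put a `-j LOG --log-prefix "OUT-INVALID "` rule with the same match immediately before the DROP, so every dropped packet is recorded with its flags. If the summary shows mostly FIN/ACK and RST segments, the drops are teardown traffic that conntrack has already expired, which is harmless but noisy; ACK/PSH drops in the middle of a live transfer, as the Samba report further down describes, are the case that costs data. One check worth doing on kernels of this era: ip_conntrack from 2.6.9 on performs TCP window tracking and marks out-of-window segments INVALID, which 2.6.7 did not; setting `/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal` to 1 relaxes that so only out-of-window RST segments are treated as INVALID.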

Addition: it seems to happen

Anonymous (not verified) on January 11, 2005 - 8:29am

Addition: it seems to happen to any TCP traffic if used continuously for a long time. Also this tends to happen in bursts.

Timeouts? Out of memory? Bug?

I report the same problem

Anonymous (not verified) on January 29, 2005 - 1:41pm

I've noticed the same problem copying a lot of data from a windoze machine to my Samba share on Slackware 10/2.6.10. Catching the invalid packets results in 'delayed write' errors and lost data under windoze.

I removed the firewall catch in order not to run into problems (on my local net only...)

FC3 x Iptables x Kernel 2.6 = Too many Invalid Packets!?

João Dalben (not verified) on February 28, 2005 - 6:50am

I have the same problem too (FC3 - 2.6.10-1.766_FC3): a lot of INVALID packets, but in both directions (input, output). In my case, though, I do feel a performance loss. I'm searching the internet, but I'm not finding anything... Because of this I'm thinking of reinstalling FC1 on the server :/
Something to think about:
1) Is the 2.6.x kernel more rigorous with the packets?
2) Out of memory?? Do the packets need more time to be analyzed?
3) Bug??
4) ?¿¿?

João Dalben.

New things in 2.6.10

Anonymous (not verified) on March 1, 2005 - 5:22am

You probably need a new iptables (1.2.11). I upgraded our firewall (MDK10.1) to 2.6.10 and it refused to accept my NAT rules.
An iptables upgrade from .9 to .11 fixed that.

- Peder

It seems that I am already us

Author of post #1 (not verified) on March 1, 2005 - 11:17am

It seems that I am already using iptables v1.2.11 (on Debian Sid) and it doesn't work nevertheless. From what I can see, it is actually kernel 2.6.10 that is to blame, because people have reported it not working on various distributions. Well, stable 2.6.11 is coming out shortly, and we shall see if it works. If not, well... I should probably yell at my distro, or compile the latest version of iptables myself. But I am lazy and stuff...
