Connection tracking debugging?!

Linux Advanced Routing and Traffic Control


 



I've made some changes at a remote site, managed by a Linux/netfilter
firewall; mostly I've added more clients, but also changed connectivity
(provider).


After that I've started to see some small problems, e.g. random
disconnections in videoconferencing (Zoom) and in an ICA client. It seems
to me vaguely like a 'connection tracking' problem...

I've added these rules:

 iptables -A std-cleanup -m conntrack --ctstate INVALID -m limit --limit 1/sec -j LOG --log-prefix "C=std-cleanup A=inv L=err "
 iptables -A std-cleanup -m conntrack --ctstate INVALID -j DROP

linked to the INPUT and FORWARD chains, and effectively I catch 'invalid'
events:

 May 25 11:45:49 prosecco kernel: [789480.844612] C=std-cleanup A=inv L=err IN=enp0s25 OUT=ppp0 MAC=6c:3b:e5:0f:02:e9:dc:4a:3e:42:19:29:08:00 SRC=10.10.2.169 DST=93.41.169.27 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=16685 DF PROTO=TCP SPT=50944 DPT=443 WINDOW=0 RES=0x00 RST URGP=0 
 May 25 11:45:50 prosecco kernel: [789482.292680] C=std-cleanup A=inv L=err IN=enp0s25 OUT=ppp0 MAC=6c:3b:e5:0f:02:e9:dc:4a:3e:42:19:29:08:00 SRC=10.10.2.169 DST=93.41.169.27 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=16873 DF PROTO=TCP SPT=50940 DPT=443 WINDOW=0 RES=0x00 RST URGP=0 
 May 25 11:50:00 prosecco kernel: [789732.718655] C=std-cleanup A=inv L=err IN=enp0s25 OUT=ppp0 MAC=6c:3b:e5:0f:02:e9:dc:4a:3e:42:19:29:08:00 SRC=10.10.2.169 DST=93.41.169.27 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=30802 DF PROTO=TCP SPT=51274 DPT=443 WINDOW=0 RES=0x00 RST URGP=0 

so it seems to me that in some way the connection tracking 'loses' the
tracking, and clearly afterwards the packet gets marked invalid, forcing
a reconnection.


Using the 'conntrack' helper shows nothing strange to me, or at least
nothing different from other similar installations that instead work as
expected.


How can I 'debug' this issue? Thanks.

-- 
dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

		Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
	(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
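
An added example, not part of the original post: a small Python parser that groups the packets logged by the `std-cleanup` INVALID rule by flow, TCP flags and window, so a pattern across many log lines is visible at a glance. The function names `parse_line` and `summarize` are this example's own; the input is the three log lines quoted in the post.

```python
# The three kernel log lines quoted in the post, embedded so the example runs offline.
SAMPLE_LOG = """\
May 25 11:45:49 prosecco kernel: [789480.844612] C=std-cleanup A=inv L=err IN=enp0s25 OUT=ppp0 MAC=6c:3b:e5:0f:02:e9:dc:4a:3e:42:19:29:08:00 SRC=10.10.2.169 DST=93.41.169.27 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=16685 DF PROTO=TCP SPT=50944 DPT=443 WINDOW=0 RES=0x00 RST URGP=0
May 25 11:45:50 prosecco kernel: [789482.292680] C=std-cleanup A=inv L=err IN=enp0s25 OUT=ppp0 MAC=6c:3b:e5:0f:02:e9:dc:4a:3e:42:19:29:08:00 SRC=10.10.2.169 DST=93.41.169.27 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=16873 DF PROTO=TCP SPT=50940 DPT=443 WINDOW=0 RES=0x00 RST URGP=0
May 25 11:50:00 prosecco kernel: [789732.718655] C=std-cleanup A=inv L=err IN=enp0s25 OUT=ppp0 MAC=6c:3b:e5:0f:02:e9:dc:4a:3e:42:19:29:08:00 SRC=10.10.2.169 DST=93.41.169.27 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=30802 DF PROTO=TCP SPT=51274 DPT=443 WINDOW=0 RES=0x00 RST URGP=0
"""

PREFIX = "C=std-cleanup A=inv L=err"  # the --log-prefix used in the post's rule
# TCP flag names as the kernel LOG target prints them (bare tokens, no '=').
TCP_FLAGS = ("CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN")


def parse_line(line):
    """Parse one netfilter LOG line carrying PREFIX; return None for other lines."""
    _, found, body = line.partition(PREFIX)
    if not found:
        return None
    tokens = body.split()
    pkt = dict(t.split("=", 1) for t in tokens if "=" in t)   # KEY=value fields
    bare = {t for t in tokens if "=" not in t}                # DF, RST, SYN, ...
    pkt["flags"] = tuple(f for f in TCP_FLAGS if f in bare)
    return pkt


def summarize(text):
    """Group INVALID packets by (src, dst, dport, flags, window)."""
    groups = {}
    for line in text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        # .get() keeps non-TCP lines (no SPT/DPT/WINDOW fields) from raising.
        key = (pkt.get("SRC"), pkt.get("DST"), pkt.get("DPT"),
               pkt["flags"], pkt.get("WINDOW"))
        entry = groups.setdefault(key, {"packets": 0, "sports": set()})
        entry["packets"] += 1
        entry["sports"].add(pkt.get("SPT"))
    return groups


if __name__ == "__main__":
    for (src, dst, dpt, flags, win), e in summarize(SAMPLE_LOG).items():
        print(f"{src} -> {dst}:{dpt} flags={'+'.join(flags) or '-'} window={win} "
              f"packets={e['packets']} distinct_source_ports={len(e['sports'])}")
```

On the quoted lines this yields a single group: three RST packets with WINDOW=0 from 10.10.2.169 to 93.41.169.27:443, each from a different source port.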


