I added a rule with this matching pattern to the iptables firewall on my machine.
-m conntrack --ctstate ESTABLISHED,RELATED
I am logging the matches; the only packets matching are ICMP destination unreachable packets that are responses to a UDP packet sent to dest ports 1026 or 1027 that has the source IP of my machine.
My first concern was to see if my machine was infected with some malware.
I have now done parallel tcpdump tracing (among other tests), and I now think the original UDP packets do not come from me, but rather that someone is spoofing my IP address.
So, I have come here to try to confirm that this match is either a misuse of the conntrack module by me (surely possible), or else a bug in connection tracking.
I have split the rule, and I am getting matches on both ESTABLISHED and RELATED. I do not see in /proc/net/ip_conntrack any entry that I think should match. These ICMP packets are at a low frequency, a few a day.
I can solve the immediate issue by ignoring it, but I thought I should report the problem, and see what I can learn.
I have looked at the netfilter mailing lists with great interest, and I have learned a great deal, but I do not see any easy way to search them systematically for this issue.
I started looking for help here:
http://www.linuxquestions.org/questions/showthread.php?threadid=158226
and there are sample log entries there, if it matters. But it seemed as if this list was the next place to go.
Regards,
Jim Laurino
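The triage described in the post (logged conntrack matches that turn out to be ICMP destination unreachable errors quoting a UDP packet with the local source address, with no visible conntrack entry for that flow), as an added example that is not part of the original message. It is a small Python script that parses iptables LOG lines and /proc/net/ip_conntrack lines and reports, for each ICMP unreachable whose embedded header is UDP from MY_IP to port 1026 or 1027, whether a tracked flow for that tuple exists. MY_IP, the LOG prefix and every sample line are constructed for the example; the only format assumption is the standard iptables LOG output, which prints the embedded header of an ICMP error inside square brackets.

```python
"""Triage ICMP unreachable backscatter against the conntrack table.

Added example, not code from the original post. MY_IP and all sample
lines below are constructed; the LOG line layout follows the standard
iptables LOG target, which prints an ICMP error's embedded header in
square brackets.
"""
import re

MY_IP = "192.0.2.5"            # assumed address of the local machine
SUSPECT_PORTS = {1026, 1027}   # destination ports named in the post

# Constructed iptables LOG lines (kernel log format), not real captures.
LOG_LINES = [
    "kernel: CT-MATCH IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.5 LEN=56 "
    "PROTO=ICMP TYPE=3 CODE=3 "
    "[SRC=192.0.2.5 DST=198.51.100.7 LEN=28 PROTO=UDP SPT=1026 DPT=1026 LEN=8]",
    "kernel: CT-MATCH IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.5 LEN=56 "
    "PROTO=ICMP TYPE=3 CODE=3 "
    "[SRC=192.0.2.5 DST=203.0.113.9 LEN=28 PROTO=UDP SPT=1027 DPT=1027 LEN=8]",
    "kernel: CT-MATCH IN=eth0 OUT= SRC=198.51.100.20 DST=192.0.2.5 LEN=60 "
    "PROTO=TCP SPT=443 DPT=51234 ACK",
]

# Constructed /proc/net/ip_conntrack lines: proto, proto number, timeout,
# original-direction tuple, reply-direction tuple.
CONNTRACK_LINES = [
    "tcp      6 431999 ESTABLISHED src=192.0.2.5 dst=198.51.100.20 "
    "sport=51234 dport=443 src=198.51.100.20 dst=192.0.2.5 "
    "sport=443 dport=51234 [ASSURED] use=1",
    "udp      17 29 src=192.0.2.5 dst=198.51.100.50 sport=5353 dport=53 "
    "src=198.51.100.50 dst=192.0.2.5 sport=53 dport=5353 use=1",
]

KV = re.compile(r"(\w+)=(\S*)")
TUPLE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


def parse_log_line(line):
    """Split a LOG line into the outer header dict and the embedded one
    (None when the line carries no bracketed inner header)."""
    inner = None
    m = re.search(r"\[(.*)\]", line)
    if m:
        inner = dict(KV.findall(m.group(1)))
        line = line[:m.start()]
    return dict(KV.findall(line)), inner


def is_suspect_backscatter(line, my_ip=MY_IP):
    """ICMP type 3 whose quoted packet is UDP from my_ip to a suspect port."""
    outer, inner = parse_log_line(line)
    if outer.get("PROTO") != "ICMP" or outer.get("TYPE") != "3" or inner is None:
        return False
    return (inner.get("PROTO") == "UDP" and inner.get("SRC") == my_ip
            and int(inner.get("DPT", 0)) in SUSPECT_PORTS)


def parse_conntrack(lines):
    """Collect original-direction (proto, src, dst, sport, dport) tuples."""
    flows = set()
    for entry in lines:
        proto = entry.split()[0]
        m = TUPLE.search(entry)          # first tuple = original direction
        if m:
            src, dst, sport, dport = m.groups()
            flows.add((proto, src, dst, int(sport), int(dport)))
    return flows


def conntrack_has_flow(inner, flows):
    """Is the flow quoted inside the ICMP error present in the table?"""
    key = (inner["PROTO"].lower(), inner["SRC"], inner["DST"],
           int(inner["SPT"]), int(inner["DPT"]))
    return key in flows


def triage(log_lines=LOG_LINES, conntrack_lines=CONNTRACK_LINES, my_ip=MY_IP):
    """Return (icmp_sender, quoted_dst_port, tracked) for each suspect line."""
    flows = parse_conntrack(conntrack_lines)
    results = []
    for line in log_lines:
        if not is_suspect_backscatter(line, my_ip):
            continue
        outer, inner = parse_log_line(line)
        results.append((outer["SRC"], int(inner["DPT"]),
                        conntrack_has_flow(inner, flows)))
    return results


if __name__ == "__main__":
    for sender, dport, tracked in triage():
        verdict = ("tracked flow" if tracked
                   else "no conntrack entry for the quoted flow")
        print(f"ICMP unreachable from {sender} quoting our UDP to port {dport}: {verdict}")
```

On a live box the two constructed lists would be replaced by the kernel log and by `cat /proc/net/ip_conntrack` taken at the moment the match fires; since the packets arrive only a few times a day, the table snapshot has to be taken promptly, because a UDP entry can time out before a manual check. The script only says whether a tracked flow for the quoted tuple exists at that instant; it cannot by itself distinguish an entry that expired from one that never existed.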