Re: state: INVALID

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Sat, 2004-11-20 at 18:18, BjÃrn Schmidt wrote:
> Jason Opperisano wrote:
> >>the ulogd logfile of my server shows many "INVALID state" packets. What could
> >>be the reason for that?
> > 
> > my guess would be because you have a log rule that logs on "-m state
> > --state INVALID"
> 
> Yes, of course. ;)
> 
> >>The server has one cardbus nic (eth0), one dsl-interface (ppp0) and, of course
> >>lo. The client has only eth0 and lo. The kernel version of both computers is
> >>2.6.10-rc2
> >>
> >>syslogemu.log:Nov 19 20:31:52 kilobyte INPUT_INVALID IN=eth0 OUT= 
> >>MAC=00:d0:b7:01:ce:2a:00:04:e2:7f:90:41:08:00  SRC=192.168.0.2 DST=192.168.0.1 
> >>LEN=52 TOS=00 PREC=0x00 TTL=64 ID=1680 DF PROTO=TCP SPT=32899 DPT=3130 
> >>SEQ=4260699581 ACK=510793293 WINDOW=5080 ACK FIN URGP=0
>  >
>  > this is a FIN-ACK packet from the client to the server for an ICP
>  > session.
> 
> Ooops, i picked exactly the entries from the log which are _really_ invalid.
> Sorry for that (it was to late at night...).
> 
> Here is a(n older) packet that is _falsely_ classified as INVALID (should be
> ESTABLISHED). I changed the IP-adress and hostname in the meantime:
> 
> Oct 29 13:51:05 skyron ILLEGAL_PACKET IN= OUT=eth0 MAC= SRC=192.168.1.1 
> DST=192.168.1.2 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=22 
> DPT=33085 SEQ=1048000056 ACK=1050690244 WINDOW=5792 ACK SYN URGP=0

well--this is a SYN-ACK packet...without seeing the log rule that
creates this "ILLEGAL_PACKET" entry, i can't say.  my guess is that your
rules do not match your intentions.
  
> Besides I forgot to mention that i only get "false INVALID" states with
> activated IPsec (esp in transport mode, kernel 2.6). With IPsec _AND_ iptables
> it es NOT possible to establish a new tcp connection due to these "INVALID
> state packets".

uh huh...  post your rules:

  iptables -t mangle -vnxL && iptables -t nat -vnxL && iptables -vnxL

> There is also a (german) thread at debian-users-german where we tried to solve 
> this problem, without success:
>   http://lists.debian.org/debian-user-german/2004/10/msg02735.html

-j

--
"'Nuke the whales?' You don't really believe that, do you?
 I dunno. Gotta nuke something."
	--The Simpsons
[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux