[...]
IN= OUT=eth0 SRC=ROUTER DST=193.108.155.115 LEN=68 TOS=0x00 PREC=0xC0 TTL=64 ID=22467 PROTO=ICMP TYPE=11 CODE=0 [SRC=193.108.155.115 DST=A.LAN.HOST LEN=40 TOS=0x00 PREC=0x00 TTL=1 ID=40760 PROTO=ICMP TYPE=8 CODE=0 ID=20244 SEQ=45126 ]
Why would you consider these packets invalid - TYPE=11 is "time exceeded", CODE=0 is "maximum lifetime of the datagram exceeded" - for whatever reason those packets are generated ...
I have (roughly) the following rules in the script:
iptables -A OUTPUT -m state --state INVALID -j LOG \ --log-prefix "Fired invalid:" iptables -A OUTPUT -m state --state INVALID -j DROP
These rules worked at the records I posted.
Well, IMHO these rules will work for tcp/udp connections - but as of icmp, the following occurs:
ICMP-echo request 193.108.155.115 -> A.LAN.HOST , which is unreachable, thus "time exceeded".
Now take a look at "man iptables", what it says about "INVALID":
"... Possible states are INVALID meaning that the packet could not be identified for some reason which includes running out of memory and ICMP errors which don't correspond to any known connection, ... "
and indeed, this is the case - your ICMP error does not correspond to any known connection, as an ICMP-echo request is always "NEW" .
You should probably allow any outgoing ICMP-traffic to resolv this issue.
Regards, Michael
