Re: Connection problems on large high speed connections.

> > Apr 28 22:07:47 fire Invalid:  IN=eth1 OUT=
> > MAC=00:d0:b7:1d:cc:7d:00:90:69:f0:b0:20:08:00  SRC=156.56.247.195
> > DST=217.199.xx.18 LEN=1500 TOS=00 PREC=0x00 TTL=53 ID=53186 CE DF
> > PROTO=TCP SPT=80 DPT=33553 SEQ=990104197 ACK=497088462 WINDOW=6432 ACK
> > URGP=0
> 
> the only thing that jumps out at me is that all those packets have the
> CE bit set (Congestion Experienced).  care to share with us the rule
> that creates those log entries?  is it just "-m state --state INVALID -j
> LOG"?  i would be very surprised if setting CE caused a packet to be
> identified as INVALID...
> 

Yes, of course I share willingly :)

        # create the INVALIDDROP chain only if it does not exist yet
        iptables -L INVALIDDROP -n &>/dev/null || \
        iptables -N INVALIDDROP
        # log the packet via ULOG with the "Invalid: " prefix, then drop it
        iptables -A INVALIDDROP -j ULOG --ulog-prefix "Invalid: "
        iptables -A INVALIDDROP -j DROP
        # send everything conntrack classifies as INVALID to that chain
        iptables -A INPUT -m state --state INVALID -j INVALIDDROP

These are the lines from my firewall script. As you say, it is only -m
state --state INVALID that is used.

From my iptables -L you can see it's right there at the top:

fire root # iptables -L INPUT -n
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  127.0.0.0/8          127.0.0.0/8
INVALIDDROP  all  --  0.0.0.0/0            0.0.0.0/0           state INVALID
..... <snip> .....

Best regards
Stian B. Barmen
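To answer the question raised above (do all the logged INVALID packets carry the CE flag?) from the log itself, here is a small parser for the netfilter LOG/ULOG line format shown in the thread. It is an added example, not code from the thread or from the netfilter project; the first sample line is the one quoted above joined back onto one line (the "xx" in DST is the original anonymisation), the second is a constructed line without CE for contrast.

```python
from collections import Counter

# Sample log text (constructed for this example): line 1 is the line quoted
# in the thread, line 2 is a made-up line without the CE flag.
SAMPLE_LOG = """\
Apr 28 22:07:47 fire Invalid:  IN=eth1 OUT= MAC=00:d0:b7:1d:cc:7d:00:90:69:f0:b0:20:08:00  SRC=156.56.247.195 DST=217.199.xx.18 LEN=1500 TOS=00 PREC=0x00 TTL=53 ID=53186 CE DF PROTO=TCP SPT=80 DPT=33553 SEQ=990104197 ACK=497088462 WINDOW=6432 ACK URGP=0
Apr 28 22:07:49 fire Invalid:  IN=eth1 OUT= MAC=00:d0:b7:1d:cc:7d:00:90:69:f0:b0:20:08:00  SRC=192.0.2.10 DST=217.199.xx.18 LEN=52 TOS=00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=443 DPT=40000 SEQ=1 ACK=2 WINDOW=1024 ACK URGP=0
"""

# Bare tokens the LOG target emits without a "=": IP-level flags and TCP flags.
FLAG_TOKENS = {"CE", "DF", "MF", "SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}


def parse_netfilter_line(line):
    """Parse one LOG/ULOG line into (fields, flags).

    fields: dict of KEY=VALUE pairs (a value may be empty, e.g. OUT=).
    flags:  set of bare tokens such as CE, DF or the TCP flag names.
    The syslog timestamp/host/prefix before IN= is skipped. Returns None
    for lines that are not netfilter log lines."""
    start = line.find("IN=")
    if start < 0:
        return None
    fields, flags = {}, set()
    for tok in line[start:].split():
        if "=" in tok:
            key, value = tok.split("=", 1)   # "ACK=123" is a field,
            fields[key] = value
        elif tok in FLAG_TOKENS:             # a bare "ACK" is a flag
            flags.add(tok)
    return fields, flags


def summarise(log_text):
    """Count logged packets, how many carry CE, and packets per 5-tuple flow."""
    flows, total, with_ce = Counter(), 0, 0
    for line in log_text.splitlines():
        parsed = parse_netfilter_line(line)
        if parsed is None:
            continue
        fields, flags = parsed
        total += 1
        with_ce += "CE" in flags
        flows[(fields.get("PROTO"), fields.get("SRC"), fields.get("SPT"),
               fields.get("DST"), fields.get("DPT"))] += 1
    return {"total": total, "with_ce": with_ce, "flows": flows}


if __name__ == "__main__":
    print(summarise(SAMPLE_LOG))
```

Feed it the real ULOG output and compare `with_ce` with `total`; if the two match while normal traffic on the same interface never logs CE, the correlation the reply points at is confirmed from data rather than from one line.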
