Hi,

I am encountering a problem with iptables 1.3.3 on Mandriva 2006, kernel 2.6.12. Some packets are randomly detected as "INVALID" (and then dropped) although the ip_conntrack state is ESTABLISHED. Those packets are legitimate traffic, not attacks. I get this in my iptables logs (the logs are trimmed, but I get lots of lines like these!):
------------------------------------------------------------------
Nov 17 16:22:28 kernel: INVALID state -- DENY IN=ppp0 OUT= MAC= SRC= DST= LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=7076 DF PROTO=TCP SPT=80 DPT=3152 WINDOW=7749 RES=0x00 ACK FIN URGP=0
Nov 17 16:22:44 kernel: INVALID state -- DENY IN=ppp0 OUT= MAC= SRC= DST= LEN=40 TOS=0x00 PREC=0x00 TTL=119 ID=40597 DF PROTO=TCP SPT=80 DPT=1806 WINDOW=0 RES=0x00 ACK RST URGP=0
Nov 17 16:22:56 kernel: INVALID state -- DENY IN=ppp0 OUT= MAC= SRC= DST= LEN=40 TOS=0x00 PREC=0x00 TTL=117 ID=39676 DF PROTO=TCP SPT=80 DPT=3120 WINDOW=0 RES=0x00 ACK RST URGP=0
Nov 17 16:23:21 kernel: INVALID state -- DENY IN=eth1 OUT=ppp0 SRC= DST= LEN=95 TOS=0x00 PREC=0x00 TTL=63 ID=59142 DF PROTO=TCP SPT=25 DPT=36695 WINDOW=46 RES=0x00 ACK PSH FIN URGP=0
------------------------------------------------------------------
The first 3 lines are connections from my LAN machines to public web servers. The last line is linked to a connection from a remote SMTP server to the local mail proxy running postfix.
My iptables script is generated by fwbuilder and includes, as one of the first rules:
------------------------------------------------------------------
# drop packets that do not match any valid state
#
$IPTABLES -N drop_invalid
$IPTABLES -A OUTPUT -m state --state INVALID -j drop_invalid
$IPTABLES -A INPUT -m state --state INVALID -j drop_invalid
$IPTABLES -A FORWARD -m state --state INVALID -j drop_invalid
$IPTABLES -A drop_invalid -j LOG --log-level debug --log-prefix "INVALID state -- DENY "
$IPTABLES -A drop_invalid -j DROP
------------------------------------------------------------------
Does somebody have advice on how to solve that? I tried to play with the ip_conntrack options in /proc/sys/net without success.

Thanks
Fred
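A triage aid for the log lines quoted in the post above, added here as an example; it is not code from the post, from fwbuilder or from netfilter. Before touching conntrack sysctls it helps to know what the INVALID drops actually are: every line in the excerpt carries ACK together with FIN or RST, i.e. they are connection-teardown packets, not SYNs or mid-stream data. The parser below reads the iptables LOG format (key=value fields, bare TCP flag words), tolerates the blank SRC=/DST= values exactly as they appear in the post, and aggregates the drops by interface path, TCP flag class and zero-window teardown. The four sample lines are constructed for this example, modelled on the post's excerpt.

```python
"""Summarise iptables LOG lines produced by a rule like the post's drop_invalid chain."""
from collections import Counter

# TCP flag words that the LOG target emits as bare tokens after RES=0x.. .
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}

# Constructed sample input, modelled on the post's excerpt (SRC= and DST= left blank as there).
SAMPLE_LOG = """\
Nov 17 16:22:28 kernel: INVALID state -- DENY IN=ppp0 OUT= MAC= SRC= DST= LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=7076 DF PROTO=TCP SPT=80 DPT=3152 WINDOW=7749 RES=0x00 ACK FIN URGP=0
Nov 17 16:22:44 kernel: INVALID state -- DENY IN=ppp0 OUT= MAC= SRC= DST= LEN=40 TOS=0x00 PREC=0x00 TTL=119 ID=40597 DF PROTO=TCP SPT=80 DPT=1806 WINDOW=0 RES=0x00 ACK RST URGP=0
Nov 17 16:22:56 kernel: INVALID state -- DENY IN=ppp0 OUT= MAC= SRC= DST= LEN=40 TOS=0x00 PREC=0x00 TTL=117 ID=39676 DF PROTO=TCP SPT=80 DPT=3120 WINDOW=0 RES=0x00 ACK RST URGP=0
Nov 17 16:23:21 kernel: INVALID state -- DENY IN=eth1 OUT=ppp0 SRC= DST= LEN=95 TOS=0x00 PREC=0x00 TTL=63 ID=59142 DF PROTO=TCP SPT=25 DPT=36695 WINDOW=46 RES=0x00 ACK PSH FIN URGP=0
"""


def parse_log_line(line):
    """Return {ts, prefix, fields, flags, opts} for one LOG line, or None if it is not one."""
    head, sep, rest = line.rstrip("\n").partition(" IN=")
    if not sep:
        return None                      # not an iptables LOG line
    ts, _, prefix = head.partition(" kernel: ")
    fields, flags, opts = {}, set(), []
    for tok in ("IN=" + rest).split():
        if "=" in tok:
            key, value = tok.split("=", 1)   # value may be empty, e.g. "OUT=" or "SRC="
            fields[key] = value
        elif tok in TCP_FLAGS:
            flags.add(tok)
        else:
            opts.append(tok)                 # e.g. "DF" (don't fragment)
    return {"ts": ts, "prefix": prefix.strip(), "fields": fields, "flags": flags, "opts": opts}


def classify(rec):
    """Coarse class of a dropped TCP segment: teardown (rst/fin), handshake (syn) or mid-stream."""
    flags = rec["flags"]
    if "RST" in flags:
        return "rst"
    if "FIN" in flags:
        return "fin"
    if "SYN" in flags:
        return "syn"
    return "mid-stream"


def path_of(rec):
    """'IN->OUT' with an empty OUT rendered as (local), so INPUT and FORWARD drops separate."""
    f = rec["fields"]
    return "%s->%s" % (f.get("IN") or "(none)", f.get("OUT") or "(local)")


def summarize(log_text):
    """Aggregate every parseable LOG line in log_text."""
    by_class, by_path, by_sport = Counter(), Counter(), Counter()
    zero_window = 0
    records = 0
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None or rec["fields"].get("PROTO") != "TCP":
            continue
        records += 1
        by_class[classify(rec)] += 1
        by_path[path_of(rec)] += 1
        by_sport[rec["fields"].get("SPT", "?")] += 1
        if rec["fields"].get("WINDOW") == "0" and "RST" in rec["flags"]:
            zero_window += 1             # RST with a zero window: the peer had already torn down
    return {"records": records, "by_class": by_class, "by_path": by_path,
            "by_sport": by_sport, "zero_window_rst": zero_window}


def report(log_text):
    """Human-readable summary; teardown-only drops point at conntrack state timing, not attacks."""
    s = summarize(log_text)
    lines = ["%d INVALID TCP drops" % s["records"]]
    lines += ["  class %-10s %d" % (k, v) for k, v in sorted(s["by_class"].items())]
    lines += ["  path  %-12s %d" % (k, v) for k, v in sorted(s["by_path"].items())]
    lines += ["  sport %-6s %d" % (k, v) for k, v in sorted(s["by_sport"].items())]
    lines.append("  RST with WINDOW=0: %d" % s["zero_window_rst"])
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it against `grep 'INVALID state' /var/log/messages` instead of the sample; a summary dominated by the fin and rst classes on known service ports, as here, is the signature of late teardown segments, whereas syn or mid-stream entries from unexpected sources deserve a closer look before any conntrack setting is relaxed.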