Hello, Justin Schoeman wrote:
(This is logged by a -m state --state INVALID rule in the mangle table.) The packet is then not natted, but drops into the INPUT chain for the firewall itself, where it is dropped.
Yes, packets marked in the INVALID state by the connection tracking are not handled by NAT.
Any idea why this packet may be dropped, or are there other possible reasons why the connection may be stalling?
If the reason is incorrect sequence numbers with a kernel >= 2.6.9 or one including the tcp-window-tracking patch, you can try to enable (value > 0) the parameter /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal (net.ipv4.netfilter.ip_conntrack_tcp_be_liberal in sysctl):
ip_conntrack_tcp_be_liberal: when enabled, only out-of-window reset (RST) segments are marked as INVALID; when disabled (default), all out-of-window packets are marked as INVALID.
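As an added example (not part of the thread, and not code from the netfilter project), the following POSIX sh functions put the advice above into a small check: they test whether the running kernel is at or above 2.6.9, report the current state of ip_conntrack_tcp_be_liberal, and enable it. The proc path is taken as an optional argument (defaulting to the real one) so the functions can be tried against a scratch file without root; the function names and the version-parsing helper are my own. Keep in mind that enabling be_liberal means out-of-window data segments are no longer flagged INVALID, so the state match on your INPUT/FORWARD rules becomes correspondingly looser; it is a fix for a window-tracking mismatch, not something to turn on by default.

```shell
#!/bin/sh
# Added example: inspect and enable ip_conntrack_tcp_be_liberal.
# Functions take an optional path so they can be exercised on a temp file.

BE_LIBERAL_PROC=/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal

# kernel_at_least MAJ MIN PAT [VERSION]
# Succeeds when VERSION (default: uname -r) is >= MAJ.MIN.PAT.
# Handles "2.6.10-gentoo", "3.0" and "2.6.8.1" style strings.
kernel_at_least() {
    want_maj=$1; want_min=$2; want_pat=$3
    ver=${4:-$(uname -r)}
    ver=${ver%%-*}                     # drop "-generic" style suffixes
    maj=${ver%%.*}; rest=${ver#"$maj"}; rest=${rest#.}
    min=${rest%%.*}; rest=${rest#"$min"}; rest=${rest#.}
    pat=${rest%%.*}
    pat=${pat%%[!0-9]*}                # "9rc1" -> "9", "0+" -> "0"
    maj=${maj:-0}; min=${min:-0}; pat=${pat:-0}
    have=$(( maj * 1000000 + min * 1000 + pat ))
    want=$(( want_maj * 1000000 + want_min * 1000 + want_pat ))
    [ "$have" -ge "$want" ]
}

# be_liberal_state [PATH]: prints "enabled", "disabled" or "missing".
# "missing" means the file is absent, e.g. no conntrack module loaded or
# a kernel without tcp-window-tracking.
be_liberal_state() {
    f=${1:-$BE_LIBERAL_PROC}
    if [ ! -r "$f" ]; then
        echo missing
        return 0
    fi
    if [ "$(cat "$f")" -gt 0 ] 2>/dev/null; then
        echo enabled
    else
        echo disabled
    fi
}

# enable_be_liberal [PATH]: writes 1 to the parameter (root on a real box).
enable_be_liberal() {
    f=${1:-$BE_LIBERAL_PROC}
    if [ ! -w "$f" ]; then
        echo "cannot write $f" >&2
        return 1
    fi
    echo 1 > "$f"
}

# be_liberal_report: one-line summary an admin can run before changing anything.
be_liberal_report() {
    if kernel_at_least 2 6 9; then
        echo "kernel $(uname -r): window tracking present, be_liberal is $(be_liberal_state)"
    else
        echo "kernel $(uname -r): older than 2.6.9, be_liberal only matters with the tcp-window-tracking patch"
    fi
}
```

Run `be_liberal_report` first; if it says "disabled" and the INVALID log entries coincide with the stalled connection, `enable_be_liberal` (or `sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_be_liberal=1`) is the change the reply suggests, and the effect can be confirmed by watching whether the INVALID log lines stop.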