On Mon, 9 Jun 2008, Thomas Bätzler wrote:

> Patrick McHardy wrote:
>
> > Thomas Bätzler wrote:
> > > iptables -t nat -A PREROUTING -m state --state INVALID \
> > >   -j LOG
> > > iptables -t nat -A PREROUTING -m state --state INVALID \
> > >   -j DROP
> >
> > These rules need to go in mangle, the nat table is only
> > traversed for the first packet of a connection.
>
> I've changed my ruleset as you suggested, and now I'm seeing
> packets being filtered. I'll wait and see how that's affecting
> stability and throughput of the connection.
>
> In any case I'm wondering why netfilter doesn't consider these
> packets to be part of a connection. Is there a known problem
> with netfilter and TCP SACK?

In these cases usually there is a device sitting between the firewall
running netfilter and the server/client machine, which randomizes the TCP
sequence numbers but fails to propagate the changes to the SACK fields.
Thus the SACK values are totally bogus and therefore netfilter marks them
as INVALID.

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
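A constructed model of the failure Jozsef describes, added here as an illustration and not code from the thread or from netfilter: a middlebox that randomizes the server's ISN must subtract its offset from the ACK and from every SACK edge on the way back to the server, and a device that only fixes the ACK leaves SACK blocks outside the receive window, which a simplified conntrack-style check rejects. The offset DELTA, the Segment model and the check itself are assumptions of this example; netfilter's real TCP window tracking is more elaborate.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

SEQ_MOD = 1 << 32      # TCP sequence numbers wrap at 2^32
DELTA = 0x12345678     # constructed: offset the middlebox adds to the server's ISN


def seq_lt(a: int, b: int) -> bool:
    """True if a comes before b in 32-bit wrap-around sequence space."""
    return 0 < (b - a) % SEQ_MOD < (1 << 31)


@dataclass
class Segment:
    """A client->server ACK as the firewall sees it. The ACK and every SACK
    edge all refer to the server's sequence space."""
    ack: int
    window: int
    sacks: List[Tuple[int, int]] = field(default_factory=list)


def sack_blocks_valid(seg: Segment) -> bool:
    """Simplified conntrack-style sanity check: each SACK block must lie
    strictly above the cumulative ACK and inside the advertised window."""
    upper = (seg.ack + seg.window) % SEQ_MOD
    for left, right in seg.sacks:
        if not seq_lt(left, right):      # empty or reversed block
            return False
        if not seq_lt(seg.ack, left):    # block covers data already ACKed
            return False
        if seq_lt(upper, right):         # block reaches beyond the window
            return False
    return True


def middlebox_to_server(seg: Segment, delta: int, fix_sack: bool) -> Segment:
    """The randomizing device added `delta` to the server's sequence numbers
    on the way to the client, so on the way back it must subtract `delta`
    from the ACK *and* from each SACK edge. fix_sack=False models the device
    from the thread, which rewrites only the ACK."""
    ack = (seg.ack - delta) % SEQ_MOD
    sacks = ([((l - delta) % SEQ_MOD, (r - delta) % SEQ_MOD) for l, r in seg.sacks]
             if fix_sack else list(seg.sacks))
    return Segment(ack=ack, window=seg.window, sacks=sacks)


def demo() -> Tuple[bool, bool]:
    """Constructed segment as the client emits it (randomized space): the client
    holds everything up to 5000+DELTA plus the out-of-order range 6000..7000 (+DELTA)."""
    from_client = Segment(ack=5000 + DELTA, window=65535,
                          sacks=[(6000 + DELTA, 7000 + DELTA)])
    good = middlebox_to_server(from_client, DELTA, fix_sack=True)
    bad = middlebox_to_server(from_client, DELTA, fix_sack=False)
    return sack_blocks_valid(good), sack_blocks_valid(bad)   # (True, False)


if __name__ == "__main__":
    print(demo())
```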