Re: Iptables find invalid packets

On Monday 21 of July 2008, Dimitri GOURDON wrote:
> Vladislav Kurz a écrit :
> > On Monday 21 of July 2008, you wrote:
> >> Vladislav Kurz a écrit :
> >>> On Monday 21 of July 2008, Dimitri GOURDON wrote:
> >>>> Hi all,
> >>>>
> >>>> I've setup LVS on a box using Keepalived (and Iptables) to load
> >>>> balance traffic between 2 web servers. I have a problem :
> >>>>
> >>>> A lot of TCP packets with FIN or RST flags (all I think) from clients
> >>>> are dropped by Iptables as state INVALID. The consequence is that I
> >>>> have a lot of connections in FIN_WAIT state (shown by netstat) on the 2
> >>>> web servers...
> >>>
> >>> I have a similar problem, and asked about it here. I was told to try a
> >>> newer kernel (I run debian stable - 2.6.18). However I didn't upgrade
> >>> yet, but if you run the same kernel as I do and an upgrade helps you
> >>> I'd like to hear about that.
> >>
> >> I run 2.6.18-4-bigmem kernel. I've passed just a little to test a more
> >> recent but I stop because I've encountered problem with some iptables
> >> rules...
> >
> > A temporary workaround is to only LOG invalid packets instead of DROP. The
> > system then becomes quite usable. Anyway try a newer kernel if you can.
> > Or describe in more detail what problems you had with which rules.
>
> Here are my rules :
>
> $IPTABLES is iptables bin file
> $EXT is external interface
> $IP_V1 is the virtual IP clients reach
>
>
> $IPTABLES -N LOG_INVALID
> $IPTABLES -A LOG_INVALID -j LOG --log-prefix '[iptables_invalid] : '
> $IPTABLES -A LOG_INVALID -j DROP
>
> $IPTABLES -A INPUT -i $EXT -p TCP --dport 443 -d $IP_V1 -m state \
>     --state NEW,ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A INPUT -i $EXT -p TCP --dport 443 -d $IP_V1 -m state \
>     --state INVALID -j LOG_INVALID
>
> I don't want to accept invalid packets because they are supposed to be
> invalid... All (I think) FIN and RST flagged packets from clients are
> dropped.

I was told that 2.6.18 has some bug in conntrack which causes valid packets to 
be marked as invalid. So you probably want to accept some of those invalid 
packets. Anyway, try this setting; it may lower the number of invalid packets:

echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal

However in my case even after this I see a lot of invalid packets.


-- 
Regards
        Vladislav Kurz
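Before deciding whether to accept the packets that conntrack marks INVALID, it helps to know what they actually are. The following Python script is an added example, not something posted in this thread: it parses kernel log lines produced by a LOG_INVALID chain like Dimitri's (prefix `[iptables_invalid] : `), counts the logged TCP packets by flag combination and by source, and reports what share of them are FIN/RST teardown segments, which is the symptom described above. The log lines and addresses are constructed samples in documentation IP ranges; the LOG target's field layout (`IN= OUT= SRC= DST= ... PROTO=TCP SPT= DPT= ... RES=0x00 ACK FIN URGP=0`) is the standard format the iptables LOG target writes.

```python
import re
from collections import Counter

# Constructed sample of what /var/log/kern.log looks like with the thread's
# LOG_INVALID chain in place. Addresses are from RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Jul 21 10:00:01 lvs kernel: [iptables_invalid] : IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=0 RES=0x00 RST URGP=0
Jul 21 10:00:02 lvs kernel: [iptables_invalid] : IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.6 DST=192.0.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=120 ID=3341 DF PROTO=TCP SPT=40001 DPT=443 WINDOW=65535 RES=0x00 ACK FIN URGP=0
Jul 21 10:00:03 lvs kernel: [iptables_invalid] : IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=1 DF PROTO=TCP SPT=33000 DPT=443 WINDOW=5840 RES=0x00 ACK URGP=0
Jul 21 10:00:04 lvs kernel: [iptables_invalid] : IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.6 DST=192.0.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=120 ID=3342 DF PROTO=TCP SPT=40001 DPT=443 WINDOW=65535 RES=0x00 ACK FIN URGP=0
Jul 21 10:00:05 lvs kernel: eth0: link is up
"""

LOG_PREFIX = "[iptables_invalid] :"          # the --log-prefix used in the thread
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
KV_RE = re.compile(r"(\w+)=(\S*)")          # key=value tokens written by the LOG target


def parse_line(line):
    """Return the LOG-target fields of one kernel log line, or None if the
    line was not emitted by the LOG_INVALID chain."""
    idx = line.find(LOG_PREFIX)
    if idx < 0:
        return None
    body = line[idx + len(LOG_PREFIX):]
    fields = dict(KV_RE.findall(body))
    # TCP flags are logged as bare words (no '=') between RES= and URGP=;
    # other bare tokens such as DF are ignored.
    flags = {tok for tok in body.split() if "=" not in tok and tok in TCP_FLAGS}
    fields["FLAGS"] = frozenset(flags)
    return fields


def summarise(text):
    """Count logged INVALID TCP packets by flag combination and by source."""
    by_flags, by_src, total = Counter(), Counter(), 0
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec.get("PROTO") != "TCP":
            continue
        total += 1
        by_flags["+".join(sorted(rec["FLAGS"])) or "none"] += 1
        by_src[rec.get("SRC", "?")] += 1
    return {"total": total, "by_flags": by_flags, "by_src": by_src}


def teardown_share(summary):
    """Fraction of logged packets that carry FIN or RST, i.e. connection
    teardown segments rather than anything that looks like an attack."""
    teardown = sum(n for combo, n in summary["by_flags"].items()
                   if {"FIN", "RST"} & set(combo.split("+")))
    return teardown / summary["total"] if summary["total"] else 0.0


if __name__ == "__main__":
    # Real use: summarise(open("/var/log/kern.log").read())
    s = summarise(SAMPLE_LOG)
    print("logged INVALID TCP packets:", s["total"])
    for combo, n in s["by_flags"].most_common():
        print(f"  {combo:10s} {n}")
    print("top sources:", s["by_src"].most_common(3))
    print(f"FIN/RST share: {teardown_share(s):.0%}")
```

A high FIN/RST share with ordinary client source ports, as in the sample, supports the thread's diagnosis that conntrack is mis-classifying normal teardowns rather than that the box is being probed; a summary dominated by bare ACK or SYN segments from a few sources would argue for keeping the DROP. Run it again after setting `ip_conntrack_tcp_be_liberal` to see whether the count actually falls.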