On Thursday, March 26, 2015 04:41:21 AM Spenst, Aleksej wrote:
> Hi All,
>
> I'm sending TCP SYN packets to the server. The problem is that the SYN-ACK
> packets coming from the server in response are sometimes dropped by my
> firewall (iptables) as INVALID. I can't figure out why the firewall sees
> these packets as invalid. They seem to be Ok. What parameters are taken into
> account by the firewall when making a decision about invalidity of a
> packet?
>
> Example from tcpdump:
>
> 19:29:22.045106 <my IP> <Server IP> TCP 60710→8080 [SYN] Seq=2646194936 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=1356920 TSecr=0 WS=16
> 19:29:22.817859 <Server IP> <my IP> TCP 8080→60710 [SYN, ACK] Seq=3920856233 Ack=2646194937 Win=65535 Len=0 MSS=1200 SACK_PERM=1
>
> The ACK sequence number (Ack=2646194937) is OK, but I see in my iptables
> logs that this SYN-ACK packet is marked as INVALID and dropped. When the
> SYN-ACK packet comes the TCP session is in the state SYN_SENT -> So, the
> states are also OK. Why is this packet invalid then?

Does the ACK tell the peer the sequence # of the *next* packet the host
expects to receive? Or does it acknowledge the *last* packet it received?
If the latter, then the SYN-ACK as sent is invalid, as it acknowledges a
packet that hasn't been sent yet.
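The check the reply is asking about, as an added example that is not part of the thread: the ACK number is the next sequence number the sender expects to receive, so a valid SYN-ACK must carry Ack == Seq(SYN) + 1, which the quoted numbers satisfy. The parser for the quoted summary-line layout, the `Segment` record and the embedded sample capture are constructed here, not any netfilter or tcpdump code.

```python
import re
from collections import namedtuple

# Constructed sample input: the two summary lines quoted in the thread, placeholders kept.
CAPTURE = """\
19:29:22.045106 <my IP> <Server IP> TCP 60710→8080 [SYN] Seq=2646194936 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=1356920 TSecr=0 WS=16
19:29:22.817859 <Server IP> <my IP> TCP 8080→60710 [SYN, ACK] Seq=3920856233 Ack=2646194937 Win=65535 Len=0 MSS=1200 SACK_PERM=1
"""

# Layout: "<time> <src> <dst> TCP <sport>→<dport> [FLAGS] key=value ..."; hosts may be <placeholders>.
LINE_RE = re.compile(
    r"^\S+\s+(?P<src><[^>]+>|\S+)\s+(?P<dst><[^>]+>|\S+)\s+TCP\s+"
    r"(?P<sport>\d+)→(?P<dport>\d+)\s+\[(?P<flags>[^\]]+)\]\s*(?P<rest>.*)$"
)

# ack is None when the segment does not carry the ACK flag.
Segment = namedtuple("Segment", "src dst sport dport flags seq ack win")

def parse_line(line: str) -> Segment:
    """Parse one summary line; raises ValueError if the layout is not recognised."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised summary line: " + line)
    kv = dict(tok.split("=", 1) for tok in m["rest"].split() if "=" in tok)
    return Segment(m["src"], m["dst"], int(m["sport"]), int(m["dport"]),
                   frozenset(f.strip() for f in m["flags"].split(",")), int(kv["Seq"]),
                   int(kv["Ack"]) if "Ack" in kv else None, int(kv["Win"]))

def check_handshake(syn: Segment, synack: Segment) -> list:
    """Return the reasons the SYN-ACK does not answer the SYN (empty list if it does)."""
    problems = []
    if syn.flags != {"SYN"}:
        problems.append("first segment is not a bare SYN")
    if synack.flags != {"SYN", "ACK"} or synack.ack is None:
        problems.append("second segment is not a SYN-ACK")
    if (synack.src, synack.sport, synack.dst, synack.dport) != (syn.dst, syn.dport, syn.src, syn.sport):
        problems.append("addresses/ports are not the reverse of the SYN's")
    # The ACK number is the NEXT sequence number the sender expects to receive. A SYN
    # occupies one sequence number, so the reply must carry Ack == Seq(SYN) + 1 mod 2**32.
    expected = (syn.seq + 1) % 2**32
    if synack.ack is not None and synack.ack != expected:
        problems.append(f"Ack={synack.ack} but Seq(SYN)+1 is {expected}")
    return problems

def check_capture(text: str) -> list:
    """Parse the first two lines of a capture as SYN / SYN-ACK and report problems."""
    syn, synack = [parse_line(l) for l in text.strip().splitlines()[:2]]
    return check_handshake(syn, synack)
```

Passing this check only rules out the acknowledgement number as the cause; it does not by itself explain a conntrack INVALID verdict.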