On 07.07.19 at 22:32, Will Storey wrote:
> Hello,
>
> I've been experiencing sporadic timeouts when connecting to daemons on
> 127.0.0.1. I narrowed the cause down to an iptables INPUT rule that blocks
> INVALID state packets:
>
> 603K 24M DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
>
> I can work around this by allowing everything on lo before this rule, but
> I'm wondering if this is expected or not.
>
> Here's more about the situation:
>
> All involved systems are running Ubuntu Bionic with kernel
> 4.15.0-52-generic

"state INVALID" seems to be completely broken for at least many months

when I remove the exception for "lo", VNC over ssh forwarding is fucked up within a few minutes and just freezes; in my case it's configured in "-t mangle"

2 5798 418K DROP all -- !lo * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID