Hello,

I've got a specific device (an industrial computer) whose TCP connections are always blocked by netfilter when it tries to connect to my server. To be exact, the SYN packet is forwarded to my local process, but the SYN-ACK answer is always tagged as invalid by the conntrack module. I noticed this behaviour in the following line in kern.log:

Jan 14 11:26:15 myhostname kernel: [260283.271861] nf_ct_proto_6: invalid packet ignored in state SYN_RECV IN= OUT= SRC=10.1.1.4 DST=10.1.1.3 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=21 DPT=64004 SEQ=1624381780 ACK=2190670817 WINDOW=64240 RES=0x00 ACK SYN URGP=0 OPT (020405B40101040201030307)

The corresponding pcap file can be found here: https://filebin.net/yazmmekhrdiu4dh8/capture_not_work_ano.pcap

Also, I do not understand how this connection could be in the SYN_RECV conntrack state. This state means that a SYN-ACK packet has already been received, and I'm sure that no such packet has already been submitted. I also checked with conntrack -L that there are no phantom states before trying to establish a connection with the client.

It happens for a specific client, on each of its connections; otherwise the traffic is working very well on the machine for all the other clients.

I tried different Linux distributions (kernel version 5.13.0-20-generic or 5.4.0-96-generic), and my packet is always tagged as invalid.

Am I missing something? Does anybody have an idea to help me understand (and fix) this case?

Jérôme
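
Added example, not part of the original post: a small Python decoder for the logged line, which splits the key=value fields and the bare TCP flags and walks the hex bytes after OPT as a TCP option list. The function names are illustrative, and the log line is copied from the post with the syslog prefix trimmed.

```python
import re

# Log line copied from the post (syslog timestamp and host prefix trimmed).
LOG_LINE = (
    "nf_ct_proto_6: invalid packet ignored in state SYN_RECV IN= OUT= "
    "SRC=10.1.1.4 DST=10.1.1.3 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF "
    "PROTO=TCP SPT=21 DPT=64004 SEQ=1624381780 ACK=2190670817 "
    "WINDOW=64240 RES=0x00 ACK SYN URGP=0 OPT (020405B40101040201030307)"
)
TCP_FLAGS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}
# Option kinds with a fixed total length: kind -> (name, length in bytes)
FIXED = {2: ("MSS", 4), 3: ("WSCALE", 3), 4: ("SACK_PERMITTED", 2)}


def parse_log_line(line):
    """Return (key=value fields, bare TCP flag tokens, raw option bytes)."""
    fields = dict(re.findall(r"\b([A-Z]+)=(\S*)", line))
    flags = [tok for tok in line.split() if tok in TCP_FLAGS]
    match = re.search(r"OPT \(([0-9A-Fa-f]*)\)", line)
    raw = bytes.fromhex(match.group(1)) if match else b""
    return fields, flags, raw


def decode_tcp_options(raw):
    """Walk the kind/length/value option list; stop at EOL or a bad length."""
    out, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                      # End of option list
            out.append(("EOL", None))
            break
        if kind == 1:                      # NOP is a single padding byte
            out.append(("NOP", None))
            i += 1
            continue
        length = raw[i + 1] if i + 1 < len(raw) else 0
        name, expected = FIXED.get(kind, (f"KIND_{kind}", length))
        if length < 2 or i + length > len(raw) or length != expected:
            out.append(("MALFORMED", raw[i:].hex()))
            break
        value = raw[i + 2:i + length]
        out.append((name, int.from_bytes(value, "big") if value else None))
        i += length
    return out


if __name__ == "__main__":
    fields, flags, raw = parse_log_line(LOG_LINE)
    print(fields["SRC"], fields["SPT"], "->", fields["DST"], fields["DPT"], flags)
    for name, value in decode_tcp_options(raw):
        print(f"  {name}: {value}")
```
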