why TCP packet marked as INVALID?

Post by rhendr » Tue, 13 May 2008 03:52:05



It occasionally happens that iptables mistakes a packet's state as
INVALID.  I am not sure if it is a bug in the conntrack module or in my
program.  The computer is running CentOS 5, Linux v2.6.18, iptables
1.3.5.

Here is the output from tcpdump.   iptables thinks the first packet with the
PUSH flag is invalid and sends an ICMP error back,  how could it be?   I
saw in /proc/net/ip_conntrack that the connection has
been established.

05:02:41.990223 IP (tos 0x0, ttl  51, id 36907, offset 0, flags [DF],
proto 6, length: 52) 192.168.0.2.10293 > 192.168.0.1.http: S [tcp sum
ok] 74621992:74621992(0) win 5840 <mss 1460,nop,nop,sackOK,nop,wscale
0>
05:02:41.990237 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF],
proto 6, length: 52) 192.168.0.1.http > 192.168.0.2.10293: S [tcp sum
ok] 3715753311:3715753311(0) ack 74621993 win 5840 <mss
1460,nop,nop,sackOK,nop,wscale 2>
05:02:42.213568 IP (tos 0x0, ttl  51, id 36908, offset 0, flags [DF],
proto 6, length: 40) 192.168.0.2.10293 > 192.168.0.1.http: . [tcp sum
ok] 1:1(0) ack 1 win 5840

05:02:42.222226 IP (tos 0x0, ttl  51, id 36909, offset 0, flags [DF],
proto 6, length: 173) 192.168.0.2.10293 > 192.168.0.1.http: P
1:134(133) ack 1 win 5840
05:02:42.222238 IP (tos 0xc0, ttl 255, id 60554, offset 0, flags
[none], proto 1, length: 201) 192.168.0.1 > 192.168.0.2: icmp 181:
host 192.168.0.1 unreachable - admin prohibited for IP (tos 0x0, ttl
51, id 36909, offset 0, flags [DF], proto 6, length: 173) 192.168.0.2 >
192.168.0.1.http: P 1:134(133) ack 1 win 5840

It really confused me and I googled a lot with no luck.  Any comments
are greatly appreciated.

Hendry
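One check worth doing before blaming conntrack is to confirm from the capture itself that the rejected PSH segment is in sequence. The script below is an added example, not code from the post: it parses the tcpdump records quoted above (re-joined so that each record sits on one line, as tcpdump prints them) and walks the handshake per direction, using tcpdump's default convention of absolute sequence numbers on SYN segments and relative numbers afterwards. It is an ordering check only, not a replica of conntrack's full window tracking.

```python
"""Re-check the TCP sequence/ack numbers in a tcpdump capture.

Added example (not code from the post): parses the handshake quoted above,
re-joined so that each tcpdump record is one line, and verifies that the PSH
segment conntrack rejected is the next in-sequence segment with a valid ack.
tcpdump prints absolute numbers on SYN segments and relative numbers after
that (its default without -S); the checker follows that convention."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the poster's capture, one record per line.  The ICMP
# record is included to show that non-TCP records are skipped rather than
# mis-parsed (it embeds a copy of the rejected TCP header).
CAPTURE = """\
05:02:41.990223 IP (tos 0x0, ttl  51, id 36907, offset 0, flags [DF], proto 6, length: 52) 192.168.0.2.10293 > 192.168.0.1.http: S [tcp sum ok] 74621992:74621992(0) win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 0>
05:02:41.990237 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto 6, length: 52) 192.168.0.1.http > 192.168.0.2.10293: S [tcp sum ok] 3715753311:3715753311(0) ack 74621993 win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 2>
05:02:42.213568 IP (tos 0x0, ttl  51, id 36908, offset 0, flags [DF], proto 6, length: 40) 192.168.0.2.10293 > 192.168.0.1.http: . [tcp sum ok] 1:1(0) ack 1 win 5840
05:02:42.222226 IP (tos 0x0, ttl  51, id 36909, offset 0, flags [DF], proto 6, length: 173) 192.168.0.2.10293 > 192.168.0.1.http: P 1:134(133) ack 1 win 5840
05:02:42.222238 IP (tos 0xc0, ttl 255, id 60554, offset 0, flags [none], proto 1, length: 201) 192.168.0.1 > 192.168.0.2: icmp 181: host 192.168.0.1 unreachable - admin prohibited for IP (tos 0x0, ttl 51, id 36909, offset 0, flags [DF], proto 6, length: 173) 192.168.0.2 > 192.168.0.1.http: P 1:134(133) ack 1 win 5840
"""

# Outer record: timestamp, the IP header in parentheses (proto taken from the
# first parenthesised group only), then "src > dst: rest".
_REC = re.compile(
    r"^(?P<ts>\S+) IP \([^)]*proto (?P<proto>\d+),[^)]*\) "
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")
# TCP part: flags, optional checksum note, seq:end(len), optional ack, win.
_TCP = re.compile(
    r"^(?P<flags>[SFRP.]+) (?:\[tcp sum ok\] )?(?P<seq>\d+):\d+"
    r"\((?P<len>\d+)\)(?: ack (?P<ack>\d+))? win (?P<win>\d+)")


def parse_capture(text: str) -> List[Dict]:
    """Return one dict per TCP segment; ICMP and unparsable lines are skipped."""
    segs: List[Dict] = []
    for line in text.splitlines():
        m = _REC.match(line)
        if not m or m["proto"] != "6":
            continue
        t = _TCP.match(m["rest"])
        if not t:
            continue
        segs.append({
            "ts": m["ts"], "src": m["src"], "dst": m["dst"],
            "flags": t["flags"], "seq": int(t["seq"]), "len": int(t["len"]),
            "ack": int(t["ack"]) if t["ack"] else None, "win": int(t["win"]),
        })
    return segs


def check_sequence(segs: List[Dict]) -> List[Dict]:
    """Per direction, check that each segment starts where the previous one
    ended and acks nothing the peer has not yet sent."""
    isn: Dict[Tuple[str, str], int] = {}   # direction -> ISN from its SYN
    nxt: Dict[Tuple[str, str], int] = {}   # direction -> next relative seq
    results: List[Dict] = []
    for s in segs:
        fwd, rev = (s["src"], s["dst"]), (s["dst"], s["src"])
        syn = "S" in s["flags"]
        if syn:
            isn[fwd] = s["seq"]            # absolute on SYN segments
            rel_seq = 0
        else:
            rel_seq = s["seq"]             # already relative to the ISN
        seq_ok = fwd not in nxt or rel_seq == nxt[fwd]
        consumed = s["len"] + int(syn) + int("F" in s["flags"])
        nxt[fwd] = max(nxt.get(fwd, 0), rel_seq + consumed)
        rel_ack: Optional[int] = None
        ack_ok: Optional[bool] = None      # None = cannot be verified
        if s["ack"] is not None:
            if syn:  # the SYN-ACK carries an absolute ack; needs the peer's ISN
                rel_ack = s["ack"] - isn[rev] if rev in isn else None
            else:
                rel_ack = s["ack"]
            if rel_ack is not None and rev in nxt:
                ack_ok = rel_ack <= nxt[rev]
        results.append({"ts": s["ts"], "flags": s["flags"], "rel_seq": rel_seq,
                        "rel_ack": rel_ack, "seq_ok": seq_ok, "ack_ok": ack_ok})
    return results


if __name__ == "__main__":
    for r in check_sequence(parse_capture(CAPTURE)):
        print(r)
```

For this capture every segment passes: the PSH segment starts at relative sequence 1, exactly where the client's SYN left off, and acks only the server's SYN-ACK. Sequence numbers alone therefore do not explain the verdict, which is the point at which to turn to the kernel's own invalid-packet logging rather than the capture.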


1. why is this an invalid packet

I am logging the dropped invalid packets by my iptables script. I get
quite a bit in my log file (a few lines every hour):

Jan 25 15:24:29 red kernel: Invalid Outgoing IN= OUT=eth0
SRC=192.168.0.2 DST=194.109.137.218 LEN=52 TOS=0x00 PREC=0x00 TTL=64
ID=306 DF PROTO=TCP SPT=44797 DPT=80 WINDOW=25884 RES=0x00 ACK PSH FIN
URGP=0

How can I determine why this packet was determined to be invalid? The
rule to check invalid state comes after the rules allowing lo traffic
and allowing packets related to RealPlayer.

Thanks,
->HS

--
Please remove the underscores ( the '_' symbols) from my email address
to obtain the correct one. Apologies, but the fudging is to remove spam.
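The log line quoted in this post carries everything needed for a first triage, but the LOG target's format mixes KEY=VALUE fields with bare flag words (DF, ACK PSH FIN), so a naive key=value split loses the flags. The script below is an added example, not code from either post: it parses such lines into a structured record, derives the direction from IN=/OUT=, and attaches hints about why conntrack's INVALID match fires for a TCP segment. The hints are my reading of conntrack's TCP tracking, not kernel output; the first sample is the line quoted above and the second is an invented incoming line used only to show the other direction.

```python
"""Parse iptables LOG-target output and summarise a dropped TCP segment.

Added example, not code from the post.  Splits a kernel log line written by
'-j LOG --log-prefix' into the prefix, the KEY=VALUE fields and the bare
IP/TCP flag words, works out which hook saw the packet from IN=/OUT=, and
offers heuristic hints (my reading of conntrack's TCP tracking, not kernel
output) about why the INVALID match fired."""
import re
from typing import Any, Dict, List

# Constructed samples: the first is the line quoted in the post above; the
# second is an invented incoming line to show the other direction.
SAMPLE_OUT = ("Jan 25 15:24:29 red kernel: Invalid Outgoing IN= OUT=eth0 "
              "SRC=192.168.0.2 DST=194.109.137.218 LEN=52 TOS=0x00 PREC=0x00 "
              "TTL=64 ID=306 DF PROTO=TCP SPT=44797 DPT=80 WINDOW=25884 "
              "RES=0x00 ACK PSH FIN URGP=0")
SAMPLE_IN = ("Jan 25 15:30:02 red kernel: Invalid Incoming IN=eth0 OUT= "
             "SRC=10.0.0.5 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=55 "
             "ID=1 PROTO=TCP SPT=3456 DPT=22 WINDOW=1024 RES=0x00 ACK URGP=0")

# The LOG target prints IP flags (after ID=) and TCP flags (after RES=) as
# bare words, not KEY=VALUE pairs.
IP_FLAGS = {"DF", "MF", "CE"}
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}
NUMERIC = {"LEN", "TTL", "ID", "SPT", "DPT", "WINDOW", "URGP"}
_KEY = re.compile(r"\b[A-Z]+=")   # the first KEY= ends the --log-prefix text


def parse_iptables_log(line: str) -> Dict[str, Any]:
    """Return prefix, direction, fields and flag lists for one LOG line."""
    payload = line.split("kernel: ", 1)[-1]
    m = _KEY.search(payload)
    if not m:
        raise ValueError("no KEY=VALUE fields; not an iptables LOG line")
    rec: Dict[str, Any] = {"prefix": payload[:m.start()].strip(),
                           "fields": {}, "ip_flags": [], "tcp_flags": []}
    for tok in payload[m.start():].split():
        if "=" in tok:                     # KEY=VALUE; value may be empty (IN=)
            key, val = tok.split("=", 1)
            rec["fields"][key] = int(val) if key in NUMERIC and val else val
        elif tok in TCP_FLAGS:
            rec["tcp_flags"].append(tok)
        elif tok in IP_FLAGS:
            rec["ip_flags"].append(tok)
    # Empty IN= means the packet was generated locally (OUTPUT hook); empty
    # OUT= means it was addressed to this host (INPUT hook); both set = FORWARD.
    has_in = bool(rec["fields"].get("IN"))
    has_out = bool(rec["fields"].get("OUT"))
    rec["direction"] = ("forwarded" if has_in and has_out
                        else "outgoing (locally generated)" if has_out
                        else "incoming (to this host)")
    return rec


def explain_invalid(rec: Dict[str, Any]) -> List[str]:
    """Heuristic hints about why conntrack marked a TCP segment INVALID."""
    if rec["fields"].get("PROTO") != "TCP":
        return ["not TCP: only the TCP hints are implemented here"]
    flags = set(rec["tcp_flags"])
    hints: List[str] = []
    if "SYN" not in flags and flags & {"FIN", "RST"}:
        hints.append("FIN/RST without SYN: if conntrack had no entry for this "
                     "flow (expired, or already torn down by a RST), a FIN or "
                     "RST cannot open one and is marked INVALID")
    elif "SYN" not in flags and "ACK" in flags:
        hints.append("ACK without SYN: a flow conntrack lost is normally picked "
                     "up as NEW (tcp_loose), so INVALID usually means an entry "
                     "exists and the seq/ack numbers fell outside its window")
    hints.append("window tracking: ip_conntrack_tcp_be_liberal=1 "
                 "(nf_conntrack_tcp_be_liberal on newer kernels) marks only "
                 "out-of-window RSTs INVALID; toggle it to test this cause")
    return hints


if __name__ == "__main__":
    for line in (SAMPLE_OUT, SAMPLE_IN):
        rec = parse_iptables_log(line)
        print(rec["prefix"], rec["direction"], rec["tcp_flags"])
        for h in explain_invalid(rec):
            print("  -", h)
```

The hints narrow the field; the kernel can tell you the actual reason. On the 2.6.18 kernel in the first post the switch is /proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid (nf_conntrack_log_invalid under net.netfilter on later kernels): writing 6 (the TCP protocol number) to it makes conntrack log why each TCP packet was considered invalid, for example an out-of-window sequence number or a state transition the tracker does not allow.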
