INVALID packets in OUTPUT chain

Marcin Owsiany · External Since: Jan 26, 2005 Posts: 145

I have a lightly loaded web server, with an empty (policy ALLOW) INPUT
chain, and a few rules in the OUTPUT chain (so if any of the PHP apps
are attacked, they won't be able to download any nasty stuff).

Every now and then a rule created using the following command:

iptables -A OUTPUT -m state --state INVALID -j LOG --log-prefix INVALID --log-tcp-sequence --log-tcp-options --log-ip-options --log-uid

Logs a line such as this:

IN= OUT=eth0 SRC=SERVER DST=CLIENT LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=3935 SEQ=2659281614 ACK=0 WINDOW=0 RES=0x00 RST URGP=0

Looking in the apache's access logs, I can see that in most cases, there
is a (usually successful) request from the logged CLIENT address to the
webserver, almost exactly two minutes before the line is logged.

Can someone explain to me why conntrack thinks it packet is in INVALID
state, if it's generated by the host's TCP stack?

--
Marcin Owsiany <porridge.DeleteThis@debian.org> http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216 FE67 DA2D 0ACA FC5E 3F75 D6F6 3A0D 8AA0 60F4 1216

--
To UNSUBSCRIBE, email to debian-isp-REQUEST.DeleteThis@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster.DeleteThis@lists.debian.org

Marcin Owsiany · External Since: Jan 26, 2005 Posts: 145

On Wed, Aug 08, 2007 at 08:15:22PM +0200, Wojciech Ziniewicz wrote:
> So I would look on broken winxp clients.
> U should test it from linux or vista machine.

I am really not bothered about INVALID packets coming in from the
outside. What I am wondering about is why the kernel itself generates
INVALID packets?

--
Marcin Owsiany <porridge.DeleteThis@debian.org> http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216 FE67 DA2D 0ACA FC5E 3F75 D6F6 3A0D 8AA0 60F4 1216

--
To UNSUBSCRIBE, email to debian-isp-REQUEST.DeleteThis@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster.DeleteThis@lists.debian.org

Marcin Owsiany · External Since: Jan 26, 2005 Posts: 145

On Wed, Aug 08, 2007 at 08:18:00PM +0100, Marcin Owsiany wrote:
> On Wed, Aug 08, 2007 at 08:15:22PM +0200, Wojciech Ziniewicz wrote:
> > So I would look on broken winxp clients.
> > U should test it from linux or vista machine.
>
> I am really not bothered about INVALID packets coming in from the
> outside. What I am wondering about is why the kernel itself generates
> INVALID packets?

Just to let you know, I added some logging to the INPUT chain as well,
and it seems that indeed some INVALID packets on input can cause INVALID
or even NEW packets on output. I guess it's just an incarnation of the
old garbage-in--garbage-out rule..

--
Marcin Owsiany <porridge RemoveThis @debian.org> http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216 FE67 DA2D 0ACA FC5E 3F75 D6F6 3A0D 8AA0 60F4 1216

--
To UNSUBSCRIBE, email to debian-isp-REQUEST RemoveThis @lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster RemoveThis @lists.debian.org