On Sun, May 18, 2008 09:11, Rt Ibmer wrote:
Hi all - I’m using the latest version of nginx 6 and recently put iptables
I am seeing a significant number of matches for the following iptables
iptables -A INPUT -m state --state INVALID -j LOG --log-prefix
iptables -A INPUT -m state --state INVALID -j DROP
You didn’t show us what was important: the log that was produced.
If the rejected packet was an ACK/FIN, then it is harmless.
On busy servers conntrack removes the connection from its table as soon as
it gets the FIN packet. When the ACK/FIN then comes, the connection is
known and this is not a SYN. It logs it as invalid.
This could also have been a scan (nmap can trigger invalid packets too).
What kernel version are you running?
I remember that there were some issues around 22.214.171.124 about tcp
in nf_conntrack, see this commit for more information:
It was definitely fixed around 126.96.36.199. Maybe you encounter this
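The reply above boils down to "look at the TCP flags in the LOG lines before worrying": a late ACK or FIN/ACK for a connection conntrack has already forgotten is noise, while NULL, FIN-only or Xmas packets spread over several ports are what nmap's -sN/-sF/-sX scans look like. The following script is an added example, not code from the thread or from nginx; it parses the format the iptables LOG target writes into the kernel log and sorts the INVALID hits by that criterion. The `IPT-INVALID:` prefix is an assumed `--log-prefix` (the original rule's prefix is cut off above), and the log lines and addresses are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input in the format of the iptables LOG target as it
# appears in the kernel log. "IPT-INVALID:" is an assumed --log-prefix and
# the addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
May 18 09:11:02 web kernel: IPT-INVALID: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=53 ID=0 DF PROTO=TCP SPT=51234 DPT=80 WINDOW=0 RES=0x00 ACK FIN URGP=0
May 18 09:11:03 web kernel: IPT-INVALID: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=53 ID=0 DF PROTO=TCP SPT=51234 DPT=80 WINDOW=0 RES=0x00 ACK URGP=0
May 18 09:11:05 web kernel: IPT-INVALID: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=40000 DPT=443 WINDOW=0 RES=0x00 ACK RST URGP=0
May 18 09:11:09 web kernel: IPT-INVALID: IN=eth0 OUT= SRC=192.0.2.66 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=44 ID=31337 PROTO=TCP SPT=60001 DPT=22 WINDOW=1024 RES=0x00 URG PSH FIN URGP=0
May 18 09:11:09 web kernel: IPT-INVALID: IN=eth0 OUT= SRC=192.0.2.66 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=44 ID=31337 PROTO=TCP SPT=60002 DPT=25 WINDOW=1024 RES=0x00 URGP=0
May 18 09:11:09 web kernel: IPT-INVALID: IN=eth0 OUT= SRC=192.0.2.66 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=44 ID=31337 PROTO=TCP SPT=60003 DPT=80 WINDOW=1024 RES=0x00 FIN URGP=0
May 18 09:11:12 web kernel: IPT-INVALID: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=5060 DPT=5060 LEN=40
"""

KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")
# The LOG target prints the set TCP flags as bare words between RES= and URGP=.
FLAGS_RE = re.compile(r"RES=0x[0-9a-fA-F]+\s+(.*?)\s*URGP=")

BENIGN_LATE = "late segment of a closed connection (harmless)"
RESET = "reset for a connection conntrack no longer tracks (harmless)"
SCAN = "stealth-scan flag combination (nmap -sN/-sF/-sX style)"
OTHER = "needs a closer look"


def parse_log_line(line):
    """Return the key=value fields of one LOG record plus a frozenset of the
    TCP flags it carries, or None if the line is not a LOG record."""
    if "PROTO=" not in line:
        return None
    fields = dict(KV_RE.findall(line))
    flags = frozenset()
    if fields.get("PROTO") == "TCP":
        m = FLAGS_RE.search(line)
        if m:
            flags = frozenset(m.group(1).split())
    fields["FLAGS"] = flags
    return fields


def classify(flags):
    """Map the flag set of a packet conntrack called INVALID to a verdict."""
    if "SYN" in flags and "FIN" in flags:
        return SCAN  # SYN+FIN never occurs in a legitimate handshake
    if "RST" in flags:
        return RESET  # peer resetting a connection whose entry is already gone
    if "ACK" in flags and "SYN" not in flags:
        return BENIGN_LATE  # ACK, FIN/ACK or PSH/ACK after the entry expired
    if not flags or flags <= {"FIN", "PSH", "URG"}:
        return SCAN  # NULL, FIN-only or Xmas: no ACK, no SYN, no RST
    return OTHER


def summarize(log_text):
    """Tally verdicts per source and list sources that hit three or more
    destination ports, which separates a scan from the stray segments of a
    single old connection."""
    verdicts = Counter()
    ports_by_src = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        src = rec.get("SRC")
        if rec.get("PROTO") != "TCP":
            verdicts[(src, OTHER)] += 1
            continue
        verdicts[(src, classify(rec["FLAGS"]))] += 1
        ports_by_src[src].add(rec.get("DPT"))
    multi_port = sorted(s for s, p in ports_by_src.items() if len(p) >= 3)
    return verdicts, multi_port


if __name__ == "__main__":
    counts, scanners = summarize(SAMPLE_LOG)
    for (src, verdict), n in sorted(counts.items()):
        print(f"{src:16} {n:3}  {verdict}")
    for src in scanners:
        print(f"{src}: INVALID packets to several ports, looks like a scan")
```

Run it against `journalctl -k` or `/var/log/kern.log` output instead of `SAMPLE_LOG` to answer the "what was in the log" question from the reply. If the bulk of the hits turn out to be the harmless class, a rule such as `-p tcp --tcp-flags RST RST -j DROP` and one matching `--tcp-flags FIN,ACK FIN,ACK` placed before the `--state INVALID -j LOG` rule keeps them out of the log while still logging the flag combinations that only a scanner sends.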