On Sun, May 18, 2008 09:11, Rt Ibmer wrote:
Hi all - I’m using the latest version of nginx 6 and recently put iptables
in place.I am seeing a significant number of matches for the following iptables
rule:iptables -A INPUT -m state --state INVALID -j LOG --log-prefix
INPUT-BAD-PACKET:
iptables -A INPUT -m state --state INVALID -j DROP
You didn’t show us what was important: the log that was produced.
If the rejected packet was a ACK/FIN, then it is harmless.
On busy servers conntrack removes the connection from its table as soon
as
it gets the FIN packet. When the ACK/FIN then comes, the connection is
not
known and this is not a SYN. It logs it as invalid.
This could also have been a scan (nmap can trigger invalid packets too).
What kernel version are you running?
I remember that there was some issues around 2.6.23.4 about tcp
reopening
in nf_conntrack, see this commit for more information:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=b2155e7f70b3f058efe94c0c459db023b05057bd
It was definitely fixed around 2.6.24.3. Maybe you encounter this
problem.
HTH,