INVALID packets in OUTPUT chain
I have a lightly loaded web server, with an empty (policy ALLOW) INPUT
chain, and a few rules in the OUTPUT chain (so if any of the PHP apps
are attacked, they won't be able to download any nasty stuff).
Every now and then a rule created using the following command:
iptables -A OUTPUT -m state --state INVALID -j LOG --log-prefix INVALID --log-tcp-sequence --log-tcp-options --log-ip-options --log-uid
logs a line such as this:
IN= OUT=eth0 SRC=SERVER DST=CLIENT LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=3935 SEQ=2659281614 ACK=0 WINDOW=0 RES=0x00 RST URGP=0
Looking in Apache's access logs, I can see that in most cases there
is a (usually successful) request from the logged CLIENT address to the
webserver, almost exactly two minutes before the line is logged.
Can someone explain to me why conntrack thinks this packet is in INVALID
state, if it's generated by the host's TCP stack?
Marcin Owsiany <email@example.com> http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216 FE67 DA2D 0ACA FC5E 3F75 D6F6 3A0D 8AA0 60F4 1216
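Added example, not part of Marcin's post or of any netfilter code: a small Python script that does the correlation described above mechanically, parsing the LOG output of the rule in the post and listing, for every INVALID bare RST the server sent, the Apache requests from the same client in the preceding window and the gap in seconds. All log lines in it are constructed; the syslog prefix ("Jun  3 10:32:07 www kernel: "), the year, and the assumption that both logs are in UTC are mine, since the post shows only the kernel part of the line. A gap that clusters around 120 s is worth comparing against `sysctl net.netfilter.nf_conntrack_tcp_timeout_time_wait`, whose default is 120 seconds.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample data, not the poster's logs. The syslog prefix is assumed.
# Because the rule uses --log-prefix INVALID with no trailing space, the prefix
# runs straight into "IN=" and shows up as "INVALIDIN=" in the kernel log.
KERNEL_LOG = """\
Jun  3 10:32:07 www kernel: INVALIDIN= OUT=eth0 SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=3935 SEQ=2659281614 ACK=0 WINDOW=0 RES=0x00 RST URGP=0
Jun  3 10:40:11 www kernel: INVALIDIN= OUT=eth0 SRC=198.51.100.7 DST=203.0.113.9 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=51022 SEQ=1183920 ACK=0 WINDOW=0 RES=0x00 RST URGP=0
Jun  3 10:41:00 www kernel: INVALIDIN= OUT=eth0 SRC=198.51.100.7 DST=203.0.113.9 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=4711 DF PROTO=TCP SPT=80 DPT=51023 SEQ=77 ACK=99 WINDOW=229 RES=0x00 ACK URGP=0
"""

# Constructed Apache combined-format lines. Both logs are assumed to be in UTC.
ACCESS_LOG = """\
192.0.2.10 - - [03/Jun/2012:10:30:06 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [03/Jun/2012:10:10:00 +0000] "GET /robots.txt HTTP/1.1" 200 26 "-" "curl/7.21.0"
"""

KERNEL_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: (?P<rest>.*)$')
ACCESS_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
TCP_FLAGS = {'SYN', 'ACK', 'FIN', 'RST', 'PSH', 'URG'}


def parse_kernel_line(line, year):
    """Split an iptables LOG line into timestamp, log prefix, KEY=VALUE fields
    and the bare TCP flag tokens (SYN/ACK/RST/...) that follow RES=."""
    m = KERNEL_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group('ts'), '%b %d %H:%M:%S')
    ts = ts.replace(year=year, tzinfo=timezone.utc)  # syslog lines carry no year
    rest = m.group('rest')
    start = rest.find('IN=')  # everything before the first field is the log prefix
    if start < 0:
        return None
    fields, flags = {}, set()
    for tok in rest[start:].split():
        if '=' in tok:
            key, val = tok.split('=', 1)
            fields[key] = val  # "ACK=0" here is the ack number from --log-tcp-sequence
        elif tok in TCP_FLAGS:
            flags.add(tok)     # a flag token such as "RST" or "ACK" carries no '='
    return {'time': ts, 'prefix': rest[:start].strip(), 'fields': fields, 'flags': flags}


def parse_access_line(line):
    m = ACCESS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z').astimezone(timezone.utc)
    return {'time': ts, 'client': m.group('client'),
            'request': m.group('req'), 'status': int(m.group('status'))}


def is_bare_rst(ev):
    """A RST without the ACK flag is what a TCP stack sends when a segment that
    itself carried ACK arrives for a connection it no longer has (RFC 793)."""
    return (ev['fields'].get('PROTO') == 'TCP'
            and 'RST' in ev['flags'] and 'ACK' not in ev['flags'])


def correlate(kernel_log, access_log, year=2012, window_s=150):
    """For each INVALID bare RST the server sent, list this client's requests in
    the preceding window and how many seconds before the RST the last one was."""
    accesses = [a for a in map(parse_access_line, access_log.splitlines()) if a]
    window = timedelta(seconds=window_s)
    results = []
    for line in kernel_log.splitlines():
        ev = parse_kernel_line(line, year)
        if not ev or ev['prefix'] != 'INVALID' or not is_bare_rst(ev):
            continue
        client = ev['fields']['DST']  # OUTPUT chain: DST is the remote client
        prior = sorted((a for a in accesses
                        if a['client'] == client
                        and timedelta(0) <= ev['time'] - a['time'] <= window),
                       key=lambda a: a['time'])
        results.append({
            'time': ev['time'], 'client': client, 'client_port': int(ev['fields']['DPT']),
            'prior_requests': [a['request'] for a in prior],
            'seconds_since_last': (int((ev['time'] - prior[-1]['time']).total_seconds())
                                   if prior else None),
        })
    return results


if __name__ == '__main__':
    for r in correlate(KERNEL_LOG, ACCESS_LOG):
        print(r['time'].strftime('%H:%M:%S'), r['client'], r['client_port'],
              r['seconds_since_last'], r['prior_requests'])
```

The parser tolerates both `--log-prefix INVALID` (prefix glued to `IN=`, as the posted rule produces) and `--log-prefix "INVALID "`; the trailing space is the usual choice because it keeps the first field separable for tools that split on whitespace. Only RSTs without the ACK flag are reported, so INVALID entries of other kinds (the third constructed line, a plain ACK) are left out rather than mixed into the two-minute statistic.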