Re: INVALID packets in OUTPUT chain

To: "Debian ISP Mailing List" <debian-isp@lists.debian.org>
Subject: Re: INVALID packets in OUTPUT chain
From: "Wojciech Ziniewicz" <wojciech.ziniewicz@gmail.com>
Date: Wed, 8 Aug 2007 20:15:22 +0200
Message-id: <[🔎] d1473ad90708081115v6320f413x29e80a8e6b2ea6d1@mail.gmail.com>
In-reply-to: <[🔎] 20070808174450.GA21698@beczulka>
References: <[🔎] 20070808174450.GA21698@beczulka>

2007/8/8, Marcin Owsiany <porridge@debian.org>:
> I have a lightly loaded web server, with an empty (policy ALLOW) INPUT
> chain, and a few rules in the OUTPUT chain (so if any of the PHP apps
> are attacked, they won't be able to download any nasty stuff).
>
> Every now and then a rule created using the following command:
>
> iptables -A OUTPUT -m state --state INVALID -j LOG --log-prefix INVALID --log-tcp-sequence --log-tcp-options --log-ip-options --log-uid
>
> Logs a line such as this:
>
> IN= OUT=eth0 SRC=SERVER DST=CLIENT LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=3935 SEQ=2659281614 ACK=0 WINDOW=0 RES=0x00 RST URGP=0
>
> Looking in the apache's access logs, I can see that in most cases, there
> is a (usually successful) request from the logged CLIENT address to the
> webserver, almost exactly two minutes before the line is logged.
>
> Can someone explain to me why conntrack thinks it packet is in INVALID
> state, if it's generated by the host's TCP stack?

I have an snort+guardian IDS with postgresql almost only for logging
the traffic between my apache farm and internet. Don't know if it's
relevant for your case but i'm receiving many alarms for squirrelmail
and nagios and almost everytime it's connected with an invalid packet
(only winxp users, vista and linux are OK ) . Snort was automatically
denying FORWARD on router so i  shut it down.
In squirrelmail it was writing a new email and after clicking "send"
some users were cut off because of an broken tcp stack (i suppose ;) )
 . On nagios it was simply "status map" . This error was generated
only for clients connected with polish adsl . From Lan - there were no
errors.
Also there are many many errors in winxp tcp implementation (like
sending invalid udp header in torrent connections that was including
their NATed private adresses etc .etc.etc - a long story).
So I would look on broken winxp clients.
U should test it from linux or vista machine.

regardz.


-- 
Wojciech Ziniewicz
Unix SEX :{look;gawk;find;sed;talk;grep;touch;finger;find;fl
ex;unzip;head;tail; mount;workbone;fsck;yes;gasp;fsck;more;yes;yes;eje
ct;umount;makeclean; zip;split;done;exit:xargs!!;)}

Reply to:

Follow-Ups:
- Re: INVALID packets in OUTPUT chain
  - From: Marcin Owsiany <porridge@debian.org>

References:
- INVALID packets in OUTPUT chain
  - From: Marcin Owsiany <porridge@debian.org>

Prev by Date: INVALID packets in OUTPUT chain
Next by Date: Re: INVALID packets in OUTPUT chain
Previous by thread: INVALID packets in OUTPUT chain
Next by thread: Re: INVALID packets in OUTPUT chain
Index(es):
- Date
- Thread