INVALID packets in OUTPUT chain

To: Debian ISP Mailing List <debian-isp@lists.debian.org>
Subject: INVALID packets in OUTPUT chain
From: Marcin Owsiany <porridge@debian.org>
Date: Wed, 8 Aug 2007 18:44:50 +0100
Message-id: <[🔎] 20070808174450.GA21698@beczulka>
Mail-followup-to: Debian ISP Mailing List <debian-isp@lists.debian.org>

I have a lightly loaded web server, with an empty (policy ALLOW) INPUT
chain, and a few rules in the OUTPUT chain (so if any of the PHP apps
are attacked, they won't be able to download any nasty stuff).

Every now and then a rule created using the following command:

iptables -A OUTPUT -m state --state INVALID -j LOG --log-prefix INVALID --log-tcp-sequence --log-tcp-options --log-ip-options --log-uid

Logs a line such as this:

IN= OUT=eth0 SRC=SERVER DST=CLIENT LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=3935 SEQ=2659281614 ACK=0 WINDOW=0 RES=0x00 RST URGP=0

Looking in the apache's access logs, I can see that in most cases, there
is a (usually successful) request from the logged CLIENT address to the
webserver, almost exactly two minutes before the line is logged.

Can someone explain to me why conntrack thinks it packet is in INVALID
state, if it's generated by the host's TCP stack?

-- 
Marcin Owsiany <porridge@debian.org>             http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216  FE67 DA2D 0ACA FC5E 3F75  D6F6 3A0D 8AA0 60F4 1216

Reply to:

Follow-Ups:
- Re: INVALID packets in OUTPUT chain
  - From: "Wojciech Ziniewicz" <wojciech.ziniewicz@gmail.com>
- Re: INVALID packets in OUTPUT chain
  - From: Gavin Westwood <debian-isp@solutium.co.uk>

Prev by Date: Re: iptables conntrack: packets not matching a rule occasionally?
Next by Date: Re: INVALID packets in OUTPUT chain
Previous by thread: Re: amavis-new not adding X-Spam-Status header
Next by thread: Re: INVALID packets in OUTPUT chain
Index(es):
- Date
- Thread