List: netfilter
Subject: Some packets flagged INVALID
From: "Bob Sauvage" <Bob.sauvage () gmx ! fr>
Date: 2014-02-18 21:52:18
Message-ID: 20140218215218.194660 () gmx ! com
Hi *,
I'm running a high volume web application that uses Apache 2.2.15 mod_proxy to reverse proxy content from apache to JBoss 6.
I found 503 errors which happen sporadically throughout the day on random requests (perhaps 1/1000 of daily requests).
After investigations, I noticed that every error coincides with an invalid tcp packet:
kernel: invalid:IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=33082 DF PROTO=TCP SPT=48340 DPT=8080 WINDOW=32792 RES=0x00 SYN URGP=0
After some investigations, this SYN packet is not acknowledged by JBoss in order to perform the TCP 3-Way Handshake. Mhmm, strange, I decide to investigate in firewall rules, built by another sysadmin:
In the INPUT chain, I found a rule that logs and REJECTS all INVALID packets:
iptables -A INPUT -m state --state INVALID -j LOG --log-prefix "invalid:"
iptables -A INPUT -m state --state INVALID -j REJECT
Then logs and REJECTS not SYN but new:
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "new-not-syn:"
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j REJECT --reject-with tcp-reset
I decided to add a rule in order to ACCEPT all packets from 127.0.0.1 to or from port 8080.
Since this update, I don't see these kinds of errors anymore.
Why does iptables tag this packet as invalid?
Thanks,
Bob
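Added here as an example, not part of Bob's message or of any netfilter tooling: a small Python script that does the correlation he describes doing by hand, parsing netfilter LOG lines in the format quoted above and pulling out loopback SYNs to the backend port that were logged with the "invalid:" prefix. The log lines it runs over are constructed samples modelled on the one in the post; the backend port 8080 and the two log prefixes come from the rules shown.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the one quoted in the post (not a real capture).
SAMPLE_LOG = """\
Feb 18 21:40:01 web1 kernel: invalid:IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=33082 DF PROTO=TCP SPT=48340 DPT=8080 WINDOW=32792 RES=0x00 SYN URGP=0
Feb 18 21:40:02 web1 kernel: invalid:IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=203.0.113.5 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=443 DPT=51234 WINDOW=0 RES=0x00 ACK RST URGP=0
Feb 18 21:40:03 web1 kernel: new-not-syn:IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=0 RES=0x00 ACK URGP=0
Feb 18 21:40:04 web1 kernel: invalid:IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=33090 DF PROTO=TCP SPT=48341 DPT=8080 WINDOW=32792 RES=0x00 SYN URGP=0
"""

KV_RE = re.compile(r"(\w+)=(\S*)")  # KEY=value tokens of a netfilter LOG line


def parse_log_line(line):
    """Parse one netfilter LOG line into {prefix, fields, flags}; None if it is not one."""
    m = re.search(r"kernel:\s*(?P<prefix>.*?)IN=", line)
    if not m:
        return None
    body = line[m.start("prefix"):]
    fields = dict(KV_RE.findall(body))
    # Bare upper-case tokens (DF, SYN, ACK, RST, ...) carry no '=': those are the flags.
    flags = {tok for tok in body.split() if "=" not in tok and tok.isupper()}
    return {"prefix": m.group("prefix").rstrip(":"), "fields": fields, "flags": flags}


def is_rejected_backend_syn(rec, backend_port):
    """A loopback SYN to the backend port that conntrack flagged INVALID: the
    pattern that coincided with each sporadic 503 in the post."""
    f = rec["fields"]
    return (rec["prefix"] == "invalid" and f.get("IN") == "lo"
            and f.get("PROTO") == "TCP" and f.get("DPT") == str(backend_port)
            and "SYN" in rec["flags"] and "ACK" not in rec["flags"])


def summarize(log_text, backend_port):
    """Count logged rejects per (log prefix, DPT) and list the backend-SYN hits' source ports."""
    by_rule, backend_hits = Counter(), []
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        by_rule[(rec["prefix"], rec["fields"].get("DPT"))] += 1
        if is_rejected_backend_syn(rec, backend_port):
            backend_hits.append(rec["fields"].get("SPT"))
    return {"by_rule": by_rule, "backend_syn_rejected": backend_hits}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG, 8080)
    for (prefix, dpt), n in sorted(result["by_rule"].items()):
        print(f"{prefix:12s} DPT={dpt:<6} {n}")
    print("backend SYNs rejected as INVALID, by source port:", result["backend_syn_rejected"])
```

Pointing it at the real kernel log and checking whether each hit's timestamp lines up with a 503 in the Apache error log is the check the post describes; if the count is zero after the ACCEPT rule is added, the rule ordering is doing its job.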