LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
Old 04-13-2009, 12:38 PM   #16
niels.horn
Senior Member
 
Registered: Mar 2007
Location: Rio de Janeiro - Brazil
Distribution: Slackware64-current
Posts: 1,004

Rep: Reputation: 91

The decision to call a packet invalid is made by the rules in your firewall script.

You can experiment changing the --log-prefix in the script to see where it is rejected or dropped.
If you want, you can post that section of the script here, but I would understand if you prefer not to.
 
Old 04-13-2009, 01:35 PM   #17
Woodsman
Senior Member
 
Registered: Oct 2005
Distribution: Slackware 14.1
Posts: 3,482

Original Poster
Rep: Reputation: 546
Quote:
You can experiment changing the --log-prefix in the script to see where it is rejected or dropped.
There is only one place in the script using that message syntax.

I can post the entire script but I believe the following is all that is needed:

Code:
# base script generated by Easy Firewall Generator
# copyright 2002 Timothy Scott Morizot
# http://easyfwgen.morizot.net/gen/
# slackware specific version available at
# http://www.slackware.com/~alien/efg/

IPT="/usr/sbin/iptables"

# Default policies: anything no later rule explicitly accepts is dropped
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

# User-defined chains that the rest of the script jumps into
$IPT -N bad_packets
$IPT -N bad_tcp_packets
$IPT -N icmp_packets
$IPT -N udp_inbound
$IPT -N udp_outbound
$IPT -N tcp_inbound
$IPT -N tcp_outbound

# Packets that connection tracking classifies as INVALID are logged
# (this is the rule that writes the "Invalid packet: " messages) and then dropped
$IPT -A bad_packets -p ALL -m state --state INVALID -j LOG --log-prefix "Invalid packet: "
$IPT -A bad_packets -p ALL -m state --state INVALID -j DROP
. .  .
The log messages are generated by the rule highlighted above.

I don't pretend to understand iptables but I'll follow any cookie crumb trails anybody here leaves. Yeah, I know about the various online tutorials . . . .

Thanks.
 
Old 04-13-2009, 03:48 PM   #18
niels.horn
Senior Member
 
Registered: Mar 2007
Location: Rio de Janeiro - Brazil
Distribution: Slackware64-current
Posts: 1,004

Rep: Reputation: 91
This is a very basic filter checking for the state of the packet, where you can have:
  • --state NEW: New incoming or outgoing connections
  • --state ESTABLISHED: Packet is associated to an established connection
  • --state RELATED: New connection, but related to another, existing connection (for example w/ ftp)
  • --state INVALID: (this is from the man-page) "meaning that the packet could not be identified for some reason which includes running out of memory and ICMP errors which don't correspond to any known connection"

Like I said in a previous post, it might be related to an older connection that your firewall has forgotten already.

In most firewall scripts you'll see lines simply accepting ESTABLISHED / RELATED traffic (since it has already been checked when the connection was NEW).
INVALID usually means that the packet says it belongs to an existing connection (like in this case, it ACKnowledges), but your firewall does not know or does not remember.

Last edited by niels.horn; 04-13-2009 at 03:51 PM.
 
Old 04-13-2009, 05:41 PM   #19
janhe
Member
 
Registered: Jul 2007
Location: Belgium
Distribution: slackware64 14.2, slackware 13.1
Posts: 371

Rep: Reputation: 54
Wireshark doesn't know/doesn't care about iptables. It lists what packets came in through your network interface.
As niels.horn explained, iptables doesn't recognise the packets in question as packets that belong to a connection.

I suspect they are (because you said the port numbers were in the netstat output)

You asked why iptables marks these packets as invalid. To answer that question, we need to know the context of the connection when the packet was received. Without that context, we can only guess (and some people already did that).

If you want me to help you, maybe you can upload a capture (if you don't consider the transferred info confidential). If you filter it to one connection, the file probably isn't that big. Remember to post which packet is the "invalid" one.

Once you have located the "invalid packet" by looking at the arrival time, you right-click on it in Wireshark. Choose Conversation Filter->TCP. Then stop capturing, and save the displayed packets to a file. (I chose the options: displayed, all packets, Wireshark/tcpdump/...)

An error from my previous post:
You can choose how Wireshark displays time (View->Time Display Format), so there's no need to check the clock when you start capturing.

Last edited by janhe; 04-13-2009 at 05:47 PM.
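Added example (not from this thread and not part of the Easy Firewall Generator script): a small Python script that reads the "Invalid packet: " lines the LOG rule in post #17 writes to the syslog, classifies each one along the lines niels.horn gives in post #18 (a late ACK/FIN for a connection conntrack has forgotten, an RST it cannot match, an ICMP error for no known connection), and for each entry builds the Wireshark display filter that isolates the same conversation, which is what janhe's Conversation Filter step in post #19 does by hand. The log format assumed is the standard iptables LOG target output; the sample lines, addresses and ports are constructed, and the reason labels are this example's own names, not anything iptables prints.

```python
"""Parse and classify iptables "Invalid packet: " log lines (added example)."""
import re
from collections import Counter

# Constructed sample syslog lines in the standard iptables LOG target format.
# Addresses, MACs and ports are made up; the last line is noise to be ignored.
SAMPLE_LOG = """\
Apr 13 12:31:07 box kernel: Invalid packet: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.10 DST=192.0.2.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=80 DPT=45678 WINDOW=0 RES=0x00 ACK URGP=0
Apr 13 12:31:09 box kernel: Invalid packet: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.10 DST=192.0.2.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=80 DPT=45678 WINDOW=0 RES=0x00 ACK FIN URGP=0
Apr 13 12:32:41 box kernel: Invalid packet: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.5 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=1234 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=65535 RES=0x00 ACK PSH URGP=0
Apr 13 12:33:02 box kernel: Invalid packet: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.99 DST=192.0.2.5 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=3 CODE=3 [SRC=192.0.2.5 DST=192.0.2.99 LEN=56 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=5353 DPT=53 LEN=36 ]
Apr 13 12:40:00 box kernel: something else entirely
"""

TCP_FLAGS = ("SYN", "ACK", "FIN", "RST", "PSH", "URG")
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_invalid_line(line, prefix="Invalid packet: "):
    """Return a dict of KEY=value fields for one LOG line carrying the prefix, else None."""
    idx = line.find(prefix)
    if idx < 0:
        return None
    body = line[idx + len(prefix):]
    # For ICMP errors the LOG target appends the embedded original header in [...];
    # keep only the outer header so its SRC/DST are not overwritten by the inner ones.
    body = body.split("[", 1)[0]
    fields = dict(KV_RE.findall(body))
    tokens = set(body.split())
    # TCP flags are printed as bare words (ACK, FIN, ...), not as KEY=value pairs.
    fields["FLAGS"] = sorted(f for f in TCP_FLAGS if f in tokens) if fields.get("PROTO") == "TCP" else []
    return fields


def classify(fields):
    """Coarse reason label (this example's own names) for why conntrack called the packet INVALID."""
    proto = fields.get("PROTO")
    if proto == "TCP":
        flags = set(fields["FLAGS"])
        if "SYN" in flags and "ACK" not in flags:
            return "tcp-syn"               # a fresh connection attempt; rarely INVALID
        if "RST" in flags:
            return "tcp-rst-untracked"     # reset for a connection conntrack does not know
        if "ACK" in flags:
            return "tcp-late-ack"          # ACK/FIN/PSH for a forgotten or timed-out connection
        return "tcp-other"
    if proto == "ICMP":
        return "icmp-error-unmatched"      # ICMP error that matches no known connection
    return "other"


def wireshark_filter(fields):
    """Display filter that isolates the same conversation in a capture (Conversation Filter by hand)."""
    proto = fields.get("PROTO", "").lower()
    if proto in ("tcp", "udp"):
        return (f"ip.addr=={fields['SRC']} && ip.addr=={fields['DST']} && "
                f"{proto}.port=={fields['SPT']} && {proto}.port=={fields['DPT']}")
    return f"ip.addr=={fields['SRC']} && ip.addr=={fields['DST']}"


def summarize(log_text):
    """Count INVALID entries per (source address, reason) over a whole log."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_invalid_line(line)
        if fields:
            counts[(fields["SRC"], classify(fields))] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        fields = parse_invalid_line(line)
        if fields:
            print(classify(fields), "->", wireshark_filter(fields))
    for (src, reason), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {src:15s}  {reason}")
```

To use it on a real box, replace SAMPLE_LOG with the contents of /var/log/messages (or pipe the file in); the per-source summary shows at a glance whether the INVALID hits are all late ACK/FIN segments from hosts you were talking to, which is the "forgotten connection" case niels.horn describes, and the printed filter can be pasted into Wireshark to find that conversation in the capture janhe asks for.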
 
  

