Slackware: This forum is for the discussion of Slackware Linux.
The decision to call a packet invalid is made by the rules in your firewall script.
You can experiment changing the --log-prefix in the script to see where it is rejected or dropped.
If you want, you can post that section of the script here, but I would understand if you prefer not to.
Quote:
You can experiment changing the --log-prefix in the script to see where it is rejected or dropped.
There is only one place in the script using that message syntax.
I can post the entire script but I believe the following is all that is needed:
Code:
# base script generated by Easy Firewall Generator
# copyright 2002 Timothy Scott Morizot
# http://easyfwgen.morizot.net/gen/
# slackware specific version available at
# http://www.slackware.com/~alien/efg/
IPT="/usr/sbin/iptables"

# Default-deny policies: anything not explicitly accepted by a later rule is dropped
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

# User-defined chains that the built-in chains hand traffic to
$IPT -N bad_packets
$IPT -N bad_tcp_packets
$IPT -N icmp_packets
$IPT -N udp_inbound
$IPT -N udp_outbound
$IPT -N tcp_inbound
$IPT -N tcp_outbound

# Log, then drop, anything connection tracking classifies as INVALID.
# This LOG rule is the only source of the "Invalid packet: " messages.
$IPT -A bad_packets -p ALL -m state --state INVALID -j LOG --log-prefix "Invalid packet: "
$IPT -A bad_packets -p ALL -m state --state INVALID -j DROP
. . .
The log messages are generated by the rule highlighted above.
I don't pretend to understand iptables but I'll follow any cookie crumb trails anybody here leaves. Yeah, I know about the various online tutorials . . . .
This is a very basic filter checking for the state of the packet, where you can have:
--state NEW: New incoming or outgoing connections
--state ESTABLISHED: Packet is associated to an established connection
--state RELATED: New connection, but related to another, existing connection (for example w/ ftp)
--state INVALID: (this is from the man-page) "meaning that the packet could not be identified for some reason which includes running out of memory and ICMP errors which don't correspond to any known connection"
Like I said in a previous post, it might be related to an older connection that your firewall has forgotten already.
In most firewall scripts you'll see lines simply accepting ESTABLISHED / RELATED traffic (since it has already been checked when the connection was NEW).
INVALID usually means that the packet says it belongs to an existing connection (like in this case, it ACKnowledges), but your firewall does not know or does not remember.
Last edited by niels.horn; 04-13-2009 at 03:51 PM.
Wireshark doesn't know/doesn't care about iptables. It lists what packets came in through your network interface.
As niels.horn explained, iptables doesn't recognise the packets in question as packets that belong to a connection.
I suspect they are (because you said the port numbers were in the netstat output)
You asked why iptables marks these packets as invalid. To answer that question, we need to know the context of the connection when the packet was received. Without that context, we can only guess (and some people already did that).
If you want me to help you, maybe you can upload a capture (if you don't consider the transferred info confidential). If you filter it to one connection, the file probably isn't that big. Remember to post which packet is the "invalid" one.
Once you have located the "invalid packet" by looking at the arrival time, right-click on it in Wireshark. Choose Conversation Filter -> TCP. Then stop capturing, and save the displayed packets to a file. (I choose options: displayed, all packets, Wireshark/tcpdump/...)
An error from my previous post:
you can choose how wireshark displays time (view->Time Display Format), so there's no need to check the clock when you start capturing.
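The state explanation above (NEW / ESTABLISHED / RELATED / INVALID) and the later advice to pull the offending conversation out of a Wireshark capture both come down to the same question: what kind of packet is conntrack rejecting? The script below is an added example for this thread, not the poster's firewall script or anything from Easy Firewall Generator. It parses kernel lines carrying the "Invalid packet: " prefix from the posted LOG rule, sorts each one into a likely reason by protocol and TCP flags, and emits the Wireshark display filter that selects that packet's conversation. The classification labels and the sample log lines are this example's own constructions; conntrack itself does not log why it chose INVALID.

```python
"""Classify iptables "Invalid packet:" log lines by what conntrack most
likely objected to, and derive a Wireshark display filter per line so the
same conversation can be pulled out of a capture.

Added example for this thread; it is not the poster's script or part of the
Easy Firewall Generator output. Assumptions: the LOG rule uses the prefix
"Invalid packet: " as in the posted script, and the lines are in the stock
kernel LOG format (KEY=VALUE fields plus bare flag words such as ACK, SYN).
"""
from collections import Counter

LOG_PREFIX = "Invalid packet: "

# Constructed sample lines (not taken from the thread): an ACK-only segment,
# a FIN/ACK, a bare RST, an ICMP error quoting the inner header, and one
# unrelated kernel line that the parser must skip.
SAMPLE_LOG = """\
Apr 13 15:40:01 slack kernel: Invalid packet: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.10 DST=192.0.2.5 LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=443 DPT=48212 WINDOW=501 RES=0x00 ACK URGP=0
Apr 13 15:40:02 slack kernel: Invalid packet: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.10 DST=192.0.2.5 LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=443 DPT=48212 WINDOW=501 RES=0x00 ACK FIN URGP=0
Apr 13 15:40:05 slack kernel: Invalid packet: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.5 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=0 PROTO=TCP SPT=80 DPT=3389 WINDOW=0 RES=0x00 ACK RST URGP=0
Apr 13 15:40:09 slack kernel: Invalid packet: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=192.0.2.5 LEN=56 TOS=0xc0 PREC=0x00 TTL=50 ID=1234 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.0.2.5 DST=198.51.100.9 LEN=28 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=33333 DPT=53 LEN=8 ]
Apr 13 15:40:10 slack kernel: some unrelated kernel message
"""

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_log_line(line):
    """Return {'fields': {...}, 'flags': set(), 'quoted_inner': bool} for a
    line carrying LOG_PREFIX, or None for any other line."""
    idx = line.find(LOG_PREFIX)
    if idx < 0:
        return None
    body = line[idx + len(LOG_PREFIX):]
    # An ICMP error log quotes the offending packet's header in [...];
    # keep only the outer header so inner PROTO/SPT/DPT do not overwrite it.
    outer, sep, _inner = body.partition(" [")
    fields, flags = {}, set()
    for tok in outer.split():
        if "=" in tok:
            key, _, val = tok.partition("=")
            fields[key] = val      # OUT= is present with an empty value
        else:
            flags.add(tok)         # bare words: DF, CE, SYN, ACK, FIN, RST, PSH, URG
    return {"fields": fields, "flags": flags, "quoted_inner": bool(sep)}


def classify(entry):
    """Map a parsed entry to the most likely reason conntrack said INVALID.
    The labels are this example's own; conntrack does not log its reason."""
    f, flags = entry["fields"], entry["flags"]
    proto = f.get("PROTO")
    if proto == "ICMP":
        return "icmp-error-without-tracked-connection"
    if proto != "TCP":
        return "non-tcp-unclassified"
    tcp = flags & TCP_FLAGS
    if "SYN" in tcp and "ACK" not in tcp:
        # A bare SYN should normally be NEW, not INVALID: suspect a malformed
        # segment or a conntrack table that has run out of memory.
        return "syn-marked-invalid-check-conntrack-table"
    if "RST" in tcp:
        return "rst-for-untracked-connection"
    if "ACK" in tcp:
        # Mid-stream segment (data, FIN/ACK, late retransmission) for a
        # connection the firewall no longer remembers or considers out of window.
        return "ack-for-forgotten-or-out-of-window-connection"
    return "tcp-unclassified"


def wireshark_filter(entry):
    """Display filter selecting the conversation this packet belongs to,
    equivalent to Conversation Filter -> TCP on the packet in Wireshark."""
    f = entry["fields"]
    proto = f.get("PROTO", "").lower()
    parts = [proto, "ip.addr==%s" % f["SRC"], "ip.addr==%s" % f["DST"]]
    if proto in ("tcp", "udp"):
        parts += ["%s.port==%s" % (proto, f["SPT"]), "%s.port==%s" % (proto, f["DPT"])]
    return " && ".join(parts)


def summarize(log_text):
    """Count classifications over a block of log text, skipping other lines."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_log_line(line)
        if entry is not None:
            counts[classify(entry)] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        e = parse_log_line(line)
        if e:
            print(classify(e), "|", wireshark_filter(e))
    print(dict(summarize(SAMPLE_LOG)))
```

Run it against /var/log/messages (or the output of dmesg) instead of SAMPLE_LOG to see which class dominates. If nearly everything lands in the ACK class, the packets are, as niels.horn said, tail ends of connections the firewall has already forgotten or judged out of window; they are safe to drop, and the LOG rule is just noise you may prefer to remove. On current kernels the sysctl net.netfilter.nf_conntrack_tcp_be_liberal=1 stops conntrack from marking out-of-window segments INVALID, which quiets the log but also loosens the check, so treat it as a trade-off rather than a fix.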