Old 03-05-2010, 10:28 AM   #1
iptables drop packets as invalid between 2 end-network connected through VPN

Hello everyone,
I am setting up a Linux box as a router/firewall. Currently, I'm setting up the firewall on that machine.

The situation is:

There are 2 networks, the home network and the work network.

I am connecting the 2 with a VPN connection. The OpenVPN server is a PC in the home network.

The router/firewall Linux box is another PC in the home network, which I 'inserted' between the ISP modem and the internal switch of my home network.

I have managed to connect the VPN server in the home net to the VPN client at the work net, and so I can ping directly from the home net ( to the work net ( without using the VPN IP space at all ( which is great.

I did however try to open a remote desktop connection from a home Windows PC to a work Windows PC and it didn't work. Checking the output with dmesg on the firewall Linux box, it says:
Invalid packet: IN=eth0 OUT=eth0 SRC= DST= LEN=59 TOS=0x00 PREC=0x00 TTL=127 ID=35708 PROTO=TCP SPT=2016 DPT=3389 WINDOW=65535 RES=0x00 ACK PSH URGP=0
Any ideas why the packet is considered invalid?

Last edited by nass; 03-05-2010 at 10:56 AM.
Old 03-05-2010, 10:56 AM   #2
Original Poster
EDIT: my FORWARD chain looks like this:

echo "Process FORWARD chain ..."

# Every forwarded packet is first sent through the bad_packets chain
$IPT -A FORWARD -p ALL -j bad_packets # this is where the problem occurs
$IPT -A FORWARD -p tcp -i $LOCAL_IFACE -j tcp_outbound
$IPT -A FORWARD -p udp -i $LOCAL_IFACE -j udp_outbound

# traffic from ( and from (

# to listening port of vpn server
$IPT -A FORWARD -p tcp --destination-port 1194 -j ACCEPT
$IPT -A FORWARD -p udp --destination-port 1194 -j ACCEPT
And the bad_packets chain contains the following relevant part:

# Log, then drop, packets that conntrack classifies as INVALID
$IPT -A bad_packets -p ALL -m state --state INVALID -j LOG \
    --log-prefix "Invalid packet: "

$IPT -A bad_packets -p ALL -m state --state INVALID -j DROP
So I guess I could place the accept rule for the work_net traffic above the -j bad_packets redirection... but I'm not sure this is good practice....

Also, is there some big security hole in the FORWARD chain that I could do without??

Thank you for your help.
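A small log-line analyzer, added here as an example and not code from the thread: it parses the iptables LOG format of the dmesg line quoted above and reports the two clues that line carries (same interface in and out, ACK/PSH with no SYN), which together point at conntrack seeing only one direction of the flow. The sample line and its addresses are constructed, since the forum stripped the real ones.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample in the shape of the dmesg line from the post;
# documentation-range addresses stand in for the stripped real ones.
SAMPLE_LOG = (
    "Invalid packet: IN=eth0 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.20 "
    "LEN=59 TOS=0x00 PREC=0x00 TTL=127 ID=35708 PROTO=TCP SPT=2016 DPT=3389 "
    "WINDOW=65535 RES=0x00 ACK PSH URGP=0"
)

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "CWR", "ECE"}
FIELD_RE = re.compile(r"([A-Z]+)=(.*)")


def parse_iptables_log(line: str) -> Tuple[str, Dict[str, str], Set[str]]:
    """Split an iptables LOG line into (log prefix, KEY=value fields, TCP flags).

    The LOG target prints TCP flags as bare words ('ACK PSH'), not KEY=value,
    so they are collected separately from the fields.
    """
    prefix_words: List[str] = []
    fields: Dict[str, str] = {}
    flags: Set[str] = set()
    for tok in line.split():
        m = FIELD_RE.fullmatch(tok)
        if m:
            fields[m.group(1)] = m.group(2)
        elif tok in TCP_FLAGS:
            flags.add(tok)
        elif not fields:  # words before the first KEY=value are the --log-prefix
            prefix_words.append(tok)
    return " ".join(prefix_words), fields, flags


def diagnose_invalid(fields: Dict[str, str], flags: Set[str]) -> List[Tuple[str, str]]:
    """Return (code, explanation) pairs for common reasons a forwarded packet is INVALID."""
    findings: List[Tuple[str, str]] = []
    if fields.get("IN") and fields.get("IN") == fields.get("OUT"):
        findings.append(("hairpin",
            f"forwarded back out its ingress interface {fields['IN']}: the next hop sits on "
            "the same LAN, so replies can reach the client without crossing this box and "
            "conntrack never sees the other direction of the flow"))
    if fields.get("PROTO") == "TCP" and "SYN" not in flags and "RST" not in flags:
        findings.append(("no-handshake",
            f"TCP segment with flags {','.join(sorted(flags)) or 'none'} but no SYN: "
            "conntrack holds no established entry for this flow, so the state match "
            "yields INVALID"))
    return findings
```

Moving the work-net accept rule above the bad_packets jump only hides the symptom; the cause to address is the reply path not crossing the firewall.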

