Large number of invalid packets detected

Brice Figureau brice+nginx at daysofwonder.com
Sun May 18 18:43:08 MSD 2008


On Sun, May 18, 2008 09:11, Rt Ibmer wrote:
> Hi all - I'm using the latest version of nginx 6 and recently put iptables
> in place.
>
> I am seeing a significant number of matches for the following iptables
> rule:
>
>   iptables -A INPUT -m state --state INVALID -j LOG --log-prefix
> INPUT-BAD-PACKET:
>   iptables -A INPUT -m state --state INVALID -j DROP

You didn't show us what was important: the log that was produced.

If the rejected packet was an ACK/FIN, then it is harmless.
On busy servers conntrack removes the connection from its table as soon as
it gets the FIN packet. When the ACK/FIN then comes, the connection is not
known and this is not a SYN. It logs it as invalid.

This could also have been a scan (nmap can trigger invalid packets too).

What kernel version are you running?
I remember that there were some issues around 2.6.23.4 about tcp reopening
in nf_conntrack, see this commit for more information:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=b2155e7f70b3f058efe94c0c459db023b05057bd
It was definitely fixed around 2.6.24.3. Maybe you encountered this problem.

HTH,
-- 
Brice Figureau
Days of Wonder
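As an added example (not from either poster), here is a small shell/awk triage for the LOG output of the rule quoted above. It sorts the INVALID hits into the three buckets the reply describes: ACK or RST segments with no SYN (the tail of a connection conntrack has already forgotten, harmless), TCP packets carrying none of SYN/ACK/RST (FIN-only or flag-less segments, which no handshake produces and which a scanner does emit), and everything else. The log lines are constructed in the kernel LOG format with documentation-range addresses; the function names and the per-source output are my own, not anything from iptables or nginx.

```shell
#!/bin/sh
# Constructed sample of kernel LOG lines as "--log-prefix INPUT-BAD-PACKET:" writes them.
# Addresses are from RFC 5737 documentation ranges; this is not traffic from the thread.
SAMPLE_LOG='May 18 18:40:01 web kernel: INPUT-BAD-PACKET:IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=52 TOS=0x00 PREC=0x00 TTL=55 ID=0 DF PROTO=TCP SPT=51234 DPT=80 WINDOW=0 RES=0x00 ACK FIN URGP=0
May 18 18:40:02 web kernel: INPUT-BAD-PACKET:IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=52 TOS=0x00 PREC=0x00 TTL=55 ID=0 DF PROTO=TCP SPT=51235 DPT=80 WINDOW=0 RES=0x00 ACK FIN URGP=0
May 18 18:40:05 web kernel: INPUT-BAD-PACKET:IN=eth0 OUT= SRC=192.0.2.99 DST=203.0.113.10 LEN=40 TOS=0x00 PREC=0x00 TTL=44 ID=1 PROTO=TCP SPT=40000 DPT=22 WINDOW=1024 RES=0x00 URGP=0
May 18 18:40:06 web kernel: INPUT-BAD-PACKET:IN=eth0 OUT= SRC=192.0.2.99 DST=203.0.113.10 LEN=40 TOS=0x00 PREC=0x00 TTL=44 ID=1 PROTO=TCP SPT=40000 DPT=80 WINDOW=1024 RES=0x00 FIN URGP=0
May 18 18:40:09 web kernel: INPUT-BAD-PACKET:IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=0 DF PROTO=TCP SPT=51234 DPT=80 WINDOW=0 RES=0x00 ACK URGP=0
May 18 18:40:12 web kernel: INPUT-BAD-PACKET:IN=eth0 OUT= SRC=192.0.2.50 DST=203.0.113.10 LEN=36 TOS=0x00 PREC=0x00 TTL=50 ID=7 PROTO=UDP SPT=53 DPT=33333 LEN=16'

# classify_bad_packets: reads LOG lines on stdin, prints one summary line
# followed by one "probe_source <ip> <count>" line per source of probe-like packets.
classify_bad_packets() {
  awk '
    /INPUT-BAD-PACKET:/ {
      proto = ""; flags = ""; src = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^PROTO=/)      proto = substr($i, 7)
        else if ($i ~ /^SRC=/)   src = substr($i, 5)
        # the LOG target prints each set TCP flag as its own bare token
        else if ($i ~ /^(SYN|ACK|FIN|RST|PSH|URG)$/) flags = flags $i " "
      }
      if (proto != "TCP") {
        other++                                    # non-TCP INVALID (malformed UDP/ICMP etc.)
      } else if (flags !~ /SYN/ && (flags ~ /ACK/ || flags ~ /RST/)) {
        late_tail++                                # ACK/FIN, ACK or RST after conntrack dropped the entry
      } else if (flags !~ /SYN/ && flags !~ /ACK/ && flags !~ /RST/) {
        probe++; probes[src]++                     # FIN-only or flag-less: never part of a real handshake
      } else {
        other++                                    # SYN variants marked INVALID: worth a closer look
      }
    }
    END {
      printf "late_tail=%d probe=%d other=%d\n", late_tail, probe, other
      for (s in probes) printf "probe_source %s %d\n", s, probes[s]
    }'
}

# Helpers that run the classifier over the constructed sample.
summarize_sample() {
  printf '%s\n' "$SAMPLE_LOG" | classify_bad_packets | head -n 1
}

probe_sources_sample() {
  printf '%s\n' "$SAMPLE_LOG" | classify_bad_packets | grep '^probe_source'
}

summarize_sample          # late_tail=3 probe=2 other=1
probe_sources_sample      # probe_source 192.0.2.99 2
```

On a real box the same function runs over the kernel log, e.g. `grep INPUT-BAD-PACKET /var/log/kern.log | classify_bad_packets`. A large `late_tail` count with `probe` near zero is the busy-server FIN race the reply describes and can be silenced by not logging INVALID packets that carry ACK or RST; a non-trivial `probe` count concentrated on a few sources is the scan case, and those sources are what to feed into whatever rate-limiting or blocking you already use.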

