Packets marked INVALID in FORWARD rule
Posted by Raphink on Server Fault
Published on 2012-10-19T10:25:43Z
I have a firewall that has 3 IP aliases on 1 physical interface. Packets get dropped between these 3 interfaces (either ICMP, HTTP, or anything else). We tracked it down to these packets being marked INVALID in the FORWARD rule and dropped due to this rule:
    chain FORWARD {
        policy DROP;
        # connection tracking
        mod state state INVALID LOG log-prefix 'INVALID FORWARD DROP: ';
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;
    }
(That is, we see the INVALID FORWARD DROP logs in dmesg)
What could be causing this?