Packets marked INVALID in FORWARD rule

Posted by Raphink on Server Fault See other posts from Server Fault or by Raphink
Published on 2012-10-19T10:25:43Z Indexed on 2012/10/19 11:07 UTC
Read the original article Hit count: 215

Filed under:
|
|

I have a firewall that has 3 IP aliases on 1 physical interface. Packets get dropped between these 3 interfaces (either ICMP, HTTP, or anything else). We tracked it down to these packets being marked INVALID in the FORWARD rule and dropped due to the this rule:

chain FORWARD {
    policy DROP;

    # connection tracking
    mod state state INVALID LOG log-prefix 'INVALID FORWARD DROP: '; 
    mod state state INVALID DROP;
    mod state state (ESTABLISHED RELATED) ACCEPT;
}

(That is, we see the INVALID FORWARD DROP logs in dmesg)

What could be causing this?

© Server Fault or respective owner

Related posts about iptables

Related posts about firewall