From: Neal Murphy
Subject: Re: Why SYN-ACK packets are dropped as INVALID?
Date: Thu, 26 Mar 2015 08:53:07 -0400
Message-ID: <201503260853.07382.neal.p.murphy@alum.wpi.edu>
To: netfilter@vger.kernel.org

On Thursday, March 26, 2015 04:41:21 AM Spenst, Aleksej wrote:
> Hi All,
>
> I'm sending TCP SYN packets to the server. The problem is that the SYN-ACK
> packets coming from the server in response are sometimes dropped by my
> firewall (iptables) as INVALID. I can't figure out why the firewall sees
> these packets as invalid. They seem to be OK. What parameters are taken into
> account by the firewall when making a decision about the invalidity of a
> packet?
>
> Example from tcpdump:
>
> 19:29:22.045106 TCP 60710→8080 [SYN] Seq=2646194936 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=1356920 TSecr=0 WS=16
> 19:29:22.817859 TCP 8080→60710 [SYN, ACK] Seq=3920856233 Ack=2646194937 Win=65535 Len=0 MSS=1200 SACK_PERM=1
>
> The ACK sequence number (Ack=2646194937) is OK, but I see in my iptables
> logs that this SYN-ACK packet is marked as INVALID and dropped. When the
> SYN-ACK packet comes the TCP session is in the state SYN_SENT -> So, the
> states are also OK. Why is this packet invalid then?

Does the ACK tell the peer the sequence # of the *next* packet the host
expects to receive? Or does it acknowledge the *last* packet it received? If
the latter, then the SYN-ACK as sent is invalid, as it acknowledges a packet
that hasn't been sent yet.
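An added example, not part of the thread: a small checker that parses the two Wireshark-style lines quoted above and verifies the SYN/SYN-ACK pair the way TCP defines it (the ACK number is the next sequence number the sender expects, so a SYN-ACK must carry Ack == client ISN + 1). It assumes the port separator is the "→" or "->" shown in the quoted lines; the sample lines are constructed from the post.

```python
import re

# Constructed from the two lines quoted in the question.
HANDSHAKE = [
    "19:29:22.045106 TCP 60710→8080 [SYN] Seq=2646194936 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=1356920 TSecr=0 WS=16",
    "19:29:22.817859 TCP 8080→60710 [SYN, ACK] Seq=3920856233 Ack=2646194937 Win=65535 Len=0 MSS=1200 SACK_PERM=1",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) TCP (?P<sport>\d+)(?:→|->)(?P<dport>\d+) \[(?P<flags>[^\]]+)\] (?P<rest>.*)$"
)

def parse(line):
    """Parse one Wireshark-style TCP summary line into a dict of fields."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("unparsed line: " + line)
    kv = dict(item.split("=", 1) for item in m.group("rest").split())
    return {
        "sport": int(m.group("sport")),
        "dport": int(m.group("dport")),
        "flags": {f.strip() for f in m.group("flags").split(",")},
        "seq": int(kv["Seq"]),
        "ack": int(kv["Ack"]) if "Ack" in kv else None,
        "len": int(kv.get("Len", "0")),
    }

def check_syn_ack(syn, syn_ack):
    """Return the problems found in a SYN / SYN-ACK pair (empty list if consistent)."""
    problems = []
    if syn["flags"] != {"SYN"}:
        problems.append("first packet is not a pure SYN")
    if syn_ack["flags"] != {"SYN", "ACK"}:
        problems.append("second packet is not SYN+ACK")
    if (syn_ack["sport"], syn_ack["dport"]) != (syn["dport"], syn["sport"]):
        problems.append("SYN-ACK does not reverse the SYN's ports")
    # The SYN flag consumes one sequence number, so the peer must acknowledge
    # ISN + payload length + 1 (modulo 2**32), i.e. the NEXT byte it expects.
    expected = (syn["seq"] + syn["len"] + 1) % 2**32
    if syn_ack["ack"] != expected:
        problems.append(f"Ack={syn_ack['ack']} but expected {expected}")
    return problems

def analyse(lines):
    """Parse a two-line capture and check the handshake pair it contains."""
    pkts = [parse(l) for l in lines]
    return check_syn_ack(pkts[0], pkts[1])

if __name__ == "__main__":
    print(analyse(HANDSHAKE) or "SYN/SYN-ACK sequence numbers are consistent")
```

For the quoted capture the check passes, so the acknowledgement number itself is not what made conntrack mark the packet INVALID; the example only rules that cause out.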