From: "Spenst, Aleksej" <Aleksej.Spenst@harman.com>
To: "netfilter@vger.kernel.org" <netfilter@vger.kernel.org>
Subject: Why SYN-ACK packets are dropped as INVALID?
Date: Thu, 26 Mar 2015 08:41:21 +0000 [thread overview]
Message-ID: <CBA35483CE5B4D4B804BF128A77A61651B66E56B@HIKAWSEXMB02.ad.harman.com> (raw)
Hi All,
I’m sending TCP SYN packets to the server. The problem is that the SYN-ACK packets coming from the server in response are sometimes dropped by my firewall (iptables) as INVALID. I can’t figure out why the firewall sees these packets invalid. They seem to be Ok. What parameters are taken into account by the firewall when making a decision about invalidity of a packet?
Example from tcpdump:
19:29:22.045106 <my IP> <Server IP> TCP 60710→8080 [SYN] Seq=2646194936 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=1356920 TSecr=0 WS=16
19:29:22.817859 <Server IP> <my IP> TCP 8080→60710 [SYN, ACK] Seq=3920856233 Ack=2646194937 Win=65535 Len=0 MSS=1200 SACK_PERM=1
The ACK sequence number (Ack=2646194937) is OK, but I see in my iptables logs that this SYN-ACK packet is marked as INVALID and dropped.
When the SYN-ACK packet comes the TCP session is in the state SYN_SENT -> So, the states are also OK. Why is this packet invalid then?
Thank you!
Aleksej.
next reply other threads:[~2015-03-26 8:41 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-03-26 8:41 Spenst, Aleksej [this message]
2015-03-26 12:53 ` Why SYN-ACK packets are dropped as INVALID? Neal Murphy
2015-03-26 13:25 ` AW: " Spenst, Aleksej
2015-03-26 13:27 ` Joel Gerber
2015-03-26 16:14 ` AW: " Spenst, Aleksej
2015-03-26 19:09 ` Joel Gerber
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CBA35483CE5B4D4B804BF128A77A61651B66E56B@HIKAWSEXMB02.ad.harman.com \
--to=aleksej.spenst@harman.com \
--cc=netfilter@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.