INVALID state and no known connection.

INVALID state and no known connection.

daniel curtis
Hi

As we know, the iptables INVALID state means that
the packet is associated with no known connection,
right? So, if I have a lot of INVALID entries in my
log files, does it mean that something is wrong?
A hidden process, etc.?

An example of logged entries:

t4 kernel: [18776.221378] [INVALID in] IN=eth0 OUT= MAC=mac_address SRC=173.194.70.189 DST=192.168.5.200 LEN=40 TOS=0x00 PREC=0x00 TTL=45 ID=8371 PROTO=TCP SPT=443 DPT=45458 WINDOW=0 RES=0x00 RST URGP=0

t4 kernel: [18262.496058] [INVALID out] IN= OUT=eth0 SRC=192.168.5.200 DST=213.180.146.88 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=18981 DF PROTO=TCP SPT=37190 DPT=80 WINDOW=16576 RES=0x00 ACK FIN URGP=0

For example, the lsof -i -n -P command shows only ESTABLISHED
connections; nothing strange, nothing more.

Best regards.
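A way to sort entries like the two above, added here as an example and not part of Daniel's post: conntrack marks a TCP packet INVALID when it belongs to no tracked flow or its sequence numbers fall outside the tracked window, so a stray RST from a server, or the FIN/ACK of a close that arrives after the entry has timed out, is ordinary noise, while flag combinations such as SYN+FIN or no flags at all are what scanners send. The script below reads LOG lines in the kernel's format, pulls out the direction tag from the --log-prefix, the key=value fields and the bare TCP flag words, and tallies them by class. The first two sample lines are the ones from the post (MAC masked as there); the third, a SYN+FIN probe from 198.51.100.7, is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): classify iptables "[INVALID ...]" LOG
# entries by TCP flags to separate late-close noise from odd packets.
# Disable globbing so tokens such as "[INVALID" are never pathname-expanded.
set -f

# Constructed sample: lines 1-2 are from the post, line 3 is a made-up SYN+FIN probe.
SAMPLE_LOG=$(cat <<'EOF'
t4 kernel: [18776.221378] [INVALID in] IN=eth0 OUT= MAC=mac_address SRC=173.194.70.189 DST=192.168.5.200 LEN=40 TOS=0x00 PREC=0x00 TTL=45 ID=8371 PROTO=TCP SPT=443 DPT=45458 WINDOW=0 RES=0x00 RST URGP=0
t4 kernel: [18262.496058] [INVALID out] IN= OUT=eth0 SRC=192.168.5.200 DST=213.180.146.88 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=18981 DF PROTO=TCP SPT=37190 DPT=80 WINDOW=16576 RES=0x00 ACK FIN URGP=0
t4 kernel: [18900.000001] [INVALID in] IN=eth0 OUT= MAC=mac_address SRC=198.51.100.7 DST=192.168.5.200 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=1 PROTO=TCP SPT=4444 DPT=22 WINDOW=1024 RES=0x00 SYN FIN URGP=0
EOF
)

# direction LINE -> in|out|unknown, taken from the --log-prefix tag
direction() {
    case $1 in
        *"[INVALID in]"*)  echo in ;;
        *"[INVALID out]"*) echo out ;;
        *)                 echo unknown ;;
    esac
}

# field LINE KEY -> value of KEY=value in LINE (fails if KEY is absent)
field() {
    for tok in $1; do
        case $tok in
            "$2="*) printf '%s' "${tok#*=}"; return 0 ;;
        esac
    done
    return 1
}

# tcp_flags LINE -> the bare TCP flag words the LOG target prints after RES=
# (URGP=0 is a key=value field, not the URG flag, so it is not picked up)
tcp_flags() {
    out=""
    for tok in $1; do
        case $tok in
            CWR|ECE|URG|ACK|PSH|RST|SYN|FIN) out="$out $tok" ;;
        esac
    done
    printf '%s' "${out# }"
}

# has FLAGS NAME -> true if NAME is one of the words in FLAGS
has() { case " $1 " in *" $2 "*) return 0 ;; esac; return 1; }

# classify LINE -> one word for why conntrack most likely had no entry
classify() {
    proto=$(field "$1" PROTO) || proto=""
    [ "$proto" = TCP ] || { echo non-tcp; return; }
    f=$(tcp_flags "$1")
    if has "$f" SYN && has "$f" FIN; then echo malformed      # never a legal combination; scanner signature
    elif [ -z "$f" ]; then echo null-scan                     # no flags at all
    elif has "$f" RST; then echo stray-reset                  # RST for a flow conntrack forgot or never saw
    elif has "$f" FIN; then echo late-close                   # FIN/ACK after the entry timed out
    elif has "$f" ACK && ! has "$f" SYN; then echo stray-ack  # mid-stream ACK with no entry (also ACK scans)
    else echo other
    fi
}

# summarize < LOGLINES -> "direction class count" per combination, sorted
summarize() {
    while IFS= read -r line; do
        case $line in *"[INVALID "*) ;; *) continue ;; esac
        printf '%s %s\n' "$(direction "$line")" "$(classify "$line")"
    done | LC_ALL=C sort | uniq -c | awk '{ print $2, $3, $1 }'
}

# --demo tallies the sample; --stdin tallies e.g. `grep INVALID /var/log/kern.log`
case "${1:-}" in
    --demo)  printf '%s\n' "$SAMPLE_LOG" | summarize ;;
    --stdin) summarize ;;
esac
```

Run with --demo and the two posted lines come out as one stray-reset (a server at 443 resetting a flow the firewall no longer tracks) and one late-close (our FIN/ACK to port 80 after the entry expired), and only the constructed SYN+FIN line lands in the malformed bucket; a large count there, or many stray-ack entries from one source, is what would be worth a closer look.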
Re: INVALID state and no known connection.

Andika Triwidada

On Tue, Apr 9, 2013 at 11:18 PM, Daniel Curtis <[hidden email]> wrote:
> Hi
>
> As we know, the iptables INVALID state means that
> the packet is associated with no known connection,
> right? So, if I have a lot of INVALID entries in my
> log files, does it mean that something is wrong?
> A hidden process, etc.?


Just to be sure:
"... INVALID meaning that the packet could not be identified for some reason
which includes running out of memory"

Enough free RAM in that box?

--
andika
Re: INVALID state and no known connection.

daniel curtis
Hi Andika.

Another description of INVALID packets. I have read a lot of
information and I don't know what the truth is. Frankly, this is
the first time I have seen a description that concerns RAM.

So, I have 1 GB of RAM. Just for example, the free -m
command result:
used: 640, free: 230

and the top command:
891896k total, 677284k used, 214612k free

As we can see, the system detected 870 MB instead of 1 GB (1024 MB).
So what is the relationship between INVALID packets and RAM?
Honestly, I don't understand it.
Re: INVALID state and no known connection.

Rolf Kutz-2
Hi Daniel,

On 09/04/13 21:05 +0200, Daniel Curtis wrote:

> Hi Andika.
>
> Another description of INVALID packets. I have read a lot of
> information and I don't know what the truth is. Frankly, this is
> the first time I have seen a description that concerns RAM.
>
> So, I have 1 GB of RAM. Just for example, the free -m
> command result:
> used: 640, free: 230
>
> and the top command:
> 891896k total, 677284k used, 214612k free
>
> As we can see, the system detected 870 MB instead of 1 GB (1024 MB).
> So what is the relationship between INVALID packets and RAM?
> Honestly, I don't understand it.

The information about connections is stored in
/proc/net/ip_conntrack. The maximum number of connections
being tracked is configured in
/proc/sys/net/ipv4/netfilter/ip_conntrack_max.

If you have a lot of connections, you might want
to increase the values (e.g. if you use BitTorrent
or similar protocols). Every connection being
tracked needs some RAM.

You could also check whether the connections timed
out and then increase the timeout values.

HTH Rolf

--
Tres tristes tigres comen trigo en un trigal: un tigre, dos tigres, tres tigres.


--
To UNSUBSCRIBE, email to [hidden email]
with a subject of "unsubscribe". Trouble? Contact [hidden email]
Archive: http://lists.debian.org/20130409195137.GU26658@...
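The current paths, plus a check that turns Rolf's advice into something you can run; this is an added example, not from the thread. On current kernels the table dump is /proc/net/nf_conntrack, the limit is /proc/sys/net/netfilter/nf_conntrack_max and there is a ready-made counter in nf_conntrack_count next to it; the ip_conntrack names Rolf gives are the older ones and are tried as a fallback. The script also prints the TCP timeouts that decide when an idle entry is evicted, because a FIN/ACK or RST arriving after that eviction is exactly the kind of INVALID entry shown in the first post. The 70% and 90% thresholds and the file name are our choices.

```shell
#!/bin/sh
# Added example (not from the thread): report how full the conntrack table is
# and which timeouts decide when an idle flow is evicted. Assumes Linux with
# nf_conntrack loaded; the legacy ip_conntrack paths from the thread are a
# fallback. Usage:  sh conntrack_check.sh --report   (file name is ours)

# first_existing FILE... -> prints the first readable path, fails if none
first_existing() {
    for f in "$@"; do
        if [ -r "$f" ]; then printf '%s\n' "$f"; return 0; fi
    done
    return 1
}

# usage_pct COUNT MAX -> integer percentage of the table in use (0 if MAX is not > 0)
usage_pct() {
    if [ "$2" -gt 0 ] 2>/dev/null; then echo $(( $1 * 100 / $2 )); else echo 0; fi
}

# pressure_level PCT -> ok|warn|full (thresholds are our choice)
pressure_level() {
    if   [ "$1" -ge 90 ]; then echo full
    elif [ "$1" -ge 70 ]; then echo warn
    else echo ok
    fi
}

# sysctl_or PATH DEFAULT -> file content, or DEFAULT when the file is unreadable
sysctl_or() {
    if [ -r "$1" ]; then cat "$1"; else echo "$2"; fi
}

report() {
    max_file=$(first_existing /proc/sys/net/netfilter/nf_conntrack_max \
                              /proc/sys/net/ipv4/netfilter/ip_conntrack_max) || {
        echo 'no conntrack sysctls found: is nf_conntrack loaded?' >&2; return 1; }
    max=$(cat "$max_file")

    # Current kernels expose a counter; older ones only the table dump.
    if count_file=$(first_existing /proc/sys/net/netfilter/nf_conntrack_count); then
        count=$(cat "$count_file")
    elif table=$(first_existing /proc/net/nf_conntrack /proc/net/ip_conntrack); then
        count=$(wc -l < "$table")
    else
        count=0
    fi
    pct=$(usage_pct "$count" "$max")
    printf 'conntrack table: %s of %s entries (%s%%) -> %s\n' \
        "$count" "$max" "$pct" "$(pressure_level "$pct")"

    # A flow idle longer than these values is evicted; the next packet on it
    # (typically the FIN/ACK or RST of a lazy close) is then INVALID.
    d=/proc/sys/net/netfilter
    printf 'tcp established timeout: %ss\n' "$(sysctl_or $d/nf_conntrack_tcp_timeout_established n/a)"
    printf 'tcp time_wait timeout:   %ss\n' "$(sysctl_or $d/nf_conntrack_tcp_timeout_time_wait n/a)"
    # be_liberal=1 stops out-of-window packets being marked INVALID; only
    # consider it when asymmetric routing makes window tracking unreliable.
    printf 'tcp be_liberal:          %s\n' "$(sysctl_or $d/nf_conntrack_tcp_be_liberal n/a)"
}

case "${1:-}" in --report) report ;; esac
```

With the numbers Daniel posts later in the thread (13 entries of 55740) the table is at 0%, so memory pressure is not what produced his entries; the timeouts are the more likely explanation for the outbound FIN/ACK, and the inbound RST needs no explanation at all once the flow is gone.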

Re: INVALID state and no known connection.

Reid Sutherland
This whole discussion seems off-topic to me, but I'll try to clear this up.

Daniel, I believe you are seeing a syslog tag called '[INVALID in] ' or '[INVALID out] ', nothing more.  See the LOG target in the iptables man page (e.g., -j LOG --log-prefix '[INVALID in] ').



On 2013-04-09, at 3:51 PM, Rolf Kutz <[hidden email]> wrote:

> Hi Daniel,
>
> On 09/04/13 21:05 +0200, Daniel Curtis wrote:
>> Hi Andika.
>>
>> Another description of INVALID packets. I have read a lot of
>> information and I don't know what the truth is. Frankly, this is
>> the first time I have seen a description that concerns RAM.
>>
>> So, I have 1 GB of RAM. Just for example, the free -m
>> command result:
>> used: 640, free: 230
>>
>> and the top command:
>> 891896k total, 677284k used, 214612k free
>>
>> As we can see, the system detected 870 MB instead of 1 GB (1024 MB).
>> So what is the relationship between INVALID packets and RAM?
>> Honestly, I don't understand it.
>
> The information about connections is stored in
> /proc/net/ip_conntrack. The maximum number of connections
> being tracked is configured in
> /proc/sys/net/ipv4/netfilter/ip_conntrack_max.
>
> If you have a lot of connections, you might want
> to increase the values (e.g. if you use BitTorrent
> or similar protocols). Every connection being
> tracked needs some RAM.
> You could also check whether the connections timed
> out and then increase the timeout values.
>
> HTH Rolf
>
> --
> Tres tristes tigres comen trigo en un trigal: un tigre, dos tigres, tres tigres.
>

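An added example (not from any post) of where a tag like "[INVALID in] " comes from and how to keep it from filling syslog: the usual pattern is a LOG rule with --log-prefix followed by a DROP rule, both matching -m conntrack --ctstate INVALID. The script emits that pair for INPUT and OUTPUT in iptables-save syntax with the LOG rate-limited, and audits an iptables-save dump to flag a chain that logs INVALID packets without a limit or never drops them. The 5/min limit, the burst of 10 and the chain names are our choices; rulesets written with the older -m state --state INVALID syntax are recognised by the check as well.

```shell
#!/bin/sh
# Added example (not from the thread): emit the INVALID log-and-drop rule pair
# with the LOG rate-limited, and audit an iptables-save dump for it.
# Usage:  sh invalid_rules.sh --print | iptables-restore -n
#         iptables-save | sh invalid_rules.sh --check INPUT
# The limit values, chain names and file name are our choices.

# invalid_rules CHAIN PREFIX -> two rules in iptables-save syntax: limited LOG, then DROP
invalid_rules() {
    printf '%s %s -m conntrack --ctstate INVALID -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "%s"\n' -A "$1" "$2"
    printf '%s %s -m conntrack --ctstate INVALID -j DROP\n' -A "$1"
}

# ruleset -> filter-table fragment for INPUT and OUTPUT (append with iptables-restore -n)
ruleset() {
    echo '*filter'
    invalid_rules INPUT  '[INVALID in] '
    invalid_rules OUTPUT '[INVALID out] '
    echo 'COMMIT'
}

# check_chain CHAIN < iptables-save-dump -> missing-drop | unlimited-log | ok
#   missing-drop : INVALID packets in CHAIN are logged (or ignored) but never dropped
#   unlimited-log: a LOG rule for INVALID has no -m limit, so a burst can flood syslog
check_chain() {
    dump=$(cat)
    inv="^-A $1 .*--\(ct\)\{0,1\}state INVALID"   # matches --ctstate and legacy --state
    if ! printf '%s\n' "$dump" | grep -q -- "$inv.*-j DROP"; then
        echo missing-drop; return 1
    fi
    if printf '%s\n' "$dump" | grep -- "$inv.*-j LOG" | grep -qv -- '-m limit'; then
        echo unlimited-log; return 1
    fi
    echo ok
}

case "${1:-}" in
    --print) ruleset ;;
    --check) check_chain "${2:-INPUT}" ;;
esac
```

Keeping the tag, as Reid suggests, is the right call: the prefix is what lets you grep the INVALID entries apart from everything else the LOG target writes, and the -m limit match is what stops a noisy peer from turning that into gigabytes of kern.log.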
Re: INVALID state and no known connection.

daniel curtis
Hi Mr Rolf

Okay, I will check these values; /proc/net/ip_conntrack etc.
Generally it is normal that there are INVALID connections, right?

Yes, I'm seeing this syslog tag. Should I remove it from my iptables
script (e.g. -j LOG --log-prefix etc.)?
Re: INVALID state and no known connection.

daniel curtis
Hi Reid

Okay, no problem. So, everything is fine even with these
INVALID entries in the log files?


2013/4/11 Reid Sutherland <[hidden email]>
I don't think you need to remove the syslog tag, just know that when you see that syslog entry, it's related to the rule that has the tag.


On 2013-04-10, at 11:34 AM, Daniel Curtis <[hidden email]> wrote:

> Hi Mr Rolf
>
> Okay, I will check these values; /proc/net/ip_conntrack etc.
> Generally it is normal that there are INVALID connections, right?
>
> Yes, I'm seeing this syslog tag. Should I remove it from my iptables
> script (e.g. -j LOG --log-prefix etc.)?


Re: INVALID state and no known connection.

daniel curtis

Hi Rolf.

>> The information about connections is stored in
>> /proc/net/ip_conntrack. The maximum connections
>> (...) in /proc/sys/net/ipv4/netfilter/ip_conntrack_max

I checked these values and it looks this way:

# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max
55740
# cat /proc/net/ip_conntrack |wc -l
13

Should I change something to limit INVALID packets?
Or is it normal?

Best regards.